New requirements were placed on federal contractors this year to train their employees on the protection of personally identifiable information (known as “PII”). Under a new rule that went into effect in January 2017, all federal contractors that handle or have access to the personally identifiable information of others must provide training to their employees. The rule applies not only to large government contractors, but also to contractors “at or below the simplified acquisition threshold (SAT), and to contracts and subcontracts for commercial-items, including contracts and subcontracts for commercially available off-the-shelf (COTS) items.” The rule requires prime contractors to flow down these privacy training requirements to their subcontractors. Personally identifiable information (“PII”) is any type of information that may be used to trace or distinguish an individual’s identity.
Government contractors and subcontractors must ensure that their employees complete an initial privacy training course, and thereafter undergo annual refresher training. An employee must receive training if they:
- Have access to any system of records
- Design, maintain, develop, or operate the contractor’s system of records
- Store, collect, create, use, maintain, or dispose of personally identifiable information on behalf of the contractor.
The training is to include:
- Explanation of the authorized and official use of personally identifiable information, and of records containing such information
- How to appropriately safeguard and handle private information
- Applicable restrictions on the use, collection, access, disclosure, and disposal of personally identifiable information
- Procedures to be followed during a suspected or confirmed breach of security for personally identifiable information
Contractors are required to customize their privacy training to fit particular employees’ duties, and the training must include foundational levels of privacy training, as well as advanced privacy training where appropriate. Employees must be tested to ensure they have the level of knowledge necessary to keep personally identifiable information private. Contractors are required to keep records of training to show what type of training particular employees received, and these records are subject to audit by the government.
Federal contractors and subcontractors need to consider which of their employees (if any) handle or have access to the personally identifiable information of others, and prime contractors need to ensure that their subcontractors comply with these new training requirements. In addition to providing the required training, contractors and subcontractors also must comply with the record-keeping requirements in the new rule.