- Mandatory Privacy Training Rule for Federal Contractors Expected Soon
- November 17, 2014 | Author: Jonathan T. Cain
- Law Firm: Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. - Washington Office
A rule to require federal contactors handling personally identifiable information to train their employees in safeguarding the information is close to release. Under the anticipated rule, contractor employees will have to undergo either agency training when the agency chooses to make it available, or will have to provide their own privacy training programs using an agency-approved syllabus and materials.
The privacy training rule, originally proposed in 2011, would apply to civilian and defense agency contracts in which contractor employees would have access to a federal agency system of records, handle personally identifiable information, or design, develop, operate, or maintain a federal system of records on behalf of a federal agency.
Under the anticipated rule, contractors will be responsible for assuring that their employees have initial and annual refresher training on the following topics:
- Requirements of the federal Privacy Act
- The handling and safeguarding of personally identifiable information
- The authorized and official use of federal systems of records
- Restrictions on the use of personally owned equipment to process, access, or store personally identifiable information
- Breach notification and remediation procedures when privacy information is lost or stolen
Agencies will be responsible, in most cases, for providing agency-specific training requirements and training materials for contractor use.
Contractors will be required to maintain training records and to assure that only employees who have completed the agency-approved training course are provided access to Government system of records information.
The rule, which has been languishing for several years, was sent to OMB for final review on November 5. Final procurement rules typically are released by OMB to the Federal Register for publication within four to six weeks. It is reasonable to expect that the privacy rule will be published before the end of the year.