Privacy Training Requirements
On December 20, 2016, Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA), collectively the "Federal Agencies," issued a final rule amending the Federal Acquisition Regulation (FAR) to require that contractors whose employees have access to a system of records or handle personally identifiable information complete privacy training. This final rule, which you can find here, becomes effective January 19, 2017.
The proposed rule that initially imposed the privacy training requirement, published on October 14, 2011, provides guidance to contractors on the kind of privacy training that addresses the protection of privacy in accordance with the Privacy Act of 1974 and the handling and safeguarding of personally identifiable information (PII). The proposed rule requires contractors to identify employees who handle PII, have access to a system of records, or design, develop, maintain, or operate a system of records. These employees are required to complete initial privacy training and annual privacy training thereafter. Under the proposed rule, a contractor with employees involved in these activities is also required to maintain records indicating that its employees completed the requisite training and to provide these records to the contracting officer upon request. A prime contractor is required to flow-down these requirements to all applicable subcontracts.
The final rule now makes several clarifications to the proposed rule. Specifically, the final rule clarifies that contractors have flexibility to utilize privacy training from any source that meets the minimum content requirements, unless the agency specifies in the contract that only agency-provided training is acceptable. The final rule also provides a number of clarifications addressing the substance of the minimal privacy training requirements. The final rule revised the definition for PII and clarifies that the privacy training must be role-based, must provide foundational as well as more advanced levels of training, and must have measures in place to test the knowledge level of users. More specifically, at a minimum, privacy training must cover—
- The provisions of the Privacy Act of 1974, including penalties for violations of the Act;
- The appropriate handling and safeguarding of PII;
- The authorized and official use of a system of records or any other PII;
- Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access, or store PII;
- The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII or systems of records; and
- Procedures to be followed in the event of a potential or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.
In response to comments expressing concern over the applicability of the rule to commercial item contracts, the final rule also clarifies that the privacy training requirement applies to contracts and subcontracts for commercial items when they involve access to a system of records.
Lastly, the final rule makes clear that it is applicable to contracts and subcontracts at or below the simplified acquisition threshold (SAT) and to contracts and subcontracts for commercial-items, including contracts and subcontracts for commercially available off-the-shelf (COTS) items.
Payments To Subcontractors
On December 20, 2016, the Federal Agencies also issued a final rule amending FAR to implement a requirement under the Small Business Jobs Act of 2010 that contractors notify the contracting officer, in writing, if the contractor pays a reduced price to a small business subcontractor or if the contractor's payment to a small business subcontractor is more than 90 days past due. The final rule also requires contracting officers to record the identity of contractors with a history of late or reduced payments to small business subcontractors in the Federal Awardee Performance and Integrity System (FAPIIS). This final rule, which you can find here, becomes effective January 19, 2017.
As we wrote about in our earlier bulletin (here), the Federal Agencies first proposed these requirements in a proposed rule issued January 20, 2016 under which contracting officers are required to report to FAPIIS a contractor that has a history of three or more unjustified payments under a single contract within a 12-month period. Under the proposed rule, unjustified untimely or reduced payments to small business subcontractors are now included in ratings for small business subcontracting past performance evaluation factors.
The final rule now incorporates significant changes in response to comments received on the proposed rule. The final rule now provides a reporting window of 14 days from the date of any occurrence of untimely or reduced payment for prime contractors to report to the contracting officer. The final rule also includes examples of payment and nonpayment situations that are not considered unjustified, including if:
- There is a contract dispute on performance;
- Partial payment is made for amounts not in dispute;
- A payment is reduced due to past overpayments;
- There is an administrative mistake; and
- Late performance by the subcontractor leads to later payment by the prime contractor.
The final rule preamble also makes clear that the rule applies to contracts for the acquisition of commercial items and commercially available off-the-shelf items.