[Federal Register: October 14, 2011 (Volume 76, Number 199)] [Proposed Rules] [Page 63896-63899] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr14oc11-23] ======================================================================= ----------------------------------------------------------------------- DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 24 and 52 [FAR Case 2010-013; Docket 2010-0013; Sequence 1] RIN 9000-AM02 Federal Acquisition Regulation; Privacy Training, 2010-013 AGENCY: Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Proposed rule. ----------------------------------------------------------------------- SUMMARY: DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to require contractors to complete training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of personally identifiable information. DATES: Interested parties should submit written comments to the Regulatory Secretariat at one of the addresses shown below on or before December 13, 2011 to be considered in the formation of the final rule. ADDRESSES: Submit comments in response to FAR case 2010-013 by any of the following methods:Regulations.gov: http://www.regulations.gov. Submit comments via the Federal eRulemaking portal by inputting ``FAR Case 2010-013'' under [[Page 63897]] the heading ``Enter Keyword or ID'' and selecting ``Search.'' Select the link ``Submit a Comment'' that corresponds with ``FAR Case 2010- 013.'' Follow the instructions provided at the ``Submit a Comment'' screen. Please include your name, company name (if any), and ``FAR Case 2010-013'' on your attached document. Fax: (202) 501-4067. Mail: General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417. Instructions: Please submit comments only and cite FAR Case 2010- 013, in all correspondence related to this case. All comments received will be posted without change to http://www.regulations.gov, including any personal and/or business confidential information provided. FOR FURTHER INFORMATION CONTACT: Mr. Karlos Morgan, Procurement Analyst, at (202) 501-2364 for clarification of content. For information pertaining to status or publication schedules, contact the Regulatory Secretariat at (202) 501-4755. Please cite FAR Case 2010- 013. SUPPLEMENTARY INFORMATION: I. Background DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to add a new subpart 24.3, entitled ``Privacy Training,'' and related clause to ensure that contractors identify employees who require access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records on behalf of the Federal Government, and who, therefore, are required to complete privacy training initially upon award of the procurement and at least annually thereafter. In addition, contractors are required to keep records indicating that employees have completed the required training and, upon request, provide those records to the Government. This rule does not apply to commercial items. These requirements are consistent with subsection (e), Agency requirements, and subsection (m), Government contractors, of the Privacy Act of 1974, 5 U.S.C. 552a. Other applicable authorities that address the responsibility for Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements with the laws, rules, and guidance pertaining to handling and safeguarding personally identifiable information include the E- Government Act of 2002, the Federal Information Security Management Act (FISMA) of 2002, and Federal guidance from the Office of Management and Budget (OMB), e.g., OMB Memorandum M-07-16, entitled ``Safeguarding Against and Responding to the Breach of Personally Identifiable Information,'' issued May 22, 2007; OMB Memorandum M-10-23, entitled ``Guidance for Agency Use of Third-Party Web sites and Applications,'' issued June 25, 2010 (this memorandum contains the most current definition of personally identifiable information, and clarifies the definition provided in M-07-16); and OMB Circular No. A-130, entitled ``Management of Federal Information Resources,'' which address significant requirements for safeguarding and handling personally identifiable information and reporting any theft, loss, or compromise of such information. In addition, FAR subpart 24.1 requires that Federal agencies contracting for the design, development, or operation of a system of records on individuals must extend all Privacy Act safeguards to the contractor and its employees working on the contract. Minimum requirements for privacy training are proposed for the coverage in order to ensure consistency across the Government. For example, any privacy training must address the protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding of personally identifiable information. The proposed FAR text includes seven mandatory elements of the privacy training, including any agency-specific requirements. Many agencies currently require that designated contractor employees complete agency-developed privacy training, but, in some circumstances, an agency may provide a contractor with the Privacy Act requirements and have the contractor develop the training package. While the use of an agency-developed privacy training package is the most common approach, and the approach embodied in the clause at FAR 52.224-XX, Privacy Training, the proposed FAR language provides an Alternate I to the FAR clause for those cases where the agency prefers to have the contractor create the privacy training package. Additionally, the proposed FAR language provides an Alternate II to the FAR clause for those instances when it's determined to be in the best interest of the Government for a contractor employee to attend agency-provided privacy training. Under the proposed FAR rule, a contractor employee who requires access to a Government system of records will be granted or allowed to retain such access only if the individual has (1) Completed privacy training and (2) met all other applicable agency requirements. II. Executive Orders 12866 and 13563 Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under Section 6(b) of E.O. 12866, Regulatory Planning and Review, dated September 30, 1993. This rule is not a major rule under 5 U.S.C. 804. III. Regulatory Flexibility Act The change may have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act 5 U.S.C. 601, et seq. The Initial Regulatory Flexibility Analysis (IRFA) is summarized as follows: This proposed rule was initiated to ensure that contractor personnel who handle personally identifiable information; design, develop, maintain, or operate a system of records on behalf of the Government; or require access to a Government-owned system of records are properly trained on the requirements of applicable laws and appropriate safeguards to ensure the security and confidentiality of personally identifiable information. Such training of contractor employees is required by provisions of the Privacy Act (5 U.S.C. 552a), Title III of the E-Government Act of 2002, the Office of Management and Budget (OMB) Memorandum M- 07-16, and existing Privacy Act clauses (52.224-1 and 52.224-2). Various other statutes, applicable authorities, and memoranda address the responsibility of Federal agencies to ensure that Government and contractor personnel are instructed on compliance requirements pertaining to the handling and safeguarding of personally identifiable information. The list includes, but is not limited to the following: The Federal Information Security Management Act (FISMA) of 2002 (44 U.S.C. 3541); OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information; and OMB Circular No. A-130, Management of Federal Information Resources. The proposed rule requires all contractors with contracts that require employees to have access to personally identifiable information to complete training that addresses the [[Page 63898]] statutory requirements for protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a), and the handling and safeguarding of personally identifiable information. This rule requires the contractor to identify its employees who require access, ensure that those employees complete agency-provided privacy training before being granted access and annually thereafter, and maintain records of the training. In a few cases, the content of the training will not be provided by the agency but will be created by the contractor in accordance with Alternate I to the clause at FAR 52.224-XX. Alternate II to the clause at FAR 52.224-XX if it is determined to be in the best interest of the Government for a contractor employee to attend agency-provided privacy training. This rule does not apply to commercial items. Information obtained from the Federal Procurement Data System for Fiscal Year 2009 demonstrates that 98,864 small business concerns were awarded contracts and 197,728 firms were awarded subcontracts. However, only contracts for the types of work identified in the paragraphs above will be subject to the privacy- training requirement. We estimated that approximately one-half of one percent of all small business Government prime contractors and subcontractors will be required to conduct privacy training as follows: Small business prime contractors........................... 98,864 Small business subcontractors.............................. + 197,728 ------------ Total small businesses................................. 296,592 Percent w/privacy-training requirement..................... x 0.005 ------------ Number of small businesses impacted........................ 1,483 Recordkeeping associated with this proposed rule is minimal; there are no required formats or templates for the records, and they will be retained by the contractor in most cases. The Government only will request a contractor's training records on an exception basis, i.e., if the Government has a particular reason to check on a contractor's compliance with the training requirement. The Regulatory Secretariat will be submitting a copy of the Interim Regulatory Flexibility Analysis (IRFA) to the Chief Counsel for Advocacy of the Small Business Administration. A copy of the IRFA may be obtained from the Regulatory Secretariat. DoD, GSA and NASA invite comments from small business concerns and other interested parties on the expected impact of this rule on small entities. DoD, GSA, and NASA will also consider comments from small entities concerning the existing regulations in subparts affected by this rule in accordance with 5 U.S.C. 610. Interested parties must submit such comments separately and should cite 5 U.S.C. 610 (FAR Case 2010-013) in correspondence. IV. Paperwork Reduction Act The Paperwork Reduction Act (44 U.S.C. chapter 35) applies. The proposed rule contains information collection requirements. Accordingly, the Regulatory Secretariat has submitted a request for approval of a new information collection requirement concerning ``Privacy Training'' to the Office of Management and Budget. A. Public reporting burden for this collection of information is estimated to average one hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. The recordkeeping requirements are minor, and records generally will be retained within the contractor's organization. While a contractor is required to identify its employees who require initial privacy training and annual privacy training thereafter, there is no requirement to collect this information in a particular format or provide it to the Government, other than on an exception basis, i.e., when there is an indication that the contractor is not complying with the training requirements. The annual reporting burden is estimated as follows: Respondents................................................ 148 Responses per respondent................................... 1 ------------ Total annual responses................................. 148 Preparation hours per response............................. 1 ------------ Total response burden hours............................ 148 :B. Request for Comments Regarding Paperwork Burden. Submit comments, including suggestions for reducing this burden, not later than December 13, 2011 to: FAR Desk Officer, OMB, Room 10102, NEOB, Washington, DC 20503, and a copy to the General Services Administration, Regulatory Secretariat (MVCB), ATTN: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417. Public comments are particularly invited on: whether this collection of information is necessary for the proper performance of functions of the FAR, and will have practical utility; whether our estimate of the public burden of this collection of information is accurate, and based on valid assumptions and methodology; ways to enhance the quality, utility, and clarity of the information to be collected; and ways in which we can minimize the burden of the collection of information on those who are to respond, through the use of appropriate technological collection techniques or other forms of information technology. Requester may obtain a copy of the supporting statement from the General Services Administration, Regulatory Secretariat (MVCB), Attn: Hada Flowers, 1275 First Street, NE., 7th Floor, Washington, DC 20417. Please cite OMB Control Number 9000-0182, FAR Case 2010-013, Privacy Training, in correspondence. List of Subjects in 48 CFR Parts 24 and 52 Government procurement. Dated: October 6, 2011. Laura Auletta, Acting Director, Office of Governmentwide Acquisition Policy, Office of Acquisition Policy. Therefore, DoD, GSA, and NASA propose amending 48 CFR parts 24 and 52 as set forth below: 1. The authority citation for 48 CFR parts 24 and 52 continues to read as follows: Authority: 40 U.S.C. 121(c); 10 U.S.C. chapter 137; and 42 U.S.C. 2473(c). PART 24--PROTECTION OF PRIVACY AND FREEDOM OF INFORMATION 2. Add subpart 24.3 to read as follows: Subpart 24.3--Privacy Training Sec. 24.301 Privacy Training. 24.302 Contract clause. Subpart 24.3--Privacy Training Sec. 24.301 Privacy training. (a) Contractors are responsible for conducting initial privacy training, and annual privacy training thereafter, for employees who-- (1) Require access to a Government system of records; (2) Handle personally identifiable information; or (3) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see subpart 24.1 and 39.105). (b) Agencies shall provide contractors with the privacy training materials (in a format deemed appropriate) necessary to satisfy the requirement described in paragraph (a) of this section unless, on an exception basis, the contracting officer authorizes a contractor to provide its own privacy training materials (see 24.302(b)). (c) Privacy training shall, at a minimum, address-- (1) The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a); [[Page 63899]] (2) The handling and safeguarding of personally identifiable information; (3) The authorized and official use of a Government system of records; (4) Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information; (5) The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or systems of records on behalf of the Federal Government; (6) Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised) to minimize risk and to ensure prompt and appropriate actions are taken should a breach occur; and (7) Any agency-specific privacy training requirements. (d) The contractor is responsible for ensuring that employees identified in paragraph (a) of this section complete the required training and maintain evidence of appropriate training completed. The contractor is required, upon request, to provide evidence of completion of privacy training for all applicable employees. (e) Each contractor employee who requires access to a Government system of records, handles personally identifiable information, or designs, develops, maintains, or operates a Government system of records, shall be granted or allowed to retain such access only if the individual-- (1) Has completed agency-mandated privacy training that, at a minimum, addresses the elements in paragraph (c) of this section; and (2) Has met all other applicable agency requirements. Sec. 24.302 Contract clause. (a) When contractor employees will have access to a Government system of records, handle personally identifiable information, or design, develop, maintain, or operate a system of records, the contracting officer shall insert the clause at FAR 52.224-XX, Privacy Training, in solicitations and contracts. (b) When the contracting officer elects to have the contractor provide its own privacy training materials, use Alternate I in lieu of paragraph (a) of the basic clause. (c) When an agency elects to provide privacy training to contractor employees, use Alternate II in lieu of paragraph (a) of the basic clause. PART 52--SOLICITATION PROVISIONS AND CONTRACT CLAUSES 3. Add section 52.224-XX to read as follows: 52.224-XX Privacy Training. As prescribed in 24.302(a), insert the following clause: Privacy Training (Date) (a) The Contractor shall conduct initial privacy training, and annual privacy training thereafter, using the Government-provided privacy training materials, for employees who-- (1) Require access to a Government system of records; (2) Handle personally identifiable information; or (3) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see also FAR subpart 24.1 and 39.105). (b) The Contractor shall ensure that its employees, as identified in paragraph (a) of this clause, complete the required training in a timely manner. In addition, the Contractor shall maintain privacy training records, and, upon request, shall provide to the Contracting Officer evidence of privacy training completed for applicable employees. (c) The Contractor shall not grant any employee access to a Government system of records or personally identifiable information until the employee has completed privacy training, as required by this clause, and has met all other applicable agency requirements. (d) The substance of this clause, including this paragraph (d), shall be included in all subcontracts under this contract, when subcontractor employees will (1) have access to a Government system of records, (2) handle personally identifiable information, or (3) design, develop, maintain, or operate a system of records on behalf of the Federal Government. (End of clause) Alternate I (Date). If the agency elects to have the Contractor provide its own privacy training materials, substitute the following paragraph (a) for paragraph (a) of the basic clause: (a)(1) The Contractor shall conduct initial privacy training, and annual privacy training thereafter, using its own privacy training materials, for employees who-- (i) Require access to a Government system of records; (ii) Handle personally identifiable information; or (iii) Design, develop, maintain or operate a system of records on behalf of the Federal Government (see also FAR subpart 24.1 and 39.105). (2) The privacy-training materials shall, at a minimum, address-- (i) The protection of privacy, in accordance with the Privacy Act (5 U.S.C. 552a); (ii) The handling and safeguarding of personally identifiable information; (iii) The authorized and official use of a Government system of records; (iv) Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information; (v) The prohibition against access by unauthorized users, and unauthorized use by authorized users, of personally identifiable information or a system of records on behalf of the Federal Government; (vi) Breach notification procedures (i.e., procedures for notifying appropriate individuals when privacy information is lost, stolen, or compromised); and (vii) Any agency-specific privacy training requirements specified by the Contracting Officer. Alternate II (Date). If the agency elects to provide privacy training to contractor employees, substitute the following paragraph (a) for paragraph (a) of the basic clause: (a)(1) The Government shall provide initial privacy training, and annual privacy training thereafter, to contractor employees who-- (i) Require access to a Government system of records; (ii) Handle personally identifiable information; or (iii) Design, develop, maintain, or operate a system of records on behalf of the Federal Government (see also subpart 24.1 and 39.105). (2) The Government will conduct privacy training to Contractor employees in the same format given its own employees (e.g., lecture, computer-based training, Web-based training, video conferencing, etc.). [FR Doc. 2011-26546 Filed 10-13-11; 8:45 am] BILLING CODE 6820-EP-P