New requirements were placed on federal contractors this year to train their employees on the protection of personally identifiable information (known as “PII”). Under a new rule that went into effect in January 2017, all federal contractors that handle or have access to the personally identifiable information of others must provide training to their employees. The rule applies not only to large government contractors, but also to contractors “at or below the simplified acquisition threshold (SAT), and to contracts and subcontracts for commercial-items, including contracts and subcontracts for commercially available off-the-shelf (COTS) items.” The rule requires prime contractors to flow down these privacy training requirements to their subcontractors. Personally identifiable information (“PII”) is any type of information that may be used to trace or distinguish an individual’s identity.
Government contractors and subcontractors must ensure that their employees complete an initial privacy training course, and thereafter undergo annual refresher training. An employee must receive training if they:
The training is to include:
Contractors are required to customize their privacy training to fit each employee’s duties, and the training must include foundational levels of privacy training, as well as advanced privacy training where appropriate. Employees must be tested to ensure they have the level of knowledge necessary to keep personally identifiable information private. Contractors are required to keep records of training to show what type of training particular employees received, and these records are subject to audit by the government.
Federal contractors and subcontractors need to consider which of their employees (if any) handle or have access to the personally identifiable information of others, and prime contractors need to ensure that their subcontractors comply with these new training requirements. In addition to providing the required training, contractors and subcontractors also must comply with the record-keeping requirements in the new rule.