US government imposes new privacy training regulations for federal contractors

January 20, 2017

Adhering to privacy standards will now be a key expectation for federal government contractors in America, thanks to new rules that went into effect this week, ensuring that employees will receive annual training on privacy.

The new rules were adopted as of Thursday by the U.S. Department of Defense, the General Services Administration, and NSA, as detailed by Cooley. They apply to employees who handle personally identifiable information, those who have access to a system of records, and those who design, develop, maintain or operate a system of records.

The new privacy training for contractors will be tailored to the employee’s specific duties. Workers will also be tested to ensure their understanding of the issues.

The training can be provided by the contractor’s employee, or through an outside party. Training will be completed upon hiring and repeated annually.

The new federal laws require the training to cover the following:

  • The provisions of the Privacy Act of 1974 (5 USC § 552a), including penalties for violations
  • Appropriate handling and safeguarding of personally identifiable information, or PII
  • Authorized and official use of a system of records and PII
  • Restrictions on the use of unauthorized equipment to create, collect, use, store, disseminate, or otherwise access PII
  • Prohibitions against unauthorized use of a system of records or PII
  • Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure of PII

Concerns over privacy, and how to protect it, remain major issues in government work, particularly as governments continue to collect more data on their citizens.

Recently, the National Institute of Standards and Technology solicited help from private companies to build a system that could identify and match tattoos of suspected criminals. Privacy rights advocates slammed the effort, noting that some 15,000 photographs, many containing personal information, were provided to outside contractors, with “little restriction” placed on what those companies could do with the data.