Rules for Handling PII by DON Contractor Support Personnel
By the DON Privacy Team - Published, March 10, 2011
The following Privacy Tip provides existing policy guidance and best business practices for contract support personnel who handle personally identifiable information. Office of the Secretary of Defense Memo dated June 05, 2009, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII)" and SECNAV INST 5211.5E: "SECNAV Privacy Program" apply.
The DON has a continuing affirmative responsibility to safeguard PII and to prevent its theft, loss or compromise. All DON personnel, including support contractors and business partners must ensure their actions do not contribute to, nor result in, a compromise.
52.224 - 1 - Privacy Act Notification
- DON support contractors with authorized access to PII must receive and certify their understanding of PII handling through the completion of annual DON PII training.
- DON support contractors must comply with all privacy protections under the Privacy Act when accessing PII.
- Unauthorized disclosure of privacy sensitive information by support contractors through negligence or misconduct can lead to contractor removal or, depending on the severity of the disclosure, contract termination.
- Upon discovery of a PII breach, DON support contractors must immediately notify their DON chain-of-command.
- Sub contractors must comply with the same privacy protections as the prime support contractor.
- Contractors responsible for the unauthorized disclosure of PII may be held accountable for any costs associated with breach mitigation, including those incurred as a result of having to notify personnel.
- Contractor-owned or maintained-IT systems under contract to DON must be registered in the Department of Defense IT Portfolio Registry (DITPR)-DON.
- Contractors shall not store government PII on their personal computers.
- As a best practice, commands should consider use of nondisclosure agreements as a condition of contractor access to privacy sensitive information. Non-disclosure agreements improve accountability by informing contractors of their responsibilities and the consequences that may result from their failure to meet those responsibilities.
- There are many IT systems that are contractor owned or operated and contracts between the commercial vendor and the DON and in accordance with the Federal Acquisition Regulation (FAR), must contain two specific contract clauses as noted in the paragraphs below.
The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.
52.224 - 2 - Privacy Act
(a) The Contractor agrees to
(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies
(i) The systems of records; and
(ii) The design, development, or operation work that the contractor is to perform;
(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the design, development, or operation of a system of records on individuals that is subject to the Act; and
(3) Include this clause, including this subparagraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records.
(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor and any employee of the Contractor is considered to be an employee of the agency.
(c) For Systems of Record,
(1) Operation of a system of records, as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.
(2) Record, as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.
(3) System of records on individuals, as used in this clause means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
Steve Muck is the DON privacy team lead. He can be reached at firstname.lastname@example.org