Government Contacting - FAR Part 24 - Protection Of Privacy And Freedom Of Information

Get “FAR” Sighted
In 2020
J Schaus & Associates – Washington DC – PH: 202-365-0598 - Hello@JenniferSchaus.com
Join us in this complimentary webinars series as we uncover
each Part of The FAR (Federal Acquisition Regulations) so you can
better understand the rules of the (federal contracting) game.

Get “FAR” Sighted In 2020
The FAR, or Federal Acquisition Regulation
is the official rule book for how the Federal
Government purchases. It sets uniform
policies and procedures for the federal
acquisition and procurement process.
Webinars are complimentary and recorded.
NOTE: Recordings are posted to our website and YouTube channel.

The National Veteran Small Coalition (NVSBC)
is the largest non-profit trade association in the
country representing veteran and service-disabled
veteran-owned small business in the federal
marketplace as prime and subcontractors. NVSBC
provides networking, match-making, coaching, and
training opportunities for members.
Please visit: www.nvsbc.org
PARTNER:

Sponsors:

About Us:
Washington DC Based
Professional Services For Federal Contractors
- GSA Schedule
- SBA 8(a) Certification
- Proposal Writing & Pricing
- Contract Admin
Clients: Products / Professional Services / Software

Reach
Federal Government
Contractors
&
Federal Government
Advertise With Us
18,900+ Subscribers!!
hello@jenniferschaus.com

Hot Topics
In Government Contracting
Virtual Conference – Tuesday, JUNE 23 (8am-1pm)
Session 1 - CMMC Cybersecurity Status - Legal Roundtable
Session 2 - SBA New Regulations - What Does It Mean For Small Business?
Session 3 - Federal Marketing And Business Development Q4 Push - Roundtable
Session 4 - Federal Pricing & Compliance
Session 5 - GWAC and MAC Overview - Who Is Buying What?
Session 6 - COVID-Contracting - Legal Landscape, Opportunities & OTA's
ATTENDEE REGISTRATION: https://register.gotowebinar.com/register/2262848113711115533
SPONSOR REGISTRATION: https://hottopics06232020.eventbrite.com

About Our Speaker:
Janetta Brewer
Blue Alchemy Consulting
jbrewer@bluealchemyconsulting.com
www.bluealchemyconsulting.com

FAR PART 24
Protection Of Privacy And Freedom Of
Information
Link:
https://acquisition.gov/content/part-24-protection-privacy-and-freedom-information
May 29, 2020

FAR PART 24
Prescribes the policies and procedures that apply requirements of
the Privacy Act of 1974 (5 U.S.C. 552a) and OMB Circular No. A-130
to Government contracts and cites the Freedom of Information Act
(5 U.S.C. 552)

FAR PART 24 Overview
Subpart 24.1 – Protection of Individual Privacy
24.101 Definitions.
24.102 General.
24.103 Procedures.
24.104 Contract Clauses.
Subpart 24.2 – Freedom of Information Act
24.201 Authority.
24.202 Prohibitions.
24.203 Policy.

The Privacy Act of 1974
(m)(1) When an agency provides by a contract for the operation by or on behalf of the
agency of a system of records to accomplish an agency function, the agency shall,
consistent with its authority, cause the requirements of this section to be applied to such
system. For purposes of subsection (i) of this section any such contractor any employee of
such contractor, if such contract is agreed to on or after the effective date of this section,
shall be considered to be an employee of an agency.
5 U.S.C. 552a

The Privacy Act of 1974 (cont.)
(i)(1) Any officer or employee of an agency, who by virtue of his employment or official position, has
possession of, or access to, agency records which contain individually identifiable information the disclosure
of which is prohibited by this section or by rules or regulations established thereunder, and who knowing
that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any
person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
(2) Any officer or employee of any agency who willfully maintains a system of records without meeting the
notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more
than $5,000.
(3) Any person who knowingly and willfully requests or obtains any record concerning an individual from an
agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.
5 U.S.C. 552a

Purpose of The Privacy Act of 1974
To balance the government’s need to maintain information about individuals with the
rights of individuals to be protected against unwarranted invasions of their privacy
stemming from federal agencies’ collection, maintenance, use, and disclosure of personal
information about them.
Congress was concerned with curbing the illegal surveillance and investigation of
individuals by federal agencies that had been exposed during the Watergate scandal. It
was also concerned with potential abuses presented by the government’s increasing use
of computers to store and retrieve personal data by means of a universal identifier – such
as an individual’s social security number.

FAR PART 24.101 – Definitions
Agency means any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the
executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency.
Individual means a citizen of the United States or an alien lawfully admitted for permanent residence.
Maintain means maintain, collect, use, or disseminate.
Operation of a system of records means performance of any of the activities associated with maintaining the system of records, including the collection, use,
and dissemination of records.
Personally identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with
other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular No. A-130, Managing Federal
Information as a Strategic Resource).
Record means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education,
financial transactions, medical history, and criminal or employment history, and that contains the individual’s name, or the identifying number, symbol, or
other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.
System of records on individuals means a group of any records under the control of any agency from which information is retrieved by the name of the
individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

FAR Part 24.102 – General
(a) The Act requires that when an agency contracts for the design, development, or operation of a system of records on individuals
on behalf of the agency to accomplish an agency function the agency must apply the requirements of the Act to the contractor and its
employees working on the contract.
(b) An agency officer or employee may be criminally liable for violations of the Act. When the contract provides for operation of a
system of records on individuals, contractors and their employees are considered employees of the agency for purposes of the criminal
penalties of the Act.
(c) If a contract specifically provides for the design, development, or operation of a system of records on individuals on behalf of an
agency to accomplish an agency function, the agency must apply the requirements of the Act to the contractor and its employees
working on the contract. The system of records operated under the contract is deemed to be maintained by the agency and is subject
to the Act.
(d) Agencies, which within the limits of their authorities, fail to require that systems of records on individuals operated on their
behalf under contracts be operated in conformance with the Act may be civilly liable to individuals injured as a consequence of any
subsequent failure to maintain records in conformance with the Act.

What is a System of Record?
A group of data that—
Contains a unique personal identifier (such as name, date of birth, Social Security Number,
DoD ID number, fingerprint, etc.) ;
May contain at least one other item of personal data (e.g., such as home address,
performance rating, blood type, etc.); and
The data about the subject individual is retrieved by their unique personal identifier(s).

FAR Part 24.103 – Procedures
(a) The contracting officer shall review requirements to determine whether the
contract will involve the design, development, or operation of a system of records on
individuals to accomplish an agency function.
(b) If one or more of those tasks will be required, the contracting officer shall—
(1) Ensure that the contract work statement specifically identifies the system of
records on individuals and the design, development, or operation work to be performed;
and
(2) Make available, in accordance with agency procedures, agency rules and
regulation implementing the Act.

VA Handbook 6508.1
Procedures for Privacy Threshold Analysis (PTA) and Privacy Impact Assessment (PIA)—
The PTA a privacy compliance and risk management tool instrumental in determining
whether PII and/or Personal Health Information (PHI) is being collected and maintained by
an IT System, rulemaking, program, and/or project.
The PIA is designed to identify the privacy and security risks associated with the use of
Sensitive Personal Information by a program, project, IT system or rulemaking.

FAR Part 24.104 – Contract Clauses
When the design, development, or operation of a system of records on individuals is
required to accomplish an agency function, the contracting officer shall insert the
following clauses in solicitations and contracts:
(a) The clause at 52.224-1, Privacy Act Notification.
(b) The clause at 52.224-2, Privacy Act.

FAR Clause 52.224-1, Privacy Act Notification
PRIVACY ACT NOTIFICATION (APR 1984)
The Contractor will be required to design, develop, or operate a system of records on
individuals, to accomplish an agency function subject to the Privacy Act of1974, Public Law
93-579, December 31,1974 (5 U.S.C.552a) and applicable agency regulations. Violation of
the Act may involve the imposition of criminal penalties.

FAR Clause 52.224-2, Privacy Act
(a) The Contractor agrees to-
(1) Comply with the Privacy Act of1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to
accomplish an agency function when the contract specifically identifies—
(i) The systems of records; and
(ii) The design, development, or operation work that the contractor is to perform;
(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work
statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and
(3) Include this clause, including this paragraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records.
(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on
individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records
on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the
Contractor is considered to be an employee of the agency.
(c)(1)“Operation of a system of records,” as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and
dissemination of records.
(2)“Record,” as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education,
financial transactions, medical history, and criminal or employment history and that contains the person’s name, or the identifying number, symbol, or other identifying particular assigned to the
individual, such as a fingerprint or voiceprint or a photograph.
(3)“System of records on individuals,” as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or
by some identifying number, symbol, or other identifying particular assigned to the individual.

FAR 24.301, Privacy Training
(a) Contractors are responsible for ensuring that initial privacy training, and annual
privacy training thereafter, is completed by contractor employees who-
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or
otherwise handle personally identifiable information on behalf of the agency; or
(3) Design, develop, maintain, or operate a system of records (see FAR
subpart 24.1 and 39.105).

FAR 24.301, Privacy Training (cont.)
(b) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a
system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have
measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover-
(1) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
(2) The appropriate handling and safeguarding of personally identifiable information;
(3) The authorized and official use of a system of records or any other personally identifiable information;
(4) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose,
dispose, or otherwise access personally identifiable information;
(5) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of
personally identifiable information; and
(6) Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure,
access, handling, or use of personally identifiable information (see Office of Management and Budget guidance for Preparing for and
Responding to a Breach of Personally Identifiable Information).

FAR 24.301, Privacy Training (cont.)
(c) The contractor may provide its own training or use the training of another agency unless the
contracting agency specifies that only its agency-provided training is acceptable (see 24.302(b)).
(d) The contractor is required to maintain and, upon request, to provide documentation of completion of
privacy training for all applicable employees.
(e) No contractor employee shall be permitted to have or retain access to a system of records, create,
collect, use, process, store, maintain, disseminate, disclose, or dispose, or otherwise handle personally
identifiable information, or design, develop, maintain, or operate a system of records, unless the employee
has completed privacy training that, at a minimum, addresses the elements in paragraph (b) of this section.

FAR Clause 52.224-3, Privacy Training
The cause contains the requirements at FAR 24.301, Privacy Training
Mandatory Flow-down—
(f) The substance of this clause, including this paragraph (f), shall be included in all subcontracts under this contract, when
subcontractor employees will-
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable
information; or
(3) Design, develop, maintain, or operate a system of records.
Alternate I (JAN 2017). If the agency specifies that only its agency-provided training is acceptable, substitute the following paragraph
(c) for paragraph (c) of the basic clause:
(c) The contracting agency will provide initial privacy training, and annual privacy training thereafter, to Contractor employees for the
duration of this contract.

Tips for Avoiding PII Breaches
Take protection of PII seriously.
Respect the privacy of others.
Alert a management official when you see PII left unattended.
Know Privacy Act requirements.
Ensure that all message traffic, faxes, and email containing PII are properly marked and
email is encrypted.
Do not email the PII of others to a personal email account.

The Freedom of Information Act (FOIA)
The basic function of the Freedom of Information Act is to ensure informed citizens, vital
to the functioning of a democratic society. Since 1967, the Freedom of Information Act
(FOIA) has provided the public the right to request access to records from any federal
agency.
Federal agencies are required to disclose any information requested under the FOIA
unless it falls under one of nine exemptions. Congress established nine categories of
information that are not required to be released in response to a FOIA request because
release would be harmful to a governmental or private interest

FOIA Exemptions
1. Interest of national defense or foreign policy.
2. Internal personnel rules and practices of an agency.
3. Exempted from disclosure by another statute.
4. Trade secrets and commercial or financial information that is obtained from outside the government
and that is privileged or confidential.
5. Privileged from civil discovery.
6. Personnel and medical files.
7. Compiled for law enforcement purposes.
8. Examination, operating or condition reports re. regulation or supervision of financial institutions.
9. Geological and geophysical information.

Subpart 24.2 – Freedom of Information Act
24.201 Authority.
The Freedom of Information Act (5 U.S.C. 552, as amended) provides that information is to
be made available to the public either by-
(a) Publication in the Federal Register;
(b) Providing an opportunity to read and copy records at convenient locations; or
(c) Upon request, providing a copy of a reasonably described record.

Subpart 24.202 – Prohibitions
(a) A proposal in the possession or control of the Government, submitted in response to a competitive
solicitation, shall not be made available to any person under the Freedom of Information Act. This
prohibition does not apply to a proposal, or any part of a proposal, that is set forth or incorporated by
reference in a contract between the Government and the contractor that submitted the proposal. (See 10
U.S.C.2305(g) and 41 U.S.C.4702.)
(b) No agency shall disclose any information obtained pursuant to 15.403-3(b) that is exempt from
disclosure under the Freedom of Information Act. (See 10 U.S.C.2306a(d)(2)(C) and 41 U.S.C.3505(b)(3).)
(c) A dispute resolution communication that is between a neutral person and a party to alternative
dispute resolution proceedings, and that may not be disclosed under 5 U.S.C.574, is exempt from disclosure
under the Freedom of Information Act (5 U.S.C.552(b)(3)).

Subpart 24.203 – Policy
(a) The Act specifies, among other things, how agencies shall make their records available upon public request, imposes strict time
standards for agency responses, and exempts certain records from public disclosure. Each agency’s implementation of these
requirements is located in its respective title of the Code of Federal Regulations and referenced in subpart 24.2 of its implementing
acquisition regulations.
(b) Contracting officers may receive requests for records that may be exempted from mandatory public disclosure. The exemptions
most often applicable are those relating to classified information, to trade secrets and confidential commercial or financial information,
to interagency or intra-agency memoranda, or to personal and medical information pertaining to an individual. Other exemptions
include agency personnel practices, and law enforcement. Since these requests often involve complex issues requiring an in-depth
knowledge of a large and increasing body of court rulings and policy guidance, contracting officers are cautioned to comply with the
implementing regulations of their agency and to obtain necessary guidance from the agency officials having Freedom of Information
Act responsibility. If additional assistance is needed, authorized agency officials may contact the Department of Justice, Office of
Information and Privacy. A Freedom of Information Act guide and other resources are available at the Department of Justice website
under FOIA reference materials: http://www.usdoj.gov/oip.

Thank You For Joining Us!
Janetta Brewer
jbrewer@bluealchemyconsulting.com
571-279-7236

Brought To You By:
JSchaus & Associates
Washington DC
PH: 202-365-0598
Hello@JenniferSchaus.com

Government Contacting - FAR Part 24 - Protection Of Privacy And Freedom Of Information

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Government Contacting - FAR Part 24 - Protection Of Privacy And Freedom Of Information

Similar to Government Contacting - FAR Part 24 - Protection Of Privacy And Freedom Of Information (20)

More from JSchaus & Associates

More from JSchaus & Associates (20)

Recently uploaded

Recently uploaded (20)

Government Contacting - FAR Part 24 - Protection Of Privacy And Freedom Of Information