5124.103 Procedures.
(b)(i) The Contracting officer shall reference the following documents in solicitations and contracts that require the design, development, or operation of a system of records:
(A) DoD Directive 5400.11 (DoD Privacy and Civil Liberties Programs).
(B) DoD 5400.11-R (DoD Privacy Program).
(C) Regulations for community-specific protected information, as applicable, e.g., DoD Manual 6025.18, Implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule in DoD Health Care Programs.
(ii) The Contracting officer will ensure that work statements that require the design, development, or operation of a system of records include procedures to follow in the event of a Personally Identifiable Information (PII) breach.
(iii) The Contracting officer should ensure that Government surveillance plans for contracts that require the design, development, or operation of a system of records include monitoring of the contractor’s adherence to Privacy Act/PII regulations. The assessing official should document contractor-caused breaches or other incidents related to PII in past performance reports. (See AFARS 5142.1503-90(b).) Such incidents include instances in which the contractor did not adhere to Privacy Act/PII contractual requirements.