Part 24 - Protection of Privacy and Freedom of Information
Subpart 24.1 - Protection of Individual Privacy
Subpart 24.2 - Freedom of Information Act
24.000 Scope of part.
This part prescribes policies and procedures that apply requirements of the Privacy Act of1974 ( 5 U.S.C. 552a) (the Act) and OMB CircularNo.A-130, December 12,1985, to Government contracts and cites the Freedom of Information Act ( 5 U.S.C.552, as amended).
Subpart 24.1 - Protection of Individual Privacy
24.101 Definitions.
As used in this subpart-
Agency means any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency.
Individual means a citizen of the United States or an alien lawfully admitted for permanent residence.
Maintain means maintain, collect, use, or disseminate.
Operation of a system of records means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.
Personally identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular No. A-130, Managing Federal Information as a Strategic Resource).
Record means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and that contains the individual’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.
System of records on individuals means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.
24.102 General.
(a) The Act requires that when an agency contracts for the design, development, or operation of a system of records on individuals on behalf of the agency to accomplish an agency function the agency must apply the requirements of the Act to the contractor and its employees working on the contract.
(b) An agency officer or employee may be criminally liable for violations of the Act. When the contract provides for operation of a system of records on individuals, contractors and their employees are considered employees of the agency for purposes of the criminal penalties of the Act.
(c) If a contract specifically provides for the design, development, or operation of a system of records on individuals on behalf of an agency to accomplish an agency function, the agency must apply the requirements of the Act to the contractor and its employees working on the contract. The system of records operated under the contract is deemed to be maintained by the agency and is subject to the Act.
(d) Agencies, which within the limits of their authorities, fail to require that systems of records on individuals operated on their behalf under contracts be operated in conformance with the Act may be civilly liable to individuals injured as a consequence of any subsequent failure to maintain records in conformance with the Act.
24.103 Procedures.
(a) The contracting officer shall review requirements to determine whether the contract will involve the design, development, or operation of a system of records on individuals to accomplish an agency function.
(b) If one or more of those tasks will be required, the contracting officer shall-
(1) Ensure that the contract work statement specifically identifies the system of records on individuals and the design, development, or operation work to be performed; and
(2) Make available, in accordance with agency procedures, agency rules and regulation implementing the Act.
24.104 Contract clauses.
When the design, development, or operation of a system of records on individuals is required to accomplish an agency function, the contracting officer shall insert the following clauses in solicitations and contracts:
(a) The clause at 52.224-1, Privacy Act Notification.
(b) The clause at 52.224-2, Privacy Act.
Subpart 24.2 - Freedom of Information Act
24.201 Authority.
The Freedom of Information Act ( 5 U.S.C.552, as amended) provides that information is to be made available to the public either by-
(a) Publication in the Federal Register;
(b) Providing an opportunity to read and copy records at convenient locations; or
(c) Upon request, providing a copy of a reasonably described record.
24.202 Prohibitions.
(a) A proposal in the possession or control of the Government, submitted in response to a competitive solicitation, shall not be made available to any person under the Freedom of Information Act. This prohibition does not apply to a proposal, or any part of a proposal, that is set forth or incorporated by reference in a contract between the Government and the contractor that submitted the proposal. (See 10 U.S.C. 3309 and 41 U.S.C. 4702.)
(b) No agency shall disclose any information obtained pursuant to 15.403-3(b) that is exempt from disclosure under the Freedom of Information Act. (See 10 U.S.C. 3705(c)(3) and 41 U.S.C. 3505(b)(3).)
(c) A dispute resolution communication that is between a neutral person and a party to alternative dispute resolution proceedings, and that may not be disclosed under 5 U.S.C.574, is exempt from disclosure under the Freedom of Information Act ( 5 U.S.C. 552(b)(3)).
24.203 Policy.
(a) The Act specifies, among other things, how agencies shall make their records available upon public request, imposes strict time standards for agency responses, and exempts certain records from public disclosure. Each agency’s implementation of these requirements is located in its respective title of the Code of Federal Regulations and referenced in subpart 24.2 of its implementing acquisition regulations.
(b) Contracting officers may receive requests for records that may be exempted from mandatory public disclosure. The exemptions most often applicable are those relating to classified information, to trade secrets and confidential commercial or financial information, to interagency or intra-agency memoranda, or to personal and medical information pertaining to an individual. Other exemptions include agency personnel practices, and law enforcement. Since these requests often involve complex issues requiring an in-depth knowledge of a large and increasing body of court rulings and policy guidance, contracting officers are cautioned to comply with the implementing regulations of their agency and to obtain necessary guidance from the agency officials having Freedom of Information Act responsibility. If additional assistance is needed, authorized agency officials may contact the Department of Justice, Office of Information and Privacy. A Freedom of Information Act guide and other resources are available at the Department of Justice website under FOIA reference materials: http://www.usdoj.gov/oip.
Subpart 24.3 - Privacy Training
24.301 Privacy training.
(a) Contractors are responsible for ensuring that initial privacy training, and annual privacy training thereafter, is completed by contractor employees who-
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of the agency; or
(3) Design, develop, maintain, or operate a system of records (see FAR subpart 24.1 and 39.105).
(b) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover-
(1) The provisions of the Privacy Act of 1974 ( 5 U.S.C. 552a), including penalties for violations of the Act;
(2) The appropriate handling and safeguarding of personally identifiable information;
(3) The authorized and official use of a system of records or any other personally identifiable information;
(4) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access personally identifiable information;
(5) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
(6) Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information (see Office of Management and Budget guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).
(c) The contractor may provide its own training or use the training of another agency unless the contracting agency specifies that only its agency-provided training is acceptable (see 24.302(b)).
(d) The contractor is required to maintain and, upon request, to provide documentation of completion of privacy training for all applicable employees.
(e) No contractor employee shall be permitted to have or retain access to a system of records, create, collect, use, process, store, maintain, disseminate, disclose, or dispose, or otherwise handle personally identifiable information, or design, develop, maintain, or operate a system of records, unless the employee has completed privacy training that, at a minimum, addresses the elements in paragraph (b) of this section.
24.302 Contract clause.
(a) The contracting officer shall insert the clause at FAR 52.224-3, Privacy Training, in solicitations and contracts when, on behalf of the agency, contractor employees will-
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records.
(b) When an agency specifies that only its agency-provided training is acceptable, use the clause with its Alternate I.