Overview
This section establishes the foundational terminology used in FAR Subpart 24.1 regarding the Protection of Individual Privacy, ensuring consistent interpretation of the Privacy Act of 1974 as it applies to federal procurement. It defines the scope of protected information, the entities involved, and the specific actions that constitute the management of personal data.
Key Rules
- Scope of "Individual": Privacy protections under this subpart are specifically limited to U.S. citizens and aliens lawfully admitted for permanent residence.
- Expansive View of "Maintain": The term is defined broadly to include not just storage, but the collection, use, or dissemination of data.
- PII Standard: Personally Identifiable Information is defined by its ability to distinguish or trace an identity, either alone or when combined with other linked information, per OMB Circular A-130.
- System of Records Criteria: A "system of records" exists only if the agency (or contractor) retrieves the information using a specific personal identifier (e.g., name, SSN, or biometric data).
- Agency Coverage: The definition includes all executive and military departments, government-controlled corporations, and independent regulatory agencies.
Practical Implications
- Contractual Triggers: Contractors must determine whether their performance requires the "operation of a system of records" on behalf of the government. If so, specific FAR clauses (52.224-1 and 52.224-2) must be included in the contract, and the contractor becomes subject to criminal penalties for violations of the Privacy Act.
- Compliance Boundary: Because "Individual" excludes non-resident aliens, contractors must distinguish between data sets to determine which specific records fall under the mandatory FAR privacy protections versus general data security requirements.