Overview
This section mandates the inclusion of specific Privacy Act clauses in federal solicitations and contracts when a contractor is tasked with designing, developing, or operating a system of records on individuals to fulfill an agency function.
Key Rules
- Trigger for Use: The requirement applies specifically when a contractor handles a "system of records" (information retrieved by an individual's name or identifier) to perform an agency's mission.
- Mandatory Clauses: The Contracting Officer is required to insert:
- FAR 52.224-1 (Privacy Act Notification): Notifies the contractor that the system of records is subject to the Privacy Act of 1974.
- FAR 52.224-2 (Privacy Act): Outlines the specific compliance requirements and potential criminal penalties for non-compliance.
- Agency Function: The rules apply only when the work is being done to accomplish a function of the government agency, effectively treating the contractor as an extension of the agency for privacy purposes.
Practical Implications
- Legal Liability: Contractors must recognize that under these clauses, they and their employees can be held civilly and criminally liable for violations of the Privacy Act, just as government employees are.
- Operational Requirements: Contractors must implement strict administrative, technical, and physical safeguards to protect personal data, as defined by the underlying agency’s privacy regulations.