FAR 24.1—Subpart 24.1

Definitions.

FAR 24.101 provides the core definitions used in the Privacy Act-related subpart of FAR Part 24. It defines who counts as an "agency," who is an "individual," and what it means to "maintain" records or operate a "system of records." It also defines "personally identifiable information (PII)," "record," and "system of records on individuals," which are the key terms used to determine when Privacy Act requirements apply to federal records and contractor-handled information. In practice, these definitions matter because they establish the threshold for whether information is protected, whether a collection of records is covered, and whether agency handling of personal data triggers Privacy Act obligations such as notice, access, disclosure controls, and recordkeeping discipline. Contractors and contracting officers use these definitions to decide when contract clauses, data handling controls, and privacy safeguards are needed for work involving personal information. The section is foundational: if a dataset, file, database, or workflow fits these definitions, the agency must treat it as a Privacy Act-sensitive system rather than ordinary administrative information.

General.

FAR 24.102 explains how the Privacy Act applies when the Government uses contractors to design, develop, or operate a system of records on individuals for an agency function. It covers the core rule that the agency must flow Privacy Act requirements down to the contractor and contractor employees, the special treatment of contractor personnel as agency employees for purposes of the Act’s criminal penalties when operating a system of records, and the legal status of the contractor-operated system as a system maintained by the agency and subject to the Act. It also addresses agency exposure to civil liability if the agency fails, within its authority, to require contractor-operated systems to be run in compliance with the Act. In practice, this section is about ensuring Privacy Act compliance is built into the contract, not treated as an afterthought, because contractor handling of personal records can create the same legal risks as direct agency handling. For contracting officers and program officials, it means privacy requirements must be identified early, written into the contract, and monitored during performance. For contractors, it means they may be subject to agency-imposed Privacy Act obligations and potential criminal consequences tied to improper handling of records.

Procedures.

FAR 24.103 explains the contracting officer’s procedures when a procurement may involve a Privacy Act system of records on individuals. It covers the initial review of requirements, the determination of whether the contract will require the design, development, or operation of such a system, and the follow-on steps the contracting officer must take if any of those activities are involved. Specifically, the section requires the contracting officer to identify the system of records and the related work in the contract work statement, and to make the agency’s Privacy Act rules and regulations available in accordance with agency procedures. In practice, this section is meant to ensure privacy obligations are recognized early in acquisition planning and are built into the contract rather than addressed after award. It helps protect personal information, supports compliance with the Privacy Act, and gives contractors clear notice of the privacy-sensitive work they will perform.

Contract clauses.

FAR 24.104 tells contracting officers when they must include the Privacy Act clauses in solicitations and contracts. It applies when a contractor will design, develop, or operate a system of records on individuals in order to carry out an agency function, and it specifically requires insertion of FAR 52.224-1, Privacy Act Notification, and FAR 52.224-2, Privacy Act. In practice, this section is about making sure privacy obligations are built into the contract from the start whenever contractor performance will involve a Privacy Act system of records. The rule matters because these systems contain personal information about individuals, and the government must ensure the contractor understands notice, handling, and compliance requirements before work begins. For contracting officers, this is a mandatory clause-insertion requirement, not a discretionary best practice. For contractors, it signals that performance may involve sensitive personal data and that compliance obligations will be contractually enforceable.