FAR 24.101—Definitions.
Plain-English Summary
FAR 24.101 provides the core definitions used in the Privacy Act-related subpart of FAR Part 24. It defines who counts as an "agency," who is an "individual," and what it means to "maintain" records or operate a "system of records." It also defines "personally identifiable information (PII)," "record," and "system of records on individuals," which are the key terms used to determine when Privacy Act requirements apply to federal records and contractor-handled information. In practice, these definitions matter because they establish the threshold for whether information is protected, whether a collection of records is covered, and whether agency handling of personal data triggers Privacy Act obligations such as notice, access, disclosure controls, and recordkeeping discipline. Contractors and contracting officers use these definitions to decide when contract clauses, data handling controls, and privacy safeguards are needed for work involving personal information. The section is foundational: if a dataset, file, database, or workflow fits these definitions, the agency must treat it as a Privacy Act-sensitive system rather than ordinary administrative information.
Key Rules
Agency Has Broad Meaning
"Agency" includes executive departments, military departments, Government corporations, Government-controlled corporations, other executive branch establishments including the Executive Office of the President, and independent regulatory agencies. This broad definition determines which federal entities are subject to the Privacy Act-related requirements in this subpart.
Individual Means U.S. Citizen Or LPR
For this subpart, an "individual" is limited to a citizen of the United States or an alien lawfully admitted for permanent residence. That means the Privacy Act protections referenced here apply to records about those persons, not to every person whose information a federal system may contain.
Maintain Includes Data Handling
"Maintain" is defined expansively to include collecting, using, and disseminating information, not just storing it. This means an agency can be subject to these rules at multiple stages of the information lifecycle, including when it gathers, processes, shares, or keeps records.
System Of Records Covers Retrieval By Identifier
A "system of records on individuals" is a group of records under agency control from which information is retrieved by name or by another identifying number, symbol, or particular assigned to the individual. The retrieval method is critical: if records are organized or searched by personal identifier, the system may fall within Privacy Act coverage.
Record Requires Personal Linkage
A "record" is any item or grouping of information about an individual maintained by an agency that contains the person’s name or another identifying particular such as a fingerprint, voiceprint, or photograph. The definition is broad and includes many kinds of personal data, such as education, financial, medical, criminal, and employment history.
PII Is Distinguishable Or Traceable
Personally identifiable information is information that can distinguish or trace an individual's identity, alone or when combined with other linked or linkable information. This definition is broader than a single identifier and captures data that becomes identifying when combined with other data elements.
OMB Guidance Informs PII Interpretation
The definition of PII expressly points to OMB Circular No. A-130 for further guidance. In practice, agencies and contractors should use that guidance to interpret and manage PII consistently with federal information governance and privacy controls.
Responsibilities
Contracting Officer
Identify whether the acquisition involves records, PII, or a system of records on individuals, and ensure the solicitation and contract include appropriate privacy requirements when these definitions are met. The contracting officer should also coordinate with privacy, legal, and program officials to confirm whether Privacy Act obligations apply.
Agency Privacy Official / Program Office
Determine whether the information collected, used, stored, or shared under the program fits the definitions of record, PII, or system of records, and advise on required notices, safeguards, and disclosures. These officials should help classify data and ensure the agency’s privacy compliance posture is correct.
Contractor
Handle any covered records or PII according to contract requirements and agency instructions, and recognize that collecting, using, or disseminating such information may trigger privacy controls. Contractors must protect personal data, limit use to authorized purposes, and avoid unauthorized retrieval or disclosure.
Agency Records / Information Management Personnel
Assess whether records are maintained in a way that creates a system of records, especially where retrieval is by name or other identifier, and support proper records management and privacy documentation. They should help ensure systems are described and controlled consistently with the definitions.
System Owner / IT Staff
Design and operate systems so that personal data handling, indexing, search, and retrieval methods are understood and documented, because retrieval by identifier can create Privacy Act coverage. They should implement technical controls that support privacy compliance and limit unauthorized access or disclosure.
Practical Implications
These definitions are the gatekeeper for Privacy Act compliance: if information is about an individual and is retrieved by name or another identifier, the agency may be operating a system of records with significant legal obligations.
Contractors often underestimate how broad "maintain" and "PII" are; even temporary collection, processing, or sharing can trigger privacy requirements, not just long-term storage.
A file does not have to be labeled a "database" to be covered. Spreadsheets, case files, email folders, shared drives, and workflow tools can all become systems of records if they are organized for retrieval by personal identifier.
The definition of "individual" is narrower than common usage, so agencies should confirm whether the Privacy Act applies to non-U.S. citizens and non-permanent residents before assuming coverage under this subpart.
The retrieval method is a common pitfall. Records that are not indexed by name or identifier may fall outside the system-of-records definition, while records that are searchable by those identifiers may fall inside it, even if the underlying content is similar.
Official Regulatory Text
As used in this subpart- Agency means any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency. Individual means a citizen of the United States or an alien lawfully admitted for permanent residence. Maintain means maintain, collect, use, or disseminate. Operation of a system of records means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records. Personally identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular No. A-130, Managing Federal Information as a Strategic Resource). Record means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and that contains the individual’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph. System of records on individuals means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.