FAR 24.102—General.
Plain-English Summary
FAR 24.102 explains how the Privacy Act applies when the Government uses contractors to design, develop, or operate a system of records on individuals for an agency function. It covers the core rule that the agency must flow Privacy Act requirements down to the contractor and contractor employees, the special treatment of contractor personnel as agency employees for purposes of the Act’s criminal penalties when operating a system of records, and the legal status of the contractor-operated system as a system maintained by the agency and subject to the Act. It also addresses agency exposure to civil liability if the agency fails, within its authority, to require contractor-operated systems to be run in compliance with the Act. In practice, this section is about ensuring Privacy Act compliance is built into the contract, not treated as an afterthought, because contractor handling of personal records can create the same legal risks as direct agency handling. For contracting officers and program officials, it means privacy requirements must be identified early, written into the contract, and monitored during performance. For contractors, it means they may be subject to agency-imposed Privacy Act obligations and potential criminal consequences tied to improper handling of records.
Key Rules
Privacy Act flows to contractors
When an agency contracts for the design, development, or operation of a system of records on individuals to carry out an agency function, the agency must apply the Privacy Act requirements to the contractor and its employees working on the contract. The contractor is not outside the Act simply because the work is outsourced.
Contract language must trigger coverage
If the contract specifically provides for design, development, or operation of a system of records on individuals on behalf of the agency, the agency must apply the Act’s requirements to the contractor and its employees. This makes the contract the vehicle for imposing the required privacy obligations.
Contractor-operated systems are agency systems
A system of records operated under such a contract is deemed to be maintained by the agency and is subject to the Privacy Act. That means the agency cannot avoid Privacy Act responsibilities by placing the system in contractor hands.
Criminal penalties can apply to contractor personnel
When a contract provides for operation of a system of records on individuals, contractor employees are treated as agency employees for purposes of the Act’s criminal penalties. Improper conduct involving the records can therefore create personal legal exposure.
Agency may face civil liability
If an agency, within the limits of its authority, fails to require contractor-operated systems to be run in conformance with the Act, the agency may be civilly liable to individuals harmed by later failures to maintain records properly. The agency must therefore ensure compliance controls are actually required and enforced.
Responsibilities
Contracting Officer
Identify when a procurement involves design, development, or operation of a system of records on individuals; ensure Privacy Act requirements are included in the solicitation and contract; and make sure the contract clearly requires contractor compliance with the Act.
Program/Requirements Officials
Tell the contracting office when the work will involve personal records or a system of records; define the privacy and operational controls needed; and support oversight to ensure the contractor handles records in accordance with the Act.
Agency
Apply the Privacy Act requirements to contractor performance, treat contractor-operated systems as agency-maintained systems, and require conformance to the Act to reduce civil liability exposure.
Contractor
Follow the Privacy Act requirements imposed by the contract, ensure employees working on the contract comply with those requirements, and protect records in a manner consistent with agency instructions and the Act.
Contractor Employees
Handle records only as authorized, comply with Privacy Act-related contract requirements, and recognize that improper conduct involving a system of records may carry criminal consequences.
Practical Implications
Privacy Act issues must be identified early in acquisition planning; waiting until award or performance can leave the agency without the right contract clauses and controls.
The key trigger is not just any data handling, but design, development, or operation of a system of records on individuals for an agency function.
Contractor personnel working on covered systems should receive clear instructions and training, because they may be treated like agency employees for criminal penalty purposes.
Agencies should not assume outsourcing reduces Privacy Act risk; the system remains an agency responsibility and can create civil liability if compliance is not required.
Common pitfalls include failing to recognize a system of records, omitting privacy requirements from the contract, and not monitoring contractor compliance after award.
Official Regulatory Text
(a) The Act requires that when an agency contracts for the design, development, or operation of a system of records on individuals on behalf of the agency to accomplish an agency function the agency must apply the requirements of the Act to the contractor and its employees working on the contract. (b) An agency officer or employee may be criminally liable for violations of the Act. When the contract provides for operation of a system of records on individuals, contractors and their employees are considered employees of the agency for purposes of the criminal penalties of the Act. (c) If a contract specifically provides for the design, development, or operation of a system of records on individuals on behalf of an agency to accomplish an agency function, the agency must apply the requirements of the Act to the contractor and its employees working on the contract. The system of records operated under the contract is deemed to be maintained by the agency and is subject to the Act. (d) Agencies, which within the limits of their authorities, fail to require that systems of records on individuals operated on their behalf under contracts be operated in conformance with the Act may be civilly liable to individuals injured as a consequence of any subsequent failure to maintain records in conformance with the Act.