FAR 24.3—Subpart 24.3

Privacy training.

FAR 24.301 establishes the contractor privacy training requirement for employees who handle Privacy Act information or work with systems of records. It covers who must be trained, when training must occur, what the training must include, who may provide the training, what records the contractor must keep, and the access restriction that bars untrained employees from handling personally identifiable information (PII) or working on a system of records. In practice, this section is meant to reduce Privacy Act violations, prevent unauthorized disclosure or misuse of PII, and ensure contractor personnel understand how to safeguard sensitive government information. It also ties privacy training to breach response, so employees know what to do if a suspected or confirmed breach occurs. For contractors, this means privacy training is not optional or merely administrative; it is a condition for allowing covered employees to access or handle protected information. For contracting officers and agencies, it provides a compliance tool to ensure contractor personnel are trained to the same basic privacy standards expected of federal employees.

Contract clause.

FAR 24.302 tells contracting officers when to include the Privacy Training clause, FAR 52.224-3, in solicitations and contracts. It applies when contractor employees, on behalf of the agency, will have access to a system of records, will create, collect, use, process, store, maintain, disseminate, disclose, dispose of, or otherwise handle personally identifiable information (PII), or will design, develop, maintain, or operate a system of records. The section also addresses the special case where the agency requires only agency-provided privacy training, in which case the contracting officer must use Alternate I of the clause. In practice, this provision is a trigger for privacy compliance obligations in contracts that involve sensitive personal data or Privacy Act systems of records. It matters because it ensures contractor personnel receive appropriate privacy training before handling protected information or working with systems that contain such information, reducing the risk of unauthorized disclosure, mishandling, or Privacy Act violations.