FAR 24.302—Contract clause.
Plain-English Summary
FAR 24.302 tells contracting officers when to include the Privacy Training clause, FAR 52.224-3, in solicitations and contracts. It applies when contractor employees, on behalf of the agency, will have access to a system of records, will create, collect, use, process, store, maintain, disseminate, disclose, dispose of, or otherwise handle personally identifiable information (PII), or will design, develop, maintain, or operate a system of records. The section also addresses the special case where the agency requires only agency-provided privacy training, in which case the contracting officer must use Alternate I of the clause. In practice, this provision is a trigger for privacy compliance obligations in contracts that involve sensitive personal data or Privacy Act systems of records. It matters because it ensures contractor personnel receive appropriate privacy training before handling protected information or working with systems that contain such information, reducing the risk of unauthorized disclosure, mishandling, or Privacy Act violations.
Key Rules
Insert Privacy Training Clause
The contracting officer must include FAR 52.224-3, Privacy Training, in solicitations and contracts when the work involves covered privacy-related activities. This is not optional once the trigger conditions are present.
Access to Systems of Records
The clause is required when contractor employees will have access to a system of records on behalf of the agency. A system of records is a Privacy Act concept, so the clause applies even if the contractor is not directly managing the data, as long as access is part of the performance.
Handling of PII
The clause must be used when contractor employees will create, collect, use, process, store, maintain, disseminate, disclose, dispose of, or otherwise handle personally identifiable information. The rule is broad and covers nearly any lifecycle activity involving PII.
Work on Systems of Records
The clause is also required when contractor employees will design, develop, maintain, or operate a system of records. This captures contractors involved in building or supporting systems that contain Privacy Act records, not just those who directly view the data.
Use Alternate I When Required
If the agency specifies that only agency-provided privacy training is acceptable, the contracting officer must use the clause with Alternate I. This alternate reflects the agency’s requirement that contractor personnel rely on training provided by the government rather than another source.
Responsibilities
Contracting Officer
Determine whether the contract or solicitation involves access to a system of records, handling of PII, or work on a system of records, and insert FAR 52.224-3 when any trigger applies. If the agency requires only its own training, use Alternate I.
Agency
Identify when agency-provided privacy training is the only acceptable training source and communicate that requirement so the contracting officer can apply Alternate I. Ensure the training approach aligns with agency privacy policies and operational needs.
Contractor
Ensure contractor employees who will perform covered work receive the required privacy training before or as required by the contract, and comply with the agency’s privacy handling requirements when working with PII or systems of records.
Contractor Employees
Complete required privacy training and follow the rules for handling PII and systems of records while performing contract work. They must protect sensitive information and use it only as authorized.
Practical Implications
This clause is a standard privacy compliance checkpoint for contracts involving sensitive data, so contracting teams should identify it early during acquisition planning and solicitation drafting.
A common pitfall is underestimating how broad the trigger is: the clause applies not only to direct access to records, but also to many forms of PII handling and to system design or support work.
If the agency wants only its own training used, failing to include Alternate I can create a mismatch between the contract and agency policy, leading to compliance problems or the need for a contract modification.
Contractors should plan for training costs, onboarding time, and recordkeeping because privacy training may need to be completed before personnel begin covered work.
Because the rule is tied to Privacy Act concepts, teams should coordinate with privacy officials or program staff when there is any uncertainty about whether a system is a system of records or whether the work involves PII.
Official Regulatory Text
(a) The contracting officer shall insert the clause at FAR 52.224-3 , Privacy Training, in solicitations and contracts when, on behalf of the agency, contractor employees will- (1) Have access to a system of records; (2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or (3) Design, develop, maintain, or operate a system of records. (b) When an agency specifies that only its agency-provided training is acceptable, use the clause with its Alternate I.