FAR 39.105—Privacy.
Plain-English Summary
FAR 39.105 requires agencies to build privacy protections into information technology contracts and to align those contracts with the Privacy Act (5 U.S.C. 552a) and FAR part 24. In practice, this section is about making sure contractors handling systems of records do not merely deliver technical services, but also operate under clear privacy-related controls. It specifically addresses contracts for the design, development, or operation of a system of records when commercial information technology services or IT support services are involved. The rule requires agencies to include contractor conduct rules, identify anticipated threats and hazards, specify the safeguards the contractor must provide, and establish a Government inspection program during performance. Its purpose is to reduce the risk of unauthorized disclosure, misuse, or loss of personal information and to ensure privacy protections remain effective throughout contract performance.
Key Rules
Privacy Act compliance required
Agencies must ensure IT contracts protect privacy in accordance with the Privacy Act and FAR part 24. This means privacy requirements are not optional add-ons; they must be incorporated into the contract structure and performance expectations.
Applies to systems of records
The additional requirements apply to contracts for the design, development, or operation of a system of records using commercial IT services or IT support services. A system of records is a defined Privacy Act term: a group of records under agency control from which information is retrieved by an individual's name or some other identifying particular assigned to that individual. The focus is therefore on contracts in which the contractor handles personal data in a way that triggers Privacy Act obligations, not on every contract that happens to touch personal information.
Contractor conduct rules
The contract must include agency rules of conduct that the contractor and its employees are required to follow. These rules set behavioral expectations for handling records, access, disclosure, and other privacy-sensitive activities.
Threats and hazards identified
The agency must provide a list of anticipated threats and hazards the contractor must guard against. This gives the contractor a clear risk baseline and helps ensure safeguards are tailored to the actual privacy risks involved.
Specific safeguards required
The contract must describe the safeguards the contractor must specifically provide. These safeguards should be concrete enough to support compliance, monitoring, and enforcement rather than leaving protection measures vague.
Government inspection program
The contract must require a program of Government inspection during performance to verify that safeguards remain effective and efficient and to detect and counter new threats and hazards. This creates an ongoing oversight mechanism, not just a one-time compliance check.
Responsibilities
Agency
Ensure all IT contracts address privacy in accordance with the Privacy Act and FAR part 24. For covered systems of records contracts, include contractor rules of conduct, identify anticipated threats and hazards, specify required safeguards, and establish a Government inspection program.
Contracting Officer
Translate the agency’s privacy requirements into enforceable contract language, ensure the required privacy provisions are included in applicable solicitations and contracts, and support oversight mechanisms that allow inspection and enforcement during performance.
Contractor
Follow the agency’s rules of conduct, protect against the identified threats and hazards, implement the required safeguards, and cooperate with Government inspections and any corrective actions needed to maintain privacy protection.
Contractor Employees
Comply with the agency’s rules of conduct and handle records and personal information only in ways permitted by the contract and applicable privacy requirements.
Government Inspectors/Oversight Officials
Conduct inspections during performance to verify that safeguards continue to work effectively, identify emerging threats or weaknesses, and ensure corrective measures are taken when needed.
Practical Implications
Privacy requirements must be built into the contract up front; they are difficult to fix later if omitted from the solicitation or award documents.
Contract language should be specific. Vague references to “protecting privacy” are not enough if the contract involves a system of records and commercial IT services or IT support services; the rules of conduct, threats and hazards, safeguards, and inspection program each need to be stated in terms that can be monitored and enforced.
Contractors should expect ongoing oversight, not just initial compliance review. Government inspection can occur during performance to test whether safeguards still work.
A common pitfall is failing to distinguish ordinary IT work from work involving a system of records, which can lead to missing required Privacy Act protections.
Another risk is treating safeguards as generic cybersecurity measures only; this section requires privacy-focused controls tied to the identified threats, hazards, and rules of conduct.
Official Regulatory Text
Agencies shall ensure that contracts for information technology address protection of privacy in accordance with the Privacy Act (5 U.S.C. 552a) and part 24. In addition, each agency shall ensure that contracts for the design, development, or operation of a system of records using commercial information technology services or information technology support services include the following:
(a) Agency rules of conduct that the contractor and the contractor’s employees shall be required to follow.
(b) A list of the anticipated threats and hazards that the contractor must guard against.
(c) A description of the safeguards that the contractor must specifically provide.
(d) Requirements for a program of Government inspection during performance of the contract that will ensure the continued efficacy and efficiency of safeguards and the discovery and countering of new threats and hazards.