FAR 52.224-2—Privacy Act.
Plain-English Summary
FAR 52.224-2, Privacy Act, tells agencies when they must put Privacy Act requirements into solicitations, contracts, and subcontracts for work involving a system of records on individuals. It covers the threshold for using the clause, the contractor’s duty to comply with the Privacy Act of 1974 and agency implementing rules, subcontract flowdown requirements, the legal effect of violations, and key definitions such as “operation of a system of records,” “record,” and “system of records on individuals.” In practice, this clause matters when a contractor will design, develop, or operate a system that stores and retrieves personal information by name or other identifier for an agency function. It also makes clear that, for Privacy Act purposes, a contractor operating such a system is treated like an agency employee, which can create direct compliance and liability implications. The clause is intended to protect personal information, ensure proper handling of records, and make sure privacy obligations are carried through the prime contract and down to subcontractors.
Key Rules
Clause applies only when identified
The clause is prescribed only when the contract specifically identifies both the system of records and the design, development, or operation work the contractor will perform. This means the agency must know the privacy-sensitive system and the contractor’s role before the clause is triggered.
Contractor must follow Privacy Act
The contractor must comply with the Privacy Act of 1974 and the agency’s rules and regulations issued under the Act when performing covered work. This applies to design, development, or operation of a system of records on individuals to accomplish an agency function.
Mandatory subcontract flowdown
The contractor must include the Privacy Act notification in every solicitation and resulting subcontract, and in every subcontract awarded without a solicitation, when the subcontract work requires redesign, development, or operation of a covered system of records. The clause itself, including paragraph (3), must also be inserted into all such subcontracts.
Agency liability for violations
If the Act is violated, a civil action may be brought against the agency involved when the violation concerns design, development, or operation of the system of records. Criminal penalties may also apply to agency officers or employees when the violation concerns operation of the system of records.
Contractor treated as agency employee
For purposes of the Privacy Act, when the contract is for operation of a system of records on individuals to accomplish an agency function, the contractor is considered an employee of the agency. This is a legal fiction for Privacy Act purposes and affects how the contractor’s conduct is treated under the Act.
Definitions control scope
The clause defines “operation of a system of records” as maintaining the system, including collection, use, and dissemination of records. It defines “record” as information about an individual maintained by an agency and tied to an identifier, and “system of records” as records retrievable by name or other identifier.
Responsibilities
Contracting Officer
Determine whether the acquisition involves design, development, or operation of a system of records on individuals for an agency function, and insert the clause when the prescription is met. Ensure the contract specifically identifies the system of records and the contractor work covered.
Agency
Maintain and enforce Privacy Act rules and regulations applicable to the system of records, and manage compliance and liability associated with covered systems. Ensure the agency’s privacy requirements are reflected in the contract structure and oversight.
Contractor
Comply with the Privacy Act and agency implementing rules when performing covered work. Flow down the required notification and clause to subcontractors, and ensure subcontract terms match the privacy obligations in the prime contract.
Subcontractor
Follow the Privacy Act requirements and any agency rules incorporated through the subcontract when performing covered redesign, development, or operation work on a system of records. Accept the clause flowdown and comply with all related privacy obligations.
Agency Officers or Employees
When violations involve operation of a system of records, they may face criminal penalties under the Act. They must therefore handle covered records in strict accordance with Privacy Act requirements and agency procedures.
Practical Implications
This clause is not a generic privacy notice; it is tied to specific systems of records and specific contractor work, so acquisition teams must identify the covered system early.
Prime contractors must actively flow the clause down. A common mistake is assuming privacy obligations stop at the prime contract, but the clause requires inclusion in solicitations and subcontracts.
The definition of “system of records” is broad enough to capture many personnel, benefits, case management, and customer service databases if records are retrieved by name or another identifier.
Because the contractor is treated as an agency employee for operation of a system of records, contractor personnel may be exposed to the same Privacy Act consequences that apply to agency staff in that context.
Contracting officers and program offices should coordinate closely with privacy officials to confirm whether the work truly involves a covered system of records and to avoid missing required clause insertion or oversight obligations.
Official Regulatory Text
As prescribed in 24.104 , insert the following clause in solicitations and contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function: Privacy Act (Apr 1984) (a) The Contractor agrees to- (1) Comply with the Privacy Act of1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies- (i) The systems of records; and (ii) The design, development, or operation work that the contractor is to perform; (2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and (3) Include this clause, including this paragraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records. (b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor is considered to be an employee of the agency. (c) (1) "Operation of a system of records," as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records. (2) "Record," as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph. (3) "System of records on individuals," as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (End of clause)