FAR 52.224-3—Privacy Training.
Plain-English Summary
FAR 52.224-3, Privacy Training, sets the contractor training requirements that apply when contractor personnel will handle personally identifiable information (PII) or work with a system of records on behalf of the government. It defines PII by reference to OMB Circular A-130, then requires initial and annual privacy training for employees who access a system of records, handle PII, or design, develop, maintain, or operate a system of records. The clause also specifies the minimum content of the training, including the Privacy Act of 1974, proper safeguarding and authorized use of PII and systems of records, restrictions on unauthorized equipment, prohibitions on unauthorized access or disclosure, and breach response procedures. It requires contractors to keep proof of training and provide it to the contracting officer on request, and it bars contractors from granting access or handling privileges to untrained employees. The clause also flows down to covered subcontracts, ensuring subcontractor personnel receive the same protections. Alternate I shifts the training obligation to the agency when the agency requires only agency-provided training, which is important because it changes who delivers the training but not the underlying privacy protection objective. In practice, this clause is a compliance control designed to reduce privacy incidents, support Privacy Act compliance, and make sure every covered worker understands how to protect sensitive federal information.
Key Rules
PII definition controls scope
The clause defines personally identifiable information by reference to OMB Circular A-130, focusing on information that can identify or trace an individual alone or when combined with other data. This definition determines which employees and activities fall within the training requirement.
Training is mandatory and recurring
Covered contractor employees must complete initial privacy training and annual refresher training thereafter. The requirement applies before or during performance as needed to ensure no covered employee works without current training.
Covered employees are broadly identified
Training is required for employees who access a system of records, handle PII on behalf of an agency, or design, develop, maintain, or operate a system of records. The clause reaches both direct handling of data and technical support roles that affect the system.
Training content must be role-based
Privacy training must be tailored to the employee’s role and include foundational and more advanced material, with testing or other measures to verify understanding. At a minimum, it must cover the Privacy Act, safeguarding PII, authorized use, restrictions on unauthorized equipment, prohibitions on unauthorized access or disclosure, and breach response procedures.
Agency training may satisfy the requirement
Completion of an agency-developed or agency-conducted training course is deemed to satisfy the clause’s content requirements. Under Alternate I, if the agency specifies that only agency-provided training is acceptable, the agency must provide the initial and annual training for the contract term.
Documentation must be maintained
The contractor must keep records showing completion of privacy training and provide that documentation to the contracting officer upon request. This creates an audit trail and supports oversight and compliance verification.
No access without training
The contractor may not allow an employee access to a system of records or permit the employee to handle PII unless the employee has completed the required privacy training. This makes training a condition precedent to access and work authorization.
Flowdown to subcontractors is required
The substance of the clause, including paragraph (f), must be included in subcontracts when subcontractor employees will access a system of records, handle PII, or work on a system of records. Prime contractors must ensure subcontractors meet the same privacy training obligations.
Responsibilities
Contracting Officer
Ensure the clause is included when prescribed, request and review training documentation as needed, and oversee contractor compliance with privacy training and flowdown requirements. Under Alternate I, the contracting officer must rely on the agency’s provision of training if the agency has specified that only agency-provided training is acceptable.
Contractor
Identify all covered employees, ensure they complete initial and annual privacy training, maintain proof of completion, deny access or PII-handling duties to untrained employees, and flow the clause down to applicable subcontracts. The contractor must also ensure training content meets the clause’s minimum requirements unless agency-provided training is used.
Contractor Employees
Complete required privacy training before being allowed to access a system of records or handle PII, follow the Privacy Act and agency privacy rules, use only authorized equipment and methods, and report suspected or confirmed breaches promptly through required procedures.
Agency
When Alternate I applies, provide initial and annual privacy training for contractor employees for the duration of the contract. Agencies may also develop or conduct training that satisfies the clause’s content requirements under the basic clause.
Subcontractors
Ensure their covered employees receive the required privacy training and comply with the same privacy protections, training standards, and access restrictions that apply to the prime contractor’s workforce.
Practical Implications
Contractors need a reliable way to identify which employees are covered, because the trigger is not limited to IT staff; anyone who touches PII or a system of records may need training.
Training must be current before access is granted, so onboarding and role changes should be tied to a compliance check rather than handled informally.
The clause is not satisfied by generic cybersecurity awareness training alone; the content must address Privacy Act obligations, PII handling, unauthorized equipment, and breach response.
Documentation matters. If the contracting officer asks for proof, the contractor should be able to produce completion records quickly and accurately.
Flowdown is easy to miss in subcontracting, but failure to include the clause can create a compliance gap for subcontractor personnel who handle PII or systems of records.
Under Alternate I, contractors should confirm early whether the agency will provide the training, because that affects scheduling, access control, and contract administration.
Official Regulatory Text
As prescribed in 24.302, insert the following clause:
Privacy Training (Jan 2017)
(a) Definition. As used in this clause, "personally identifiable information" means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular A-130, Managing Federal Information as a Strategic Resource).
(b) The Contractor shall ensure that initial privacy training, and annual privacy training thereafter, is completed by contractor employees who-
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or
(3) Design, develop, maintain, or operate a system of records (see also FAR subpart 24.3 and 39.105).
(c)(1) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover-
(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
(ii) The appropriate handling and safeguarding of personally identifiable information;
(iii) The authorized and official use of a system of records or any other personally identifiable information;
(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access personally identifiable information;
(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of personally identifiable information (see OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).
(2) Completion of an agency-developed or agency-conducted training course shall be deemed to satisfy these elements.
(d) The Contractor shall maintain and, upon request, provide documentation of completion of privacy training to the Contracting Officer.
(e) The Contractor shall not allow any employee access to a system of records, or permit any employee to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise handle personally identifiable information, or to design, develop, maintain, or operate a system of records unless the employee has completed privacy training, as required by this clause.
(f) The substance of this clause, including this paragraph (f), shall be included in all subcontracts under this contract, when subcontractor employees will-
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records.
(End of clause)
Alternate I (Jan 2017). As prescribed in 24.302(b), if the agency specifies that only its agency-provided training is acceptable, substitute the following paragraph (c) for paragraph (c) of the basic clause:
(c) The contracting agency will provide initial privacy training, and annual privacy training thereafter, to Contractor employees for the duration of this contract.