FAR 52.224—[Reserved]
Contents
- 52.224-1 Privacy Act Notification.
FAR 52.224-1, Privacy Act Notification, is a solicitation and contract clause used when a contractor will design, develop, or operate a system of records on individuals to carry out an agency function. The clause alerts the contractor that the work is subject to the Privacy Act of 1974, 5 U.S.C. 552a, and to applicable agency Privacy Act regulations. Its purpose is to put the contractor on notice that handling personal information in a covered system of records is not just a routine contract task, but a legally regulated activity with potential criminal consequences for violations. In practice, this clause is a trigger for privacy compliance planning: contractors must understand whether the work involves a Privacy Act system of records, what agency rules apply, and how records must be protected, used, and disclosed. Contracting officers use the clause to ensure the contractor is formally informed of the legal framework before performance begins. The clause does not itself spell out all Privacy Act duties, but it ties the contract work to those duties and makes compliance expectations explicit.
- 52.224-2 Privacy Act.
FAR 52.224-2, Privacy Act, tells agencies when they must put Privacy Act requirements into solicitations, contracts, and subcontracts for work involving a system of records on individuals. It covers the threshold for using the clause, the contractor’s duty to comply with the Privacy Act of 1974 and agency implementing rules, subcontract flowdown requirements, the legal effect of violations, and key definitions such as “operation of a system of records,” “record,” and “system of records on individuals.” In practice, this clause matters when a contractor will design, develop, or operate a system that stores and retrieves personal information by name or other identifier for an agency function. It also makes clear that, for Privacy Act purposes, a contractor operating such a system is treated like an agency employee, which can create direct compliance and liability implications. The clause is intended to protect personal information, ensure proper handling of records, and make sure privacy obligations are carried through the prime contract and down to subcontractors.
- 52.224-3 Privacy Training.
FAR 52.224-3, Privacy Training, sets the contractor training requirements that apply when contractor personnel will handle personally identifiable information (PII) or work with a system of records on behalf of the government. It defines PII by reference to OMB Circular A-130, then requires initial and annual privacy training for employees who access a system of records, handle PII, or design, develop, maintain, or operate a system of records. The clause also specifies the minimum content of the training, including the Privacy Act of 1974, proper safeguarding and authorized use of PII and systems of records, restrictions on unauthorized equipment, prohibitions on unauthorized access or disclosure, and breach response procedures. It requires contractors to keep proof of training and provide it to the contracting officer on request, and it bars contractors from granting access or handling privileges to untrained employees. The clause also flows down to covered subcontracts, ensuring subcontractor personnel receive the same protections. Alternate I shifts the training obligation to the agency when the agency requires only agency-provided training, which is important because it changes who delivers the training but not the underlying privacy protection objective. In practice, this clause is a compliance control designed to reduce privacy incidents, support Privacy Act compliance, and make sure every covered worker understands how to protect sensitive federal information.