
§ 1-1.327-1 General.

This section implements the Privacy Act of 1974 (Pub. L. 93-579, December 31, 1974; 5 U.S.C. 552a), and OMB Circular No. A-108, July 9, 1975. In enacting this legislation, Congress stated that "the right to privacy is a personal and fundamental right protected by the Constitution of the United States." The Privacy Act concerns rights of a citizen or a resident alien under the Act and does not extend to the rights of proprietorships in their business capacity, partnerships, businesses, or corporations.


As used herein, the following terms have the meanings set forth below:

(a) The term "agency" means any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency.

(b) The term "individual" means a citizen of the United States or an alien lawfully admitted for permanent residence.

(c) The term "maintain" includes maintain, collect, use, or disseminate.

(d) The term "record" means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

(e) The term "system of records on individuals" means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

(f) The term "operation of a system of records" means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.

(g) The term "the Act" means the Privacy Act of 1974 (Pub. L. 93-579, December 31, 1974).

§ 1-1.327-3 Statutory requirements.

(a) The purpose of the Act as it pertains to Government contracts is to guard the individual's right of privacy whenever an agency system of records on individuals is operated under contract and not by the agency. The individual's privacy is ensured by requiring the contractor to observe all the rules on privacy that apply to the agency which awards the contract. Except as otherwise provided by law, Federal agencies must maintain (see § 1-1.327-2(c)) any record of identifiable information on individuals in a manner that meets the following criteria. The action must be for a necessary and lawful purpose, the information must be current and accurate for its intended use, and adequate safeguards must be provided to prevent misuse of such information. Each agency that maintains a system of records on individuals is required, among other things, to establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records on individuals, or in maintaining any record. Further, each agency is required to instruct each person involved regarding the rules and requirements of Section 3 of the Act (5 U.S.C. 552a), including any rules and procedures adopted by the agency pursuant to Section 3 and the civil and criminal penalties for noncompliance.

(b) The paragraph in Section 3 of the Act which pertains to Government contracts states as follows:

(m) GOVERNMENT CONTRACTORS. When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section [Section 3 of the Privacy Act and the agency's implementing regulations] to be applied to such system. For purposes of subsection (i) of this section [the criminal sanctions set forth in 5 U.S.C. 552a(i)], any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section [September 27, 1975], shall be considered to be an employee of an agency.


FEDERAL PROCUREMENT REGULATIONS

(SECOND EDITION, FPR AMENDMENT 161, DECEMBER 1975)

SUBPART 1-1.3

GENERAL POLICIES


However, the criminal penalties of the Act do not extend to contractors or their employees who design or develop systems of records pursuant to a Government contract.

(c) An agency which, within the limits of its authority, fails to require that systems of records on individuals operated on its behalf under contracts be maintained in accordance with the Act may be civilly liable to individuals injured as a consequence of any subsequent failure to maintain records in conformance with the Act. Any officer or employee of the agency may be criminally liable for violations of the Act. The reference in the Act to the contractor and his employees as employees of the agency is intended only for the purposes of the criminal penalties of the Act and not to suggest that, by virtue of this language, they are employees for any other purposes.

§ 1-1.327-4 Applicability.

(a) Whenever a Federal agency contracts for the design, development, operation, or maintenance of a system of records on individuals on behalf of the agency in order to accomplish an agency function, the agency must apply the requirements of the Act to the contractor and his employees working on that contract. Systems of records on individuals operated under a contract which are designed to accomplish an agency function are deemed to be maintained by the agency and are subject to Section 3 of the Act.

(b) (1) In order to establish the applicability of the clause in § 1-1.327-5, it is necessary for the agency awarding a contract to determine whether a purpose of any system of records on individuals which may be involved is to accomplish an agency function. For the Act to be applicable, the contract need not have as its sole purpose the design, development, or operation of such a system of records, but the contract should specifically state whether it involves the design, development, or operation of a system of records. The Act is not applicable to a system of records used by a contractor as a result of his management discretion. For example, it is not applicable to systems of personnel records maintained by contractors on their own behalf.

(2) Illustrations of systems of records to which the Act applies include the following:

(i) The determinations on benefits are made by Federal agencies;

(ii) Records are maintained for administrative functions of a Federal agency, such as personnel and payroll; or

(iii) Health records are maintained by an outside contractor engaged to provide health services to agency personnel.

(3) Illustrations of systems of records to which the Act does not apply include the following:

(i) Records are maintained by the contractor on individuals whom the contractor employs in the process of providing goods and services to the Federal Government; or

(ii) An agency contracts with a State or private educational organization to provide training, and the records generated on contract students pursuant to their attendance (admission forms, grade reports) are similar to those maintained on other students and are commingled with their records on other students.

§ 1-1.327-5 Procedures.

(a) All procurement requirements shall be reviewed to determine whether the design, development, or operation of a system of records on individuals to accomplish an agency function will be required, and the related contract shall identify specifically which of those functions is to be performed by the contractor. If the design, development, or operation of such a system is required, related solicitations and contracts shall include the notification set forth in § 1-1.327-5(b) and the clause set forth in § 1-1.327-5(c). Pertinent implementing agency rules and regulations shall be made available in accordance with agency procedures. All contract work statements shall specifically identify (1) the system or systems of records and (2) the work to be performed by the contractor in terms of any one of the following: (i) design, (ii) development, or (iii) operation.

(b) The following notification shall be included in every solicitation and resulting contract, and in every contract awarded without a solicitation, when the statement of work requires the design, development, or operation of a system of records on individuals for an agency function:

PRIVACY ACT NOTIFICATION

This procurement action requires the Contractor to do one or more of the following: design, develop, or operate a system of records on individuals to accomplish an agency function in accordance with the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.

(c) The following clause shall be included in every solicitation and resulting contract, and in every contract awarded without a solicitation, when the statement of work requires the design, development, or operation of a system of records on individuals to accomplish an agency function.

PRIVACY ACT

(a) The Contractor agrees:

(1) To comply with the Privacy Act of 1974 and the rules and regulations issued pursuant to the Act in the design, development, or operation of any system of records on individuals in order to accomplish an agency function when the contract specifically identifies (i) the system or systems of records and (ii) the work to be performed by the contractor in terms of any one or combination of the following: (A) design, (B) development, or (C) operation;

(2) to include the solicitation notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation when the statement of work in the proposed subcontract requires the design, development, or operation of a system of records on individuals to accomplish an agency function; and

(3) to include this clause, including this paragraph (3), in all subcontracts awarded pursuant to this contract which require the design, development, or operation of such a system of records.

(b) In the event of violations of the Act, a civil action may be brought against the agency involved where the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency where the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act when the contract is for the operation of a system of records on individuals to accomplish an agency function, the contractor and any employee of the contractor is considered to be an employee of the agency.

(c) The terms used in this clause have the following meanings:

(1) "Operation of a system of records" means performance of any of the activities associated with maintaining the system of records including the collection, use, and dissemination of records.

(2) "Record" means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

(3) "System of records" on individuals means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.


Subpart 101-32.17-Privacy and Data Security for ADP and Telecommunications Systems

§ 101-32.1700 Scope of subpart.

tation documents and certifications for procuring ADP and telecommunications equipment, software, and services.

The Privacy Act of 1974 (5 U.S.C. 552a) (Act) sets forth certain safeguards to protect personal privacy by requiring agencies to abide by the provisions of the Act. Keeping only an essential minimum of records is the most effective protection against further incursions into personal privacy and is a major goal of this Act. This subpart applies to interagency, intra-agency, ADP and commercial service arrangements. This subpart informs the agencies of rules and procedures concerning ADP and telecommunications to be followed by agencies in making use of, or providing, interagency ADP services involving or potentially involving a system of records, as defined by the Act. This subpart also sets forth the procedures to be followed by agencies in preparing solicitation documents and certifications for procuring ADP and telecommunications equipment, software, maintenance, and services which involve or are planned to involve a system of records, as defined by the Act.

Terms used in this subpart are defined as follows:

(a) "Agency" as defined in section 551 (1) of title 5, United States Code, includes any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency.

(b) "Individual" means a citizen of the United States or an alien lawfully admitted for permanent residence.

(c) "Maintain" includes maintain, collect, use or disseminate.

(d) "Record" means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment

(e) "System of records" means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

(f) "Threats and hazards" means any man-made or natural event, the occurrence of which may result in the loss, alteration, or unauthorized access to data.

(g) "Safeguards" means those procedures, methods, and devices which have as their specific function the prevention of threats and hazards or the mitigation of their effects.

(h) "Rules of conduct" means those administrative procedures, methods of work, and standards of conduct which together define the manner in which persons involved in the design, development, operation, or maintenance of systems of records will design, maintain, collect, use, or disseminate such records.

(i) "Government contractor" means any individual or other entity who contracts to operate by or on behalf of an agency a system of records to accomplish an agency function.

§ 101-32.1703 Security and privacy requirements.

(a) The Privacy Act of 1974 requires that each agency that maintains a system of records shall:

(1) Maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by Executive order of the President (5 U.S.C. 552a(e) (1)). Thus, protection of privacy is promoted by limiting the amount of information maintained.

(2) Establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records or in maintaining any record, and instruct each such person with respect to those rules and the requirements of this section, including rules and procedures adopted pursuant to this section and the penalties for noncompliance (5 U.S.C. 552a (e) (9)).

(3) Establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained (5 U.S.C. 552a (e) (10)). It should be noted that the development of appropriate safeguards will necessarily be tailored to the requirements of the system of records being maintained. In addition, the need to provide safeguards may be influenced by other considerations such as ensuring continuity of agency operations, protecting proprietary data, protecting national security information, and ensuring accuracy and reliability of information.

FEDERAL PROPERTY MANAGEMENT REGULATIONS
(AMENDMENT E-205, MARCH 1976)

PART 101-32

GOVERNMENT-WIDE AUTOMATED DATA
MANAGEMENT SERVICES

(b) Guidelines and a definition of responsibilities for implementing the Act are described in the Office of Management and Budget (OMB) Circular No. A-108, dated July 1, 1975, and supplements thereto.


(a) Make all reports and notices required under OMB Circular No. A-108 and supplements thereto;

(b) Determine its data confidentiality and security requirements before storing, processing, or transmitting systems of records at a provider agency's facility;

(c) Include in its screening of ADP and telecommunications services and/or equipment resources an examination of the ability of each (provider agency) resource to meet its data confidentiality and security requirements. (Specifically, the adequacy of available technical, administrative, and physical safeguards to counter anticipated threats and hazards must be evaluated);

(d) Satisfy itself that the rules of conduct governing the activities of personnel of the provider agency are commensurate with its data confidentiality and security requirements;

(e) Obtain services from only those provider agencies that fully meet the user agency's data confidentiality and security requirements;

(f) Recognize that the records it transmits, stores, or processes at the facility of a provider agency will be considered to be maintained by the user agency; and

(g) Establish written rules governing the disclosure by a provider agency of records considered to be maintained by the user agency.


A provider agency shall:

(a) As specified in § 101-32.1703(a), develop rules of conduct for personnel involved in design, development, operation, or maintenance of equipment, systems, or services used to store, process, or transmit systems of records;

(b) In accordance with § 101-32.1703 (a), undertake a continuing program of review of its operations to ensure that threats and hazards to data confidentiality and security are properly identified and that appropriate safeguards are implemented;

(c) Make available rules of conduct and information on safeguards to user agencies;

(d) Refrain from disclosing any records stored, processed, or transmitted for a user agency except to that agency or under written rules established and provided by that user agency; and

(e) Make known to user agencies changes in its perception of threats and hazards to data confidentiality and security or any changes in the safeguards implemented to protect against those threats and hazards. User agencies may use information on such changes to reevaluate their usage of the provider agency's services or equipment.

§ 101-32.1705 Contractors' responsibilities.

Subsequent to the effective date of the Act (September 27, 1975), all persons, including contractors, who are involved in the design, development, operation, or maintenance of any system of records, or the maintenance of any record, are sub

FEDERAL PROPERTY MANAGEMENT REGULATIONS (AMENDMENT E-184, MARCH 1976)
