Posted on Wednesday, April 12, 2017

FAR Council Issues Mandatory Privacy Training Requirements

A new FAR clause makes Privacy Act training mandatory and warns contractors handling Privacy Act records that their employees are subject to criminal penalties for violating the Act.

Last December, the FAR Council announced a new Privacy Training Rule (FAR 52.244-3), effective January 19, 2017, that requires all contractors and subcontractors with access to personally identifiable information (PII) under certain federal contracts to receive initial and annual privacy training. The rule applies to contractor employees who (i) have access to a system of records; (ii) create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle PII on behalf of the agency; or (iii) design, develop, maintain, or operate a system of records.

Contractors may provide their own training, unless the agency specifies in the contract that only agency-provided training is acceptable. Contractors are required to maintain documentation of the completion of privacy training for all applicable employees. The mandatory, role-based privacy training must:

  • Address the provisions of the Privacy Act of 1974.
  • Be completed by employees prior to working on the contract and annually thereafter.
  • Train employees on the appropriate handling and safeguarding of PII, including the restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access PII.
  • Train employees on the authorized and official use of a system of records or any other PII, including the prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of PII.
  • Train employees on the procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of PII.
  • Test the knowledge level of the employees.
  • Include information on the criminal penalties a government contractor and its employees face for violating the Privacy Act.

Criminal Penalties

Violations of the Privacy Act by a government contractor or its employees are misdemeanors punishable by a fine of up to $5,000; there is, however, no possibility of jail time.

Because the language Congress used to describe this criminal violation is so carefully drafted, it’s important to get into the law’s wording and details.

The criminal penalty provision of the Privacy Act punishes any contractor or its employees who “knowing that disclosure of the specific material is prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it.”

There have not been many reported court decisions interpreting what “knowing” and “willful” mean in this context. There have been at least two criminal prosecutions for violations of the Privacy Act, only one of which resulted in a decision that provides us with some guidance on this issue.

In the case of United States v. Trabert, the federal district court ultimately found the defendants not guilty of violating the Privacy Act, because the prosecution did not prove “beyond a reasonable doubt that defendant ‘willfully disclosed’ protected material,” and the evidence presented constituted, “at best, gross negligence” and thus was “insufficient for purposes of prosecution under § 552a(i)(1).”

Richard Trabert was an administrator of an Army hospital that was closing. One of the doctors at the closing Army hospital, who would be seeing patients at a nearby private clinic following the closure, asked Mr. Trabert to prepare a list of patients and their addresses. Mr. Trabert prepared this list, which included PII protected by the Privacy Act, and gave it to the administrator of the private clinic.

The government charged Mr. Trabert with violating the criminal provision of the Privacy Act, but a judge concluded that the government had not proven that Mr. Trabert violated the Privacy Act beyond a reasonable doubt. The government had failed to prove that there was both a “knowing disclosure” and a “willful disclosure.”

Knowing disclosure. The federal judge held that the government could prove a “knowing disclosure” from circumstantial evidence such as the fact that the employee had taken Privacy Act training, or if there had been “a specific admonition provided as to the general application of the Privacy Act,” such as a computer screen banner warning of the Privacy Act’s applicability to information in the computer every time the computer was turned on. Significantly, the judge held that the government did not have to prove that Mr. Trabert had been told specifically that the Privacy Act applied to the list he gave the private clinic’s administrator.

However, in this case, the federal judge determined that the circumstantial evidence did not support a finding that Mr. Trabert had made a “knowing disclosure.” There was no evidence that Mr. Trabert had received Privacy Act training, or that Mr. Trabert was otherwise put on notice that the information was protected by the Privacy Act. In addition, senior personnel at the hospital knew Mr. Trabert was compiling the list, but no one had told him that this was a violation of the Privacy Act or otherwise illegal. In fact, similar lists had been prepared on other occasions by other employees of the hospital without anyone being charged with a crime.

Willful disclosure. To establish “willful disclosure,” the federal judge found that the government was required to show that Mr. Trabert “knew the information was protected by the Privacy Act and then voluntarily and purposely disclosed the information in violation of the Act.”

The federal judge concluded that Mr. Trabert was guilty at most of gross negligence. According to the judge, it was not clear to Mr. Trabert that the disclosure of the list was inappropriate. Mr. Trabert was not aware of any improper motive in providing the list to the clinic, and did not know that the doctor requesting the list wanted it for expanding his practice at the new clinic. Mr. Trabert did not have any financial motive for providing the list to the clinic, nor did he receive anything in return.

Conclusion. Trying to distinguish an unfortunate “gross negligence” disclosure from a criminal “knowing and willful disclosure” is difficult. Mr. Trabert was wrong to prepare the list and give it to the private clinic. But he did not do it with the intention of violating someone’s privacy rights protected by the Privacy Act.

A good example of conduct that goes beyond “gross negligence” comes from civil (not criminal) lawsuits against an agency that violated the employees’ Privacy Act rights. Department of Energy employees filled out personnel security questionnaires after being told that the information would be used only for security clearance purposes. But the information was then sent to the Department of Justice for the purpose of criminal prosecution. The Department of Energy had not told the employees that questionnaire information could be used for law enforcement purposes.

Berenzweig Leonard is teaming up with Red Team Consulting for a monthly newsletter featuring upcoming contracts, key protest decisions, legal updates, events, and more. This post was published in the April 2016 Monthly Insights newsletter.

Terry O’Connor is the Director of Government Contracts for Berenzweig Leonard, LLP, and can be reached at toconnor@berenzweiglaw.com. Stephanie Wilson is a Partner and Co-Director of Government Contracts at Berenzweig Leonard, LLP, and can be reached at swilson@berenzweiglaw.com.