By final rule issued January 27, the Department of Defense (DoD) updated its Privacy Program, meaning that effective February 26, 2015, certain DoD contractors will be required to comply with additional “rules of conduct.” These rules of conduct are consistent with the types of requirements imposed on federal agencies by the Privacy Act.
The final rule applies to all DoD components and to all DoD contractors (and any employee of such a contractor) involved in the “design, development, operation, or maintenance of any system of records.” Such contractors will be required to comply with expanded rules of conduct. Specifically contractors must (new requirements are in bold):
- preserve the security and confidentiality of Personally Identifiable Information (PII) on its systems;
- refrain from disclosing any PII, except as authorized by applicable statutes, or be subject to criminal penalties and/or administrative sanctions;
- report unauthorized disclosures of PII or any maintenance of a system of records not authorized by the DoD Privacy Program to the relevant privacy point of contact;
- ensure anyone with access to a system of records is properly trained under the DoD Privacy Program;
- prepare any required system of records notices (SORNs) for publication in the Federal Register;
- refrain from maintaining a system of records without first ensuring a SORN was published in the Federal Register, or face criminal penalties and/or administrative sanctions;
- minimize the collection of PII to that which is relevant and necessary to accomplish a DoD purpose;
- refrain from maintaining records describing how any individual exercises his/her First Amendment rights, except when (1) authorized by statute; (2) authorized by the individual the record is about; (3) the record is pertinent and within the scope of an authorized law enforcement activity (including intelligence or administrative activities);
- safeguard the privacy of all individuals and the confidentiality of all PII;
- limit the availability of records containing PII to DoD personnel and contractors with a need to know;
- prohibit unlawful possession, collection, or disclosure of PII whether or not within a system of records; and
- maintain all records in a mixed system of records (a system that comingles the data of U.S. citizens and non-citizens) as if all records are subject to the Privacy Act.
Implementation of this final rule may present some difficulties. For example, some of the requirements are quite vague, such as “safeguard[ing] the privacy of all individuals and the confidentiality of all PII” and minimizing “the collection of PII to that which is relevant and necessary to accomplish a DoD purpose.” The rule does provide that “DoD personnel and DoD contractors” will be provided “appropriate training” regarding the “information privacy laws, regulations, policies, and procedures governing DoD-specific procedures for handling PII.” It is unclear from the rule who will provide and pay for this training – contractors or the Government. Furthermore, failure to satisfy the requirements of the Privacy Program could result in criminal penalties under the Privacy Act, which includes misdemeanor charges and fines up to $5,000. Thus, contractors need to assess whether they already are performing contracts that involve the “design, development, operation, or maintenance of any system of records” and ensure they have processes in place to properly protect PII. To the extent contractors are required to modify their approach or implement new requirements, there may be a basis for a compensable change. For new solicitations, contractors need to factor these requirements and any resulting costs.
 A “System of Records” is a group of records under the control of a DoD component through which PII is retrieved using an individual’s name or another identifying item uniquely assigned to an individual.