24.102
General
When contractors handle systems of records on individuals for an agency, they must fully comply with the Privacy Act, facing the same legal liabilities as agency employees.
Overview
FAR 24.102 outlines the general requirements for agencies and contractors regarding the protection of individual privacy when handling systems of records on individuals under federal contracts. It mandates that the Privacy Act of 1974 applies to contractors and their employees when they design, develop, or operate such systems on behalf of an agency. The regulation clarifies that both agency personnel and contractors may face criminal or civil liability for violations, and that systems operated by contractors are considered agency systems for compliance purposes.
Key Rules
- Application of the Privacy Act
- Contractors and their employees must comply with the Privacy Act when working on systems of records on individuals for an agency.
- Criminal Liability
- Contractors and their employees are treated as agency employees for criminal penalties under the Act.
- System of Records Deemed Agency-Maintained
- Any system of records operated by a contractor is considered maintained by the agency and subject to the Act.
- Civil Liability for Agencies
- Agencies may be civilly liable if they fail to ensure contractor-operated systems comply with the Act, resulting in harm to individuals.
Responsibilities
- Contracting Officers: Ensure contract clauses require compliance with the Privacy Act and monitor contractor adherence.
- Contractors: Implement and maintain Privacy Act protections for systems of records on individuals.
- Agencies: Oversee contractor compliance and may face civil liability for failures.
Practical Implications
- This section ensures individual privacy is protected when agencies outsource record systems.
- Contractors must treat personal data with the same care as federal employees.
- Failure to comply can result in criminal or civil penalties for both agencies and contractors.