Privacy
IT contracts must include specific privacy protections, safeguards, and inspection requirements to comply with the Privacy Act and ensure ongoing data security.
Overview
FAR 39.105 requires agencies to ensure that contracts for information technology (IT) address privacy protection in accordance with the Privacy Act (5 U.S.C. 552a) and FAR Part 24. For contracts involving the design, development, or operation of a system of records using commercial IT services or support, agencies must include specific privacy-related provisions. These provisions mandate that contractors and their employees follow agency rules of conduct, guard against identified threats and hazards, implement specified safeguards, and comply with government inspection programs to maintain and improve privacy protections throughout contract performance.
Key Rules
- Privacy Act Compliance: Contracts for IT must comply with the Privacy Act and FAR Part 24 requirements for protecting personal information.
- System of Records Contracts: Contracts for IT systems of records must include agency rules of conduct, a list of threats and hazards, required safeguards, and government inspection requirements.
Responsibilities
- Contracting Officers: Ensure all IT contracts include required privacy provisions and oversight mechanisms.
- Contractors: Adhere to agency rules, implement safeguards, guard against threats, and cooperate with inspections.
- Agencies: Develop rules of conduct, identify threats, specify safeguards, and conduct ongoing inspections.
Practical Implications
- This section exists to ensure that personal data handled by contractors is protected in line with federal law.
- It impacts daily contracting by requiring detailed privacy planning and ongoing oversight.
- Common pitfalls include failing to specify threats, specifying inadequate safeguards, or omitting inspection protocols, any of which can lead to noncompliance and data breaches.