
FAR 52.224-3 - Privacy Training.

Current Status

DEVIATION ACTIVE

WARNING: This clause is affected by 1 active class deviation. Use the deviation text, NOT the standard clause text from the eCFR.
Last Checked: 2026-03-11 19:35 UTC
Authoritative Source: https://www.ecfr.gov/current/title-48/section-52.224-3

Active Class Deviations

2023-O0008 - Class Deviation 2023-O0008 – Commercial Products and Commercial Services Omnibus Clause for Acquisitions Using the Procurement Desktop-Defense System

Effective: None
Effect: MODIFY

Modify clause 52.224-3

Compare clause text (side-by-side)

Standard Clause Text (eCFR)

52.224-3 Privacy Training.
As prescribed in 24.302(a), insert the following clause:
Privacy Training (JAN 2017)
(a) Definition. As used in this clause, personally identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular A-130, Managing Federal Information as a Strategic Resource).
(b) The Contractor shall ensure that initial privacy training, and annual privacy training thereafter, is completed by contractor employees who—
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or
(3) Design, develop, maintain, or operate a system of records (see also FAR subpart 24.1 and 39.105).
(c)(1) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover—
(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
(ii) The appropriate handling and safeguarding of personally identifiable information;
(iii) The authorized and official use of a system of records or any other personally identifiable information;
(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access personally identifiable information;
(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of personally identifiable information (see OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).
(2) Completion of an agency-developed or agency-conducted training course shall be deemed to satisfy these elements.
(d) The Contractor shall maintain and, upon request, provide documentation of completion of privacy training to the Contracting Officer.
(e) The Contractor shall not allow any employee access to a system of records, or permit any employee to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise handle personally identifiable information, or to design, develop, maintain, or operate a system of records unless the employee has completed privacy training, as required by this clause.
(f) The substance of this clause, including this paragraph (f), shall be included in all subcontracts under this contract, when subcontractor employees will—
(1) Have access to a system of records;
(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or
(3) Design, develop, maintain, or operate a system of records.
(End of clause)
Alternate I (JAN 2017). As prescribed in 24.302(b), if the agency specifies that only its agency-provided training is acceptable, substitute the following paragraph (c) for paragraph (c) of the basic clause:
(c) The contracting agency will provide initial privacy training, and annual privacy training thereafter, to Contractor employees for the duration of this contract.
[81 FR 93481, Dec. 20, 2016]

As Modified by Deviation

52.224-3, Privacy Training (JAN 2017) (5 U.S.C. 552a).
(B) Alternate I (JAN 2017) of 52.224-3.
(xxi) 52.225-26, Contractors Performing Private Security Functions Outside the United States (OCT 2016) (Section 862, as amended, of the National Defense Authorization Act for Fiscal Year 2008; 10 U.S.C. Subtitle A, Part V, Subpart G Note).
(xxii) 52.226-6, Promoting Excess Food Donation to Nonprofit Organizations (JUN 2020) (42 U.S.C. 1792). Flow down required in accordance with paragraph (e) of FAR clause 52.226-6.
(xxiii) 52.232–40, Providing Accelerated Payments to Small Business Subcontractors (MAR 2023) (31 U.S.C. 3903 and 10 U.S.C. 3801). Flow down required in accordance with paragraph (c) of 52.232–40.
(xxiv) 52.247–64, Preference for Privately Owned U.S.-Flag Commercial Vessels (NOV 2021) (46 U.S.C. 55305 and 10 U.S.C. 2631). Flow down required in accordance with paragraph (d) of FAR clause 52.247–64.
(2) While not required, the Contractor may include in its subcontracts for commercial products and commercial services a minimal number of additional clauses necessary to satisfy its contractual obligations.
(End of clause)
Alternate I (2023-OZZZZ) (OCT 2023). As prescribed in 12.301(b)(4)(i), delete paragraph (a) from the basic deviation clause, redesignate paragraph (b)(1) as paragraph (a), and redesignate paragraphs (b)(1)(i) through (b)(1)(xxiv) as paragraphs (a)(1) through (a)(24) and redesignate paragraph (b)(2) as paragraph (b).
Alternate II (2023-OZZZZ) (OCT 2023). As prescribed in 12.301(b)(4)(ii), substitute the following paragraphs (a)(1) and (b)(1) for paragraphs (a)(1) and (b)(1) of the basic deviation clause as follows:
Attachment, Class Deviation 2023-O0008, Commercial Products and Commercial Services Omnibus Clause for Acquisitions Using the Procurement Desktop-Defense System. Changes are indicated by a change bar in the right-hand margin.
(a)(1) The Comptroller General of the United States, an appropriate Inspector General appointed under section 3 or 8G of the Inspector General Act of 1978 (5 U.S.C. App.), or an authorized representative of either of the foregoing officials shall have access to and right to—
(i) Examine any of the Contractor’s or any subcontractors’ records that pertain to, and involve transactions relating to, this contract; and
(ii) Interview any officer or employee regarding such transactions.
(b)(1) Notwithstanding the requirements of any other clause in this contract, the Contractor is not required to flow down any FAR clause in a subcontract for commercial products or commercial services, other than—
(i) Paragraph (a) of this clause. This paragraph flows down to all subcontracts, except the authority of the Inspector General under paragraph (a)(1)(ii) does not flow down; and
(ii) Those clauses listed in this paragraph (b)(1). Unless otherwise indicated below, the extent of the flow down shall be as required by the clause—
(A) 52.203-13, Contractor Code of Business Ethics and Conduct (NOV 2021) (41 U.S.C. 3509).
(B) 52.203-15, Whistleblower Protections Under the American Recovery and Reinvestment Act of 2009 (JUN 2010) (Section 1553 of Pub. L. 111-5).
(C) 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab and Other Covered Entities (NOV 2021) (Section 1634 of Pub. L. 115-91).
(D) 52.204–25, Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment. (NOV 2021) (Section 889(a)(1)(A) of Pub. L. 115–232).
(E) 52.204–27, Prohibition on a ByteDance Covered Application (JUN 2023) (Section 102 of Division R of Pub. L. 117–328).
(F) 52.219-8, Utilization of Small Business Concerns (SEP 2023) (15 U.S.C. 637(d)(2) and (3)), in all subcontracts that offer further subcontracting opportunities. If the subcontract (except subcontracts to small business concerns) exceeds the applicable threshold specified in FAR 19.702(a) on the date of subcontract award, the subcontractor must include 52.219–8 in lower tier subcontracts that offer subcontracting opportunities.
(G) 52.222-21, Prohibition on Segregated Facilities (APR 2015)
(H) 52.222-26, Equal Opportunity (SEP 2016) (E.O. 11246).
(I) 52.222-35, Equal Opportunity for Veterans (JUN 2020) (38 U.S.C. 4212).
(J) 52.222-36, Equal Opportunity for Workers with Disabilities (JUN 2020) (29 U.S.C. 793).
(K) 52.222-40, Notification of Employee Rights Under the National Labor Relations Act (DEC 2010) (E.O. 13496). Flow down required in accordance with paragraph (f) of FAR clause 52.222-40.
(L) 52.222-41, Service Contract Labor Standards (AUG 2018) (41 U.S.C. Chapter 67).
(M)__(1) 52.222-50, Combating Trafficking in Persons (NOV 2021) (22 U.S.C. Chapter 78 and E.O. 13627).
__(2) Alternate I (MAR 2015) of...

Full Current Text

52.224-3 Privacy Training.

As prescribed in 24.302(a), insert the following clause:

Privacy Training (JAN 2017)

(a) Definition. As used in this clause, personally identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular A-130, Managing Federal Information as a Strategic Resource).

(b) The Contractor shall ensure that initial privacy training, and annual privacy training thereafter, is completed by contractor employees who—

(1) Have access to a system of records;

(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or

(3) Design, develop, maintain, or operate a system of records (see also FAR subpart 24.1 and 39.105).

(c)(1) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover—

(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;

(ii) The appropriate handling and safeguarding of personally identifiable information;

(iii) The authorized and official use of a system of records or any other personally identifiable information;

(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access personally identifiable information;

(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and

(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of personally identifiable information (see OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).

(2) Completion of an agency-developed or agency-conducted training course shall be deemed to satisfy these elements.

(d) The Contractor shall maintain and, upon request, provide documentation of completion of privacy training to the Contracting Officer.

(e) The Contractor shall not allow any employee access to a system of records, or permit any employee to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise handle personally identifiable information, or to design, develop, maintain, or operate a system of records unless the employee has completed privacy training, as required by this clause.

(f) The substance of this clause, including this paragraph (f), shall be included in all subcontracts under this contract, when subcontractor employees will—

(1) Have access to a system of records;

(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or

(3) Design, develop, maintain, or operate a system of records.

(End of clause)

Alternate I (JAN 2017). As prescribed in 24.302(b), if the agency specifies that only its agency-provided training is acceptable, substitute the following paragraph (c) for paragraph (c) of the basic clause:

(c) The contracting agency will provide initial privacy training, and annual privacy training thereafter, to Contractor employees for the duration of this contract.

[81 FR 93481, Dec. 20, 2016]