Government agencies, contractors, and subcontractors have specific duties to protect personal information.

In the last few decades, there’s been a proliferation of information about individuals collected, stored, and shared due to technological advances. Along with this, concerns have ratcheted about the U.S. government’s collection, aggregation, and use of personal information regarding citizens and others. Not only are individuals concerned about the government’s handling of this information, but the rise of data hackers and ways to exploit stolen personal information has also garnered great concern.

Regarding this personal information, the U.S. government has the duty to, at best, serve its citizens, at worst, not harm them intentionally or inadvertently through poor information security practices. The same goes for the government contractors it must rely on when it shares this data. 

 The Regulations 

Specific regulations have been instituted to protect this personal information. The Privacy Act of 1974 stipulates the duties of the U.S. government, its agencies, and government contractors regarding the proper collection, aggregation, and use of personal information in serving U.S. citizens. This act works alongside additions to the Federal Acquisition Regulation (FAR) that govern U.S. government contractors and subcontractors; it sets specific conditions for these parties to collect, work with, and share personal information as part of a government contract. 

Personal Information and Its Risks 

Under the regulations, personal information can pertain to a wide range of data; examples include one’s name, email, Social Security number, racial demographics, and financial information of an individual. This information can be misused or abused in two principal ways:

• A government agency can potentially use it to deny an individual of their rights, such as freedom of speech 
• A nefarious hacker can steal a person’s identity, typically to defraud them of money 

Collection and Use 

For these reasons, personal information should be subject to control. It should: 

• Only be collected for proper and specific purpose  
• Only be maintained for as long as required to serve the purpose of its collection 
• Only be disclosed or shared with others who are permitted to receive it, either by law or contract  
• Always be safeguarded from accidental or intentional disclosure 

Further, the government should not attempt to aggregate personal data not intended to serve the individual; in other words, secret databases should not be developed to track individuals.

These rules also address requirements regarding personal information handling when the technology that maintains this information may be compromised or the data is at risk of leaking out, whether inadvertently, intentionally, or by theft.

As mentioned, not only are government agencies subject to these rules, but the contractors and subcontractors that serve them also must adhere to proper personal data protections. Generally, contractors and subcontractors must maintain a personal data protection program, including a policy and procedures for appropriate collection, maintenance, disclosure, and sharing, among other elements.

Central to this program is ensuring that all employees who work with personal information under a government contract know the rules, understand proper handling protocol, and are informed about what to do if certain risks to the data arise.

These employees need to have these competencies:

• The risks to personal information due to advances in technology 
• What data must be protected under the laws and government contract 
• How to properly collect, use, and secure this data 
• When it is allowed to disclose or share the data with others 
• When to know and what to do if the technology on which this data resides suffers an incident that may compromise its security 
• When to know and what to do if the data may be vulnerable to inadvertent or improper access and disclosure 

The penalties for government contractors can be high for improper use and disclosure of this data, including suspension or debarment from government contracts.

Citizen’s personal information is not nuclear secrets, advanced encryption, or missile technology that needs to be guarded at all costs. Still, it is data for which its protection means a lot to the individuals to whom it relates. And those who work with it must adhere to high standards to protect it.

Syntrio has been providing harassment and other compliance training for over twenty years and is the industry leader. Our innovative approach focuses on ensuring that employers learn not just how to avoid liability but also a method of treating others inside and outside of work that will go a long way toward improving relationships and mitigating the stress of disrespect and bullying in the workplace. According to our research, doing so has a much greater impact than adhering to the states’ and municipalities’ training laws, which call for training on the bare minimum concepts. We look forward to speaking with a member of your organization soon to show you how we can benefit your culture, one employee at a time.