Skip to main content

GSA Contracting

Note: The information on this page is intended to inform members of the public of GSA's privacy policies and practices as they apply to GSA employees, contractors, and clients.

 Privacy Act Contracting Mandates

  • The Privacy Act applies to Federal government contractors who operate systems of records containing personal information.
  • When an agency contracts for the design, operation, maintenance, or use of systems containing information covered by the Privacy Act, the contractor and its employees are considered employees of that agency and are subject to the same requirements for safeguarding information as Federal employees. 
  • The contractors and their employees also are subject to civil and criminal sanctions under the Act  for any violation that may occur due to oversight or negligence. 
  • An agency which fails to require that systems of records operated on its behalf under contracts be maintained according to the Act may be civilly liable to individuals injured as a consequence of any failure to maintain records in conformance with the Act.  Officers or employees of the agency may be criminally liable for any violations of the Act. 


GSA Contracting Requirements

Contract protections

The following privacy protections apply to all GSA contracts involving personal information covered by the Privacy Act: 

  • All GSA contracts and Requests for Proposals (RFP) involving Privacy Act information must adhere to the Federal Acquisition Regulations (FAR) Privacy Act provisions (Subparts 24.1 and 24.2) and include the specified contract clauses (Parts 52.224-1 and 52.224-2), as appropriate, to ensure that personal information by contractors who work on GSA-owned systems of records and the system data are protected as mandated. 
  • Any additional protections which are determined to be necessary by the program and system managers who are responsible for the system, must also be included in the contract or RFP.  

IT contract requirements

The following requirements are specific to GSA IT system contracts.  These requirements shall be incorporated into all GSA IT support contracts that contain personal data under the Privacy Act. 

  • All IT systems accessible from the Internet shall be protected by a firewall and an Intrusion Detection System and have outbound server filtering (egress) implemented at the firewall.
  • Two-factor authentication shall be used for anyone who has access to a significant number of Privacy Act data records from the Internet. 
  • Record and/or field level access controls shall be implemented on all databases.
    Security audit logging shall be implemented for all Privacy Act data accesses. 
    Log files shall be reviewed daily. 
  • All Privacy Act data shall be removed from IT systems by overwriting the media 3 times with 0s and 1s before disposal or transfer outside of GSA. 
  • All IT systems accessible from the Internet shall undergo vulnerability scanning quarterly. 
  • All IT systems shall use at least 128-bit key encryption to transfer data outside the GSA firewall. 
  • IT systems developers will only have access to Privacy Act data when it is required in the performance of their duties and compensating controls are in place, discussed and monitored. 
  • Privacy Impact Assessments (PIAs) must be completed for IT systems that are new, under development, or undergoing major modifications which impact Privacy Act data.


Federal Acquisition Regulations (FAR) Privacy Act Provisions

(Excerpted from the FAR)

24.000 Scope of Part

This part prescribes policies and procedures that apply requirements of the Privacy Act of 1974 (5 U.S.C. 552a) (the Act) and OMB Circular No. A-130, December 12, 1985, to Government contracts and cites the Freedom of Information Act (5 U.S.C. 552, as amended).

Subpart 24.1- Protection of Individual Privacy

24.101 Definitions

As used in this subpart-

"Agency" means any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency.

"Individual" means a citizen of the United States or an alien lawfully admitted for permanent residence.

"Maintain" means maintain, collect, use, or disseminate.

"Operation of a system of records" means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.

"Record" means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and that contains the individual's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.

"System of records on individuals" means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

24.102 General

(a) The Act requires that when an agency contracts for the design, development, or operation of a system of records on individuals on behalf of the agency to accomplish an agency function the agency must apply the requirements of the Act to the contractor and its employees working on the contract.

 (b) An agency officer or employee may be criminally liable for violations of the Act. When the contract provides for operation of a system of records on individuals, contractors and their employees are considered employees of the agency for purposes of the criminal penalties of the Act.

 (c) If a contract specifically provides for the design, development, or operation of a system of records on individuals on behalf of an agency to accomplish an agency function, the agency must apply the requirements of the Act to the contractor and its employees working on the contract. The system of records operated under the contract is deemed to be maintained by the agency and is subject to the Act.

 (d) Agencies, which within the limits of their authorities, fail to require that systems of records on individuals operated on their behalf under contracts be operated in conformance with the Act may be civilly liable to individuals injured as a consequence of any subsequent failure to maintain records in conformance with the Act.

24.103 Procedures

(a) The contracting officer shall review requirements to determine whether the contract will involve the design, development, or operation of a system of records on individuals to accomplish an agency function.

 (b) If one or more of those tasks will be required, the contracting officer shall-

 (1) Ensure that the contract work statement specifically identifies the system of records on individuals and the design, development, or operation work to be performed; and

 (2) Make available, in accordance with agency procedures, agency rules and regulation implementing the Act.

24.104 Contract Clauses

When the design, development, or operation of a system of records on individuals is required to accomplish an agency function, the contracting officer shall insert the following clauses in solicitations and contracts:

(a) The clause at 52.224-1, Privacy Act Notification.

(b) The clause at 52.224-2, Privacy Act.

 

52.224-1 Privacy Act Notification

As prescribed in 24.104, insert the following clause in solicitations and contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function:

Privacy Act Notification (Apr 1984)

The Contractor will be required to design, develop, or operate a system of records on individuals, to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.

(End of clause)
 

52.224-2 Privacy Act

As prescribed in 24.104, insert the following clause in solicitations and contracts, when the design, development, or operation of a system of records on individuals is required to accomplish an agency function:

Privacy Act (Apr 1984)

(a) The Contractor agrees to-

(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies-

(i)          The systems of records; and

(ii)       The design, development, or operation work that the contractor is to perform;

(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and

(3) Include this clause, including this paragraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records.

(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor is considered to be an employee of the agency.

(c)(1) "Operation of a system of records," as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.

(2) "Record," as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph.

(3) "System of records on individuals," as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

(End of clause)


Contracting/Acquisition References

General Services Administration Acquisition Manual Subpart 524.1, Protection of Individual Privacy

Federal Acquisition Regulations (FAR) Subpart 24.1 Protection of Individual Privacy, and Subpart 39.1 Acquisition of Information Technology, General


FAR requirements, privacy act contracting mandates, contracting, acquisition, privacy impact assessment