Part 324--Protection of Privacy and Freedom of Information
HHS Acquisition Regulation (HHSAR)
Sections on this page:
- Subpart 324.1--Protection of Individual Privacy
- Subpart 324.2--Freedom of Information Act
Authority: 5 U.S.C. 301; 40 U.S.C. 121(c)(2).
Subpart 324.1--Protection of Individual Privacy
324.000 Scope of subpart.
This part prescribes policies and procedures that apply requirements of the Privacy Act of 1974 (5 U.S.C. 552a) and OMB Circular A-130, Revised, November 30, 2000, to HHS contracts and cites the Freedom of Information Act (5 U.S.C. 552, as amended).
(a) It is HHS policy to protect the privacy of individuals to the maximum possible extent, while permitting the exchange of records required to fulfill HHS administrative and program responsibilities and its responsibilities for disclosing records to which the general public is entitled under the Freedom of Information Act (5 U.S.C. 552). The Privacy Act of 1974 and the HHS implementation under 45 CFR Part 5b apply "when an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish any agency function..." The key factor is whether an HHS function is involved. Therefore, the Privacy Act requirements apply to an HHS contract when, under the contract, the contractor must maintain or operate a system of records to accomplish an HHS function.
(e) The Project Officer, and, as necessary, the official designated as the OPDIV’s Privacy Act Coordinator and OGC-GLD, shall determine the applicability of the Privacy Act to each proposed acquisition. The Project Officer is required to include a statement in the AP or other acquisition request document indicating whether the Privacy Act is or is not applicable to a proposed acquisition.
(f) Whenever a Contracting Officer is informed that the Privacy Act is not applicable, but the resultant contract will involve the collection of individually identifiable personal data by the contractor, the Contracting Officer shall include provisions to protect the confidentiality of the records and the privacy of individuals identified in the records.
(a) The Contracting Officer shall review all acquisition request documentation to determine whether the Privacy Act requirements are applicable. The Privacy Act requirements apply when a contract or order will require the contractor to design, develop, or operate any Privacy Act system of records on individuals to accomplish an agency function. When applicable, the Contracting Officer shall include the two Privacy Act clauses required by FAR 24.104 in the solicitation and contract or order. In addition, the Contracting Officer shall include the two FAR Privacy Act clauses, and other pertinent information specified in this subpart, in any modification which results in the Privacy Act requirements becoming applicable to a contract or order.
(b) (1) The Contracting Officer shall identify in the SOW/PWS the system(s) of records to which the Privacy Act and the implementing regulations are applicable.
(2) The Contracting Officer shall include the clause specified in 352.224-70, Privacy Act, in solicitations, contracts, and orders that involve Privacy Act requirements to notify the contractor that it and its employees are subject to criminal penalties for violations of the Privacy Act [5 U.S.C. 552a(i)] to the same extent as HHS employees. The clause also requires the contractor to ensure that each of its employees knows the prescribed rules of conduct and each contractor employee is aware that he/she is subject to criminal penalties for violations of the Privacy Act. These requirements also apply to all subcontracts awarded under the contract or order that require the design, development, or operation of a system of records. The Contracting Officer shall send the contractor a copy of 45 CFR Part 5b, which includes the rules of conduct and other Privacy Act requirements.
(c) The Contracting Officer shall specify in the contract SOW/PWS the disposition to be made of the system(s) of records upon completion of contract performance. The contract SOW/PWS may require the contractor to destroy the records, remove personal identifiers, or turn the records over to the Contracting Officer. If there is a legitimate need for a contractor to keep copies of the records after completion of a contract, the contractor must take measures, as approved by the Contracting Officer, to keep the records confidential and protect the individuals’ privacy.
(d) For any acquisition subject to Privacy Act requirements, the Project Officer, prior to award, or the COTR, after award, shall prepare and have published in the Federal Register a "system notice," describing HHS’ intent to establish a new system of records on individuals, to make modifications to an existing system, or to disclose information in regard to an existing system. The Project Officer shall attach a copy of the system notice to the acquisition plan or other acquisition request documentation. If a system notice is not attached, the Contracting Officer shall inquire about its status and shall obtain a copy from the Project Officer for inclusion in the contract file. If a system notice has not been published in the Federal Register, the Contracting Officer may proceed with the acquisition but shall not award the contract until the system notice is published and the Contracting Officer verifies its publication.
Subpart 324.2--Freedom of Information Act
The Contracting Officer, upon receiving a FOIA request, shall follow HHS and OPDIV procedures. As necessary, the Contracting Officer shall coordinate all actions with the cognizant Freedom of Information (FOI) Officer and the OGC-GLD. Only the FOI Officer is authorized to release or deny release of records. The Contracting Officer shall be familiar with the entire FOIA regulation in 45 CFR Part 5.
Content last reviewed on August 20, 2015