(a) The Contracting Officer shall review all acquisition request documentation to determine whether the Privacy Act requirements are applicable. The Privacy Act requirements apply when a contract or order will require the contractor to design, develop, or operate any Privacy Act system of records on individuals to accomplish an agency function. When applicable, the Contracting Officer shall include the two Privacy Act clauses required by FAR 24.104 in the solicitation and contract or order. In addition, the Contracting Officer shall include the two FAR Privacy Act clauses, and other pertinent information specified in this subpart, in any modification which results in the Privacy Act requirements becoming applicable to a contract or order.
(b)(1) The Contracting Officer shall identify in the SOW/PWS the system(s) of records to which the Privacy Act and the implementing regulations are applicable.
(2) The Contracting Officer shall include the clause specified in 352.224-70, Privacy Act, in solicitations, contracts, and orders that involve Privacy Act requirements to notify the contractor that it and its employees are subject to criminal penalties for violations of the Privacy Act (5 U.S.C. 552a(i)) to the same extent as HHS employees. The clause also requires the contractor to ensure that each of its employees knows the prescribed rules of conduct and each contractor employee is aware that he/she is subject to criminal penalties for violations of the Privacy Act. These requirements also apply to all subcontracts awarded under the contract or order that require the design, development, or operation of a system of records. The Contracting Officer shall send the contractor a copy of 45 CFR Part 5b, which includes the rules of conduct and other Privacy Act requirements.
(c) The Contracting Officer shall specify in the contract SOW/PWS the disposition to be made of the system(s) of records upon completion of contract performance. The contract SOW/PWS may require the contractor to destroy the records, remove personal identifiers, or turn the records over to the Contracting Officer. If there is a legitimate need for a contractor to keep copies of the records after completion of a contract, the contractor must take measures, as approved by the Contracting Officer, to keep the records confidential and protect the individuals' privacy.
(d) For any acquisition subject to Privacy Act requirements, the Project Officer, prior to award, or the COTR, after award, shall prepare and have published in theFederal Registera “system notice,” describing HHS' intent to establish a new system of records on individuals, to make modifications to an existing system, or to disclose information in regard to an existing system. The Project Officer shall attach a copy of the system notice to the acquisition plan or other acquisition request documentation. If a system notice is not attached, the Contracting Officer shall inquire about its status and shall obtain a copy from the Project Officer for inclusion in the contract file. If a system notice has not been published in theFederal Register,the Contracting Officer may proceed with the acquisition but shall not award the contract until the system notice is published and the Contracting Officer verifies its publication.