Subpart 824.1 - Protection of Individual Privacy

824.102 General.

VA rules implementing the Privacy Act of 1974 are in 38 CFR 1.575 through 1.584, Safeguarding Personal Information in Department of Veterans Affairs Records.

824.103 Procedures.

(c) The contracting officer shall reference the following documents in solicitations and contracts that require the design, development, or operation of a system of records -

(1) VA Handbook 6500.6, Contract Security;

(2) VA Handbook 6508.1, Procedures for Privacy Threshold Analysis and Privacy Impact Assessment;

(3) VA Handbook 6510, VA Identity and Access Management -

(i) The contracting officer will ensure that statements of work or performance work statements that require the design, development, or operation of a system of records include procedures to follow in the event of a Personally Identifiable Information (PII) breach; and

(ii) The contracting officer shall ensure that Government surveillance plans for contracts that require the design, development, or operation of a system of records include monitoring of the contractor's adherence to Privacy Act/PII regulations. The assessing official should document contractor-caused breaches or other incidents related to PII in past performance reports. Such incidents include instances in which the contractor did not adhere to Privacy Act/PII contractual requirements.