Federal agencies are required to establish rules of behavior for employees and contractors with access to personally identifiable information (PII) and hold agency personnel accountable for complying with applicable privacy requirements and managing privacy risks. This necessarily requires developing, maintaining, and providing agency-wide privacy awareness and training programs for all employees and contractors.
Related Laws, Policies, and Resources:
Executive Order 13719, Establishment of the Federal Privacy Council (February 9, 2016)
This Executive Order establishes the Federal Privacy Council as the principal interagency forum to improve the privacy practices of Federal agencies and entities acting on their behalf. Among other things, it requires the Federal Privacy Council to assess and recommend how best to address the hiring, training, and professional development needs of the Federal Government with respect to privacy matters.
OMB Circular A-130, Managing Information as a Strategic Resource (July 28, 2016)
This Circular establishes general policy for the planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources, and supporting infrastructure and services. Among other things, it requires Federal agencies to develop, maintain, and provide agency-wide privacy awareness and training programs for all employees and contractors.
OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017)
This Memorandum sets forth the policy for Federal agencies to prepare for and respond to a breach of PII. Among other things, it requires Federal agencies to establish rules of behavior, including consequences for violating such rules, for employees, contractors, and others who have access to Federal information or information systems.
OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003)
This Memorandum provides information to agencies on implementing the privacy provisions of the E-Government Act of 2002. Among other things, it requires Federal agencies to inform and educate employees and contractors of their responsibility for protecting PII.