
Columns: Contract Clause/Language | Berkeley Lab Implementation | Assurance Systems | Status

I.67 PRIVACY ACT NOTIFICATION (APR 1984) (PREV. I.31) (FAR 52.224-1)

The Contractor will be required to design, develop, or operate a system of records on individuals to accomplish an agency function subject to the Privacy Act of 1974, Public Law 93-579, December 31, 1974 (5 U.S.C. 552a) and applicable agency regulations. Violation of the Act may involve the imposition of criminal penalties.

Implementation of systems of records is governed by Clause H-7.

N/A

In compliance

I.68 PRIVACY ACT (APR 1984) (PREV. I.32) (FAR 52.224-2)

(a) The Contractor agrees to:
(1) Comply with the Privacy Act of 1974 (the Act) and the agency rules and regulations issued under the Act in the design, development, or operation of any system of records on individuals to accomplish an agency function when the contract specifically identifies:
(i) The systems of records; and
(ii) The design, development, or operation work that the contractor is to perform; 

Implementation of Privacy Act requirements is scoped only to records associated with Privacy Act Systems of Records (SORs) identified under Cl. H-7, subject to the principle that many of those systems are in fact maintained by the DOE and that Berkeley Lab's role consists of providing DOE with access to UC-proprietary records, consistent with Cl. I-124(d), by transmitting them into these systems via upload or manual data entry into DOE-managed applications.

N/A

In compliance

(2) Include the Privacy Act notification contained in this contract in every solicitation and resulting subcontract and in every subcontract awarded without a solicitation, when the work statement in the proposed subcontract requires the redesign, development, or operation of a system of records on individuals that is subject to the Act; and

Berkeley Lab has not engaged any subcontractors to assist in managing DOE SORs. Berkeley Lab would only flow down Privacy Act requirements where the substantive work (e.g., viewing personal information, conducting background checks, etc.) on the SOR was outsourced to a subcontractor. Regardless, Berkeley Lab implements standard clauses addressing privacy and security requirements for any procurements involving data access and/or technology related to the processing of personal information.

N/A

In compliance

(3) Include this clause, including this subparagraph (3), in all subcontracts awarded under this contract which requires the design, development, or operation of such a system of records.

Berkeley Lab has not engaged any subcontractors to assist in managing DOE SORs. See above, (a)(1)-(2).

N/A

In compliance

(b) In the event of violations of the Act, a civil action may be brought against the agency involved when the violation concerns the design, development, or operation of a system of records on individuals to accomplish an agency function, and criminal penalties may be imposed upon the officers or employees of the agency when the violation concerns the operation of a system of records on individuals to accomplish an agency function. For purposes of the Act, when the contract is for the operation of a system of records on individuals to accomplish an agency function, the Contractor is considered to be an employee of the agency.

This provision highlights potential criminal and civil penalties for violating the Privacy Act. 

N/A

In compliance

(c)(1) Operation of a system of records, as used in this clause, means performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.

(2) Record, as used in this clause, means any item, collection, or grouping of information about an individual that is maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the person's name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph. 

(3) System of records on individuals, as used in this clause, means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.

No required action. This subparagraph simply highlights definitions and interpretations of Privacy Act requirements, consistent with relevant precedent and agency guidance. 

N/A

In compliance

I.69 PRIVACY TRAINING (JAN 2017) (PREV. I.163) (FAR 52.224-3)

(a) Definition. As used in this clause, “personally identifiable information” means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (See Office of Management and Budget (OMB) Circular A-130, Managing Federal Information as a Strategic Resource).

No action required.

N/A

N/A

(b) The Contractor shall ensure that initial privacy training, and annual privacy training thereafter, is completed by contractor employees who– 

(1) Have access to a system of records; 

(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information on behalf of an agency; or 

(3) Design, develop, maintain, or operate a system of records (see also FAR subpart 24.1 and 39.105).

Berkeley Lab has implemented several training modules that address key requirements under this clause, specifically:

Compliance with training requirements is tracked systematically, and role-based module assignments are reviewed periodically.

In compliance. The training modules are under revision. All modules will require a yearly refresher as of FY 2022.

(c)(1) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover–

(i) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;

(ii) The appropriate handling and safeguarding of personally identifiable information; 

(iii) The authorized and official use of a system of records or any other personally identifiable information; 

(iv) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise access personally identifiable information; 

(v) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and 

(vi) The procedures to be followed in the event of a suspected or confirmed breach of a system of records or the unauthorized disclosure, access, handling, or use of personally identifiable information (see OMB guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).

(2) Completion of an agency-developed or agency-conducted training course shall be deemed to satisfy these elements;

These requirements have been implemented through SEC0220 - Protected Information Training.

Privacy training modules are reviewed and updated regularly as a result of changes in Berkeley Lab policy and/or law, requests by Site Office personnel, or feedback by trainees. These records are maintained in the institutional training systems (BLT).

In compliance. The training module is under revision. Privacy Act requirements are currently addressed but will be revised in connection with the updated training.

(d) The Contractor shall maintain and, upon request, provide documentation of completion of privacy training to the Contracting Officer. 

Berkeley Lab maintains and, upon request, may provide access to training records as required under this paragraph.

Training records and compliance rates are reviewed during audits by Laboratory Institutional Assurance and Integrity. 

In compliance

(e) The Contractor shall not allow any employee access to a system of records, or permit any employee to create, collect, use, process, store, maintain, disseminate, disclose, dispose or otherwise handle personally identifiable information, or to design, develop, maintain, or operate a system of records unless the employee has completed privacy training, as required by this clause.

This has been implemented as to the Systems of Records listed under H-7; individuals authorized to access those systems must complete SEC0220 prior to accessing the system.

Training records and compliance rates are reviewed during audits by Laboratory Institutional Assurance and Integrity.

In compliance

(f) The substance of this clause, including this paragraph (f), shall be included in all subcontracts under this contract, when subcontractor employees will– 

(1) Have access to a system of records; 

(2) Create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise handle personally identifiable information; or 

(3) Design, develop, maintain, or operate a system of records.

Berkeley Lab has not entered into a subcontract involving subcontractor employees conducting any tasks within scope of this clause. But our standard procurement templates incorporate this requirement in the event that we ever engage in subcontracting for maintaining a system of records.

N/A

N/A

I.108 COMPUTER SECURITY (AUG 2006) (PREV. I.124) (DEAR 952.204-77)

(a) Definitions.

(1) Computer means desktop computers, portable computers, computer networks (including the DOE Network and local area networks at or controlled by DOE organizations), network devices, automated information systems, and/or other related computer equipment owned by, leased, or operated on behalf of the DOE.

(2) Individual means a DOE contractor or subcontractor employee, or any other person who has been granted access to a DOE computer or to information on a DOE computer, and does not include a member of the public who sends an e-mail message to a DOE computer or who obtains information available to the public on DOE Web sites.

No action required.

N/A

N/A

(b) Access to DOE computers. A contractor shall not allow an individual to have access to information on a DOE computer unless-- (1) The individual has acknowledged in writing that the individual has no expectation of privacy in the use of a DOE computer; and, (2) The individual has consented in writing to permit access by an authorized investigative agency to any DOE computer used during the period of that individual’s access to information on a DOE computer, and for a period of three years thereafter.

This has been implemented.

Individuals' acknowledgement of no expectation of privacy and consent to access is tracked via SEC 0203. Berkeley Lab does not require acknowledgment "before" granting access to a computer. This would potentially cause a chicken-and-egg problem, since training is conducted online and requires access. It is expected that training is completed within a reasonable time of being “granted access.” This variance is explicitly acknowledged in CSPAM.

Berkeley Lab management tracks completion of SEC 0203 and takes action to ensure appropriate certifications are completed in a timely fashion.

In Compliance

(c) No expectation of privacy. Notwithstanding any other provision of law (including any provision of law enacted by the Electronic Communications Privacy Act of 1986), no individual using a DOE computer shall have any expectation of privacy in the use of that computer.

This has been implemented. All access to Berkeley Lab systems is subject to compliance with terms and conditions made available publicly, see Terms and Conditions (lbl.gov) and Berkeley Lab policies. The internal workforce is subject to reminders through training and certifies its understanding of these requirements through Berkeley Lab Training Module SEC 0203.

Berkeley Lab management tracks completion of SEC 0203 and takes action to ensure appropriate certifications are completed in a timely fashion.

In Compliance

(d) Written records. The Contractor is responsible for maintaining written records for itself and subcontractors demonstrating compliance with the provisions of paragraph (b) of this section. The Contractor agrees to provide access to these records to the DOE, or its authorized agents, upon request.

This has been implemented. Berkeley Lab maintains substantial information reflecting and demonstrating its compliance with applicable DOE requirements, laws, and regulations.

Berkeley Lab maintains all documentation, updating documents frequently to reflect new requirements, implementation of new controls, and other topics. All documentation is inspected during assessments and audits. 

In Compliance

(e) Subcontracts. The Contractor shall insert this clause, including this paragraph (e), in subcontracts under this contract that may provide access to computers owned, leased or operated on behalf of the DOE.

This has been implemented. Berkeley Lab’s standard contractual clauses address compliance with this clause.

Berkeley Lab’s standard contractual clauses are reviewed periodically to ensure they remain compliant with this and other requirements.

In Compliance

I.124 ACCESS TO AND OWNERSHIP OF RECORDS (OCT 2014) (DEVIATION PER POLICY FLASH 2015-23) (PREV. I.80) (DEAR 970.5204-3)

(a) Government-owned records. Except as provided in paragraph (b) of this clause, all records acquired or generated by the contractor in its performance of this contract, including records series described within the contract as Privacy Act systems of records, shall be the property of the Government and shall be maintained in accordance with 36 Code of Federal Regulations (CFR), Chapter XII, Subchapter B, “Records Management.” The contractor shall ensure records classified as Privacy Act system of records are maintained in accordance with FAR 52.224-2 “Privacy Act.”

No action required.

N/A

N/A

(b) Contractor-owned records. The following records are considered the property of the contractor and are not within the scope of paragraph (a) of this clause.

(1) Employment-related records (such as worker’s compensation files; employee relations records, records on salary and employee benefits; drug testing records, labor negotiation records; records on ethics, employee concerns; records generated during the course of responding to allegations of research misconduct; records generated during other employee related investigations conducted under an expectation of confidentiality; employee assistance program records; and personnel and medical/health-related records and similar files), and non-employee patient medical/health-related records, except those records described by the contract as being operated and maintained by the Contractor in Privacy Act system of records. 

(2) Confidential contractor financial information, internal corporate governance records and correspondence between the contractor and other segments of the contractor located away from the DOE facility (i.e., the contractor's corporate headquarters); 

(3) Records relating to any procurement action by the contractor, except for records that under 48 CFR 970.5232-3 are described as the property of the Government; and 

(4) Legal records, including legal opinions, litigation files, and documents covered by the attorney-client and attorney work product privileges; and 

(5) The following categories of records maintained pursuant to the technology transfer clause of this contract:

(i) Executed license agreements, including exhibits or appendices containing information on royalties, royalty rates, other financial information, or commercialization plans, and all related documents, notes and correspondence. 

(ii) The contractor's protected Cooperative Research and Development Agreement (CRADA) information and appendices to a CRADA that contain licensing terms and conditions, or royalty or royalty rate information. 

(iii) Patent, copyright, mask work, and trademark application files and related contractor invention disclosures, documents and correspondence, where the contractor has elected rights or has permission to assert rights and has not relinquished such rights or turned such rights over to the Government.

No action required.

N/A

N/A

(c) Contract completion or termination. Upon contract completion or termination, the contractor shall ensure final disposition of all Government-owned records to a Federal Record Center, the National Archives and Records Administration, to a successor contractor, its designee, or other destinations, as directed by the Contracting Officer. Upon the request of the Government, the contractor shall provide either the original contractor-owned records or copies of the records identified in paragraph (b) of this clause, to DOE or its designees, including successor contractors. Upon delivery, title to such records shall vest in DOE or its designees, and such records shall be protected in accordance with applicable federal laws (including the Privacy Act) as appropriate. If the contractor chooses to provide its original contractor-owned records to the Government or its designee, the contractor shall retain future rights to access and copy such records as needed.

No action required.

N/A

N/A

(d) Inspection, copying, and audit of records. All records acquired or generated by the Contractor under this contract in the possession of the Contractor, including those described at paragraph (b) of this clause, shall be subject to inspection, copying, and audit by the Government or its designees at all reasonable times, and the Contractor shall afford the Government or its designees reasonable facilities for such inspection, copying, and audit; provided, however, that upon request by the Contracting Officer, the Contractor shall deliver such records to a location specified by the Contracting Officer for inspection, copying, and audit. The Government or its designees shall use such records in accordance with applicable federal laws (including the Privacy Act), as appropriate.

No action required. DOE may seek access to UC-owned records and Berkeley Lab will provide such access on request to the fullest extent required under the Contract and permitted by applicable laws and regulations. 

N/A

N/A

(e) Applicability. This clause applies to all records created, received and maintained by the contractor without regard to the date or origination of such records including all records acquired from a predecessor contractor.

No action required.

N/A

N/A

(f) Records maintenance and retention. Contractor shall create, maintain, safeguard, and disposition records in accordance with 36 Code of Federal Regulations (CFR), Chapter XII, Subchapter B, “Records Management” and the National Archives and Records Administration (NARA)-approved Records Disposition Schedules. Records retention standards are applicable for all classes of records, whether or not the records are owned by the Government or the contractor. The Government may waive application of the NARA-approved Records Disposition Schedules, if, upon termination or completion of the contract, the Government exercises its right under paragraph (c) of this clause to obtain copies of records described in paragraph (b) and delivery of records described in paragraph (a) of this clause.

This has been implemented; see 243.1B Implementation.

N/A

N/A

(g) Subcontracts

[omitted]

Omitted from this analysis as the requirements are unrelated to privacy.

N/A

N/A
