Can a DD 254 be used for contracts with requirements to accessPrivacy Act information and what regulation or policy discusses that use?
Classified information and Privacy Act information are different and have different requirements. According to The National Industrial Security Program Operating Manual (NISPOM), Chapter 4 Classification and Marking, Section 1 Classification, information is considered classified if it is designated top secret, secret, or confidential. Whereas, Privacy Act Information pertains to “… information about an individual that is maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and that contains the individual’s name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a fingerprint or voiceprint or a photograph” as stated in FAR 24.101.
Open full Question Details
FAR 4.4 establishes requirements for contracts that contain classified information and references the DD Form 254 in paragraph 4.403(c)(1). Then DFARS 204.4 leads to PGI 204.403 for more specific guidance regarding the use of DD Form 254 for classified information pertaining to the contract. Therefore, if your contract contains any information that is designated as top secret, secret, or confidential, then you would use a DD Form 254, as appropriate.
Regarding Privacy Act information, FAR 24.1 contains the appropriate procedures and requirements for the contracting officer. Specifically, clauses 52.224-1 Privacy Act Notification and 52.224-2 Privacy Act are required to be included in solicitations and contracts “When the design, development, or operation of a system of records on individuals is required to accomplish an agency function.. . .“ These clauses contain and/or reference the appropriate safeguarding requirements that would seem to apply in your situation as you have described it.