AUTHORITY: 5 U.S.C. 552(a); 40 U.S.C. 121(c); 41 U.S.C. 1121(c); 41 U.S.C. 1702; 38 CFR 1.550–1.562; 1.575–1.584; and 48 CFR 1.301–1.304.
VA rules implementing the Privacy Act of 1974 are in 38 CFR 1.575 through 1.584, Safeguarding Personal Information in Department of Veterans Affairs Records.
(1) VA Handbook 6500.6, Contract Security;
(2) VA Handbook 6508.1, Procedures for Privacy Threshold Analysis and Privacy Impact Assessment;
(3) VA Handbook 6510, VA Identity and Access Management–
(i) The contracting officer will ensure that statements of work or performance work statements that require the design, development, or operation of a system of records include procedures to follow in the event of a Personally Identifiable Information (PII) breach; and
(ii) The contracting officer shall ensure that Government surveillance plans for contracts that require the design, development, or operation of a system of records include monitoring of the contractor’s adherence to Privacy Act/PII regulations. The assessing official should document contractor-caused breaches or other incidents related to PII in past performance reports. Such incidents include instances in which the contractor did not adhere to Privacy Act/PII contractual requirements.
(b) Upon receipt of a request, the contracting officer shall provide the requester with the name of the cognizant VA Freedom of Information Act (FOIA) Service Office. The VA FOIA Service Office (see http://www.oprm.va.gov/foia/) is the focal point for all FOIA requests, and official information may only be released through the cognizant FOIA Service or their authorized designee.