The Privacy Act of 1974 (5 U.S.C. § 522a) requires agencies to establish appropriate administrative, technical, and physical safeguards to ensure the security of records and to protect against any anticipated threats or hazards to their security that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom information is maintained.

Questions have been raised whether an approved insurance provider (AIP) must obtain a Non-Disclosure Statement from contractors of affiliates who have access to protected information.

Appendix 1, SECTION XV. NON-DISCLOSURE, of the Standard Reinsurance Agreement for 2011 and subsequent years states that the AIP must ensure that its affiliates and contractors are fully aware of the need to protect information and the requirement to collect non-disclosure statements from all persons having access to Protected Information. Affiliates and contractors, in turn, must ensure that all persons having access to Protected Information who are either employed by or have contracted with them, must sign an INDIVIDUAL NON-DISCLOSURE STATEMENT (NDS) and submit it to the contractor or affiliate. The contractor or affiliate of the AIP must maintain copies of all such NDSs and have them available for inspection. This applies to any person who has the ability to access Protected Information, regardless of whether they do so in the regular course of their business. For example, if an affiliate contracts with an organization like DocuSign and any DocuSign employee has access to Protected Information, such employees must execute an INDIVIDUAL NON-DISCLOSURE STATEMENT.

Item (a)(5) specifically states that the AIP must obtain an annual certification from each of its contractors and affiliates that the respective contractor or affiliate has obtained a NDS from each person who has access to any Protected Information and who is employed by or has a contract with the contractor or the affiliate. The purpose of the annual certification is to ensure that the contractor or affiliate annually reviews its files to determine that any new employees or other persons having access to the Protected Information have signed a NDS. The AIP must maintain copies of all such certifications and have them available for inspection.

This Informational Memorandum does not change existing policy or procedure, or existing responsibilities in requiring the AIP to achieve certification for non-disclosure procedures but clarifies that NDSs are required for affiliates, contractors, and contractors of affiliates.

DISPOSAL DATE: 
December 31, 2016