(b) Privacy training shall address the key elements necessary for ensuring the safeguarding of personally identifiable information or a system of records. The training shall be role-based, provide foundational as well as more advanced levels of training, and have measures in place to test the knowledge level of users. At a minimum, the privacy training shall cover—
- (1) The provisions of the Privacy Act of 1974 (5 U.S.C. 552a), including penalties for violations of the Act;
- (2) The appropriate handling and safeguarding of personally identifiable information;
- (3) The authorized and official use of a system of records or any other personally identifiable information;
- (4) The restriction on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose, or otherwise access personally identifiable information;
- (5) The prohibition against the unauthorized use of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information; and
- (6) Procedures to be followed in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling, or use of personally identifiable information (see Office of Management and Budget guidance for Preparing for and Responding to a Breach of Personally Identifiable Information).