Informational Memorandum-COM-16-001.1

Date
To
All Approved Insurance Providers
All Risk Management Agency Field Offices
All Other Interested Parties
From
Heather Manzano, Deputy Administrator for Compliance
Subject
Non-Disclosure Statements

Background

The Privacy Act of 1974 (5 U.S.C. § 522a) requires agencies to establish appropriate administrative, technical, and physical safeguards to ensure the security of records and to protect against any anticipated threats or hazards to their security that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual about whom information is maintained.

Questions have been raised whether an approved insurance provider (AIP) must obtain a Non-Disclosure Statement from contractors of affiliates who have access to protected information. This memorandum replaces Informational Memorandum: COM-16-001.

Action

Appendix 1, SECTION XV. NON-DISCLOSURE, of the Standard Reinsurance Agreement for 2011 and subsequent years states that the AIP must ensure that its affiliates and contractors are fully aware of the need to protect information and the requirement to collect non-disclosure statements from all persons having access to Protected Information. Affiliates and contractors, in turn, must ensure that all persons having access to Protected Information who are either employed by or have contracted with them sign an INDIVIDUAL NON-DISCLOSURE STATEMENT (NDS) and submit it to the contractor or affiliate. The contractor or affiliate of the AIP must maintain copies of all such NDSs and have them available for inspection. This applies to any person who has the ability to access Protected Information, regardless of whether they do so in the regular course of their business. For example, if an affiliate contracts with any organization, such as one that provides data processing or e-signatures, and any of that organization's employees has access to Protected Information, such employees must execute an INDIVIDUAL NON-DISCLOSURE STATEMENT.

Item (a)(5) specifically states that the AIP must obtain an annual certification from each of its contractors and affiliates that the respective contractor or affiliate has obtained an NDS from each person who has access to any Protected Information and who is employed by or has a contract with the contractor or the affiliate. The purpose of the annual certification is to ensure that the contractor or affiliate annually reviews its files to determine that any new employees or other persons having access to the Protected Information have signed an NDS. The AIP must maintain copies of all such certifications and have them available for inspection.

This Informational Memorandum does not change existing policy or procedure, or existing responsibilities in requiring the AIP to achieve certification for non-disclosure procedures, but clarifies that NDSs are required for affiliates, contractors, and contractors of affiliates.