Permanent Note: On May 1, 2006, the Interim Internal Purchasing Guidelines were replaced by the Postal Service’s Supplying Principles and Practices (SPs and Ps).
Effective October 31, 2014, the following parts and sections of the SPs and Ps have been revised:
7 USPS Supplying Practices General Practices
Section 7-14, Privacy Considerations, has been revised as follows:
Throughout the text, the term “personally identifiable information” has been replaced with the term “Personal Information” or the term “information pertaining to individuals.” The first paragraph has been revised to state that the Postal Service makes records available to the public consistent with the public interest and the Privacy Act. The second paragraph has been revised to state that when the Postal Service purchases IT or information gathering services, or when the Postal Service purchases other services that involve the collection and generation of information pertaining to individuals, coordination with the Privacy Office and the Corporate Information Security Office (CISO) is necessary, as discussed in section 8-4, Information Technology and Handbook AS-353.
The third paragraph has been revised to change the url reference to the Postal Service’s privacy policy and add language regarding aspects of Clause 1-1, Privacy Protection.
Clauses and Provisions
Clause 1-1, Privacy Protection has been revised as follows:
- In para a: the reference to Handbook AS-353, Guide to Privacy, the Freedom of Information Act, and Records Management, has been added to ensure the inclusion of USPS policies within the Clause and clarify that “maintaining” a system of records includes using and deleting records.
- In para b: the term “customer and employee information” has been replaced with the term “Personal Information” to ensure that the clause explicitly applies to all personal information regardless of the status of the individual.
- In para b(1): the url to the Postal Service’s Privacy Policy has been changed.
- In para b(2): language has been added stating (1) that a supplier may not maintain access to or store any Personal Information data outside the United States; (2) that, unless the contract states otherwise, the supplier must turn over all Postal Service Personal Information and any copies thereof to the Postal Service, and certify to this; and (3) that if required by the contract, the supplier must destroy the information and any copies thereof, and certify to this.
- In para b(4): the breach notification requirements have been revised to state that the supplier must notify the contracting officer and the Chief Privacy Officer as soon as possible but no later than 24 hours after the detection of a suspected or confirmed breach.
- In para b(5): a citation to 39 CFR sections 265.11 and 265.12, which specify the requirements a supplier must follow if a legal demand is made for Postal Service Personal Information, has been added.
- In para c: text has been added stating that in the circumstances discussed in the paragraph, the supplier must comply with the limitations set forth in the Official Postal Service Privacy Policy.
