An essential component of the Department of Veterans Affairs' (VA) mission is respecting and protecting the personally identifiable information (PII) of Veterans, their families, and beneficiaries. The VA privacy workforce upholds this component through its established duties and responsibilities as set forth in VA Directive 6509.
These duties and responsibilities are driven by OMB guidance, including OMB Circular A-130, Managing Information as a Strategic Resource; by federal law such as the Privacy Act of 1974; and, most importantly, by VA's Privacy Principles. These 10 principles establish an overarching privacy framework for all VA personnel, contractors, and business partners who maintain Veteran and employee data on behalf of VA.
The table below provides the 10 principles, a description of each, and examples of how they are used.
Principle | Description | Use Case |
---|---|---|
Openness | When collecting PII, inform individuals of intended uses, disclosures, and authorities for data collection. | Ensure an adequate privacy notice is always provided to Veterans and the public when data is collected. |
Individual Participation | Individuals will be granted access to their records upon request and provided the opportunity to make corrections to their file if errors are identified. | Ensure information provided for access request disclosures only pertains to the individual making the request. |
Limited Collection | Collect only those personal data elements required to fulfill an official function or mission. | Understand the purpose of projects and systems to ensure data minimization is implemented throughout systems. |
Limited Retention | Retain personal information only for as long as necessary to fulfill the purposes for which it is collected. | Collaborate with Records Liaison Officers to implement processes to facilitate proper retention and disposal of records. |
Data Quality | Make every effort to maintain accurate, relevant, timely and complete data about individuals. | Collaborate with data owners and system owners to ensure information is kept accurate and up to date. |
Limited Internal Use | Use personal data only for lawful purposes. Access to any personal data will be limited to those individuals within VA with an official need for the data. | The System of Records Notice (SORN) program publishes the purpose for which PII is collected and which information about an individual is to be used, processed, stored, maintained, disseminated, or disclosed. The use and management of PII is limited to the parameters identified in the SORN (see VA Directive 6500). |
Disclosure | Guard all Veteran and VA employee personal data to ensure that all disclosures are made with written permission or in strict accordance with privacy laws. | Ensure Privacy Impact Assessments and System of Records Notices clearly explain information disclosures (see Release of Information, VA Handbook 6300.4, Procedures for Processing Requests for Records Subject to the Privacy Act). |
Security | All Veteran and VA employee personal data shall be protected to ensure security and confidentiality. Systems will be reviewed for compliance with the Privacy Act of 1974, the Computer Security Act of 1987, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and other statutes. | Coordinate with facility Information System Security Officers (ISSOs) to confirm that security safeguards, including administrative, technical, and physical safeguards, are implemented and periodically reviewed. |
Accountability | VA, its employees, and contractors are subject to civil and criminal penalties for certain breaches of privacy. VA shall be diligent in sanctioning individuals who violate privacy rules. | Coordinate with facility ISSOs and the Office of General Counsel to ensure consistent application of sanctions for failure to comply with privacy policies. Monitor, audit, and document compliance (see Guidance Addressing Disciplinary Actions for Privacy Violations, VAIQ 7813157, 08252017). |
Challenging Compliance | An individual may challenge VA if they believe that VA has failed to comply with these principles, privacy laws, or the rules in a system of records notice. | Investigate all privacy-related complaints and incidents and prepare reports and briefings for executive leadership. |