The VA Privacy Principles are a collection of principles that VA uses as guidance for how to handle personal information and evaluate information systems, processes, programs, and activities that affect individual privacy. These 10 principles establish an overarching privacy framework for all personnel and business partners who maintain Veteran and VA Employee data on behalf of VA.

  1. The Principle of Openness

    When VA collects personal data from an individual, VA will inform him or her of the intended uses of the data, the disclosures that will be made, the authorities for the data’s collection, and whether the collection is mandatory or voluntary. VA will collect no data subject to the Privacy Act unless a Privacy Act System of Records Notice has been published in the Federal Register and posted on the VA Systems of Records website.

  2. The Principle of Individual Participation

    Unless VA has claimed an exemption from the Privacy Act, everyone will be granted access to his or her records upon request, be provided a list of disclosures made outside VA, and be provided the opportunity to make corrections to his or her file if errors are identified.

  3. The Principle of Limited Collection

    VA will collect only those personal data elements required to fulfill an official function or mission. Those collections will be conducted by lawful and fair means.

  4. The Principle of Limited Retention

    VA will retain personal information only for as long as necessary to fulfill the purposes for which it is collected. Records will be destroyed in accordance with established VA records management principles.

  5. The Principle of Data Quality

    VA will make every effort to maintain accurate, relevant, timely and complete data about individuals.

  6. The Principle of Limited Internal Use

    VA will use personal data for lawful purposes only. Access to any personal data will be limited to those individuals within VA with an official need for the data.

  7. The Principle of Disclosure

    VA personnel will guard all personal data to ensure that all disclosures are made with written permission or in strict accordance with privacy laws.

  8. The Principle of Security

    All personal data shall be protected by safeguards appropriate to ensure security and confidentiality. Electronic systems will be periodically reviewed for compliance with the security principles of the Privacy Act, the Computer Security Act, the Health Insurance Portability and Accountability Act (HIPAA), and related statutes. Electronic collection of information will only be conducted in a safe and secure manner.

  9. The Principle of Accountability

    VA, its employees, and contractors are subject to civil and criminal penalties for certain breaches of privacy. VA shall be diligent in sanctioning individuals who violate privacy rules.

  10. The Principle of Challenging Compliance

    An individual may challenge VA if he or she believes that VA has failed to comply with these principles, privacy laws, or the rules in a system of records notice. Challenges may be addressed to the VA Privacy Service.