Coding best practices for PII
Last Updated: February 14, 2025
This document covers coding best practices for Personally Identifiable Information (PII). These practices are intended to protect the privacy and security of VA.gov users and to comply with federal privacy regulations.
Detailed information on PII, including examples, can be found at Personally Identifiable Information (PII) and Protected Health Information (PHI) and PII guidelines.
Don’t put PII into URLs or query strings
Putting PII (such as user-provided addresses or postal codes) in a URL or query string is problematic because the query string is logged to Splunk and other platforms, including Google Analytics. Because of how the logging works, it’s possible to link log entries back to individual users.
A user-friendly and secure approach is to use POST, rather than GET, and put a "Share" button on the page, which will copy the URL with the encrypted address/token onto the clipboard for the user to share. Using this approach, the PII won’t show up in the URL or query string, and therefore doesn't get logged to Splunk, etc.
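The following added example (not code from VA.gov or the Platform) contrasts what a URL-based log records for a GET request and for a POST request, and shows one way to back a "Share" button with an opaque token. The origin, path, field names and the in-memory store are assumptions made for illustration; the example uses a random token looked up server-side rather than an encrypted address.

```javascript
// Added example: origin, path, field names and the in-memory store are assumptions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const BASE = 'https://example.test/find-locations'; // placeholder origin and path

// Risky pattern: GET puts the user's input into the query string.
function buildGetRequest(fields) {
  const url = new URL(BASE);
  for (const [key, value] of Object.entries(fields)) url.searchParams.set(key, value);
  return { method: 'GET', url: url.toString() };
}

// Preferred pattern: POST carries the same fields in the body; the URL stays clean.
function buildPostRequest(fields) {
  return {
    method: 'POST',
    url: BASE,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(fields),
  };
}

// What a URL-based log or analytics hit records: method and URL, not the body.
function accessLogLine(req) {
  return `${req.method} ${req.url}`;
}

// "Share" button support: keep the fields server-side under a random token.
const shareStore = new Map(); // stand-in for a server-side store with expiry

function createShareUrl(fields) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const token = Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
  shareStore.set(token, fields);
  return `${BASE}/shared/${token}`; // this is what the button copies to the clipboard
}

// Server side: map a shared URL back to the stored fields (null if unknown).
function resolveShareUrl(shareUrl) {
  const token = new URL(shareUrl).pathname.split('/').pop();
  return shareStore.get(token) ?? null;
}

// Constructed sample input, not real user data.
const sample = { address: '123 Main St', postalCode: '20420' };
console.log(accessLogLine(buildGetRequest(sample)));  // user input appears in the log line
console.log(accessLogLine(buildPostRequest(sample))); // URL only, no user input
console.log(createShareUrl(sample));                  // opaque token in place of the address
```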
More information on URLs can be found on VA.gov Design System URL standards.
PII’s Impact on the Design System
The following Design System content and components are at a higher risk of containing PII. Take special care when working with these items.
Components:
Selection form fields
Open text fields
Content style guide items: