Coding best practices for PII

Last Updated: February 14, 2025

This document covers coding best practices related to Personal Identifiable Information (PII) that are intended to protect the privacy and security of VA.gov users and comply with federal privacy regulations.

Detailed information on PII, including examples, can be found at Personally Identifiable Information (PII) and Protected Heath Information (PHI) and PII guidelines.

Don’t put PII into URLs or query strings

Putting PII (such as user-provided addresses or postal codes) in a URL or query string is problematic because it's logged as query strings into Splunk and other platforms, including Google Analytics and other platforms. Because of how the logging works, it’s possible to link log entries back to individual users.

A user-friendly and secure approach is to use POST, rather than GET, and put a "Share" button on the page, which will copy the URL with the encrypted address/token onto the clipboard for the user to share. Using this approach, the PII won’t show up in the URL or query string, and therefore doesn't get logged to Splunk, etc.

More information on URLs can be found on VA.gov Design System URL standards.

PII’s Impact on the Design System

The following Design System content and components are at a higher risk of containing PII. Take special care when working with these items.

Components:

• URLs

• Breadcrumbs

• Links

• Buttons

• Selection form fields

  • Checkboxes

  • Radio buttons

  • Select component

• Open text fields

  • Text input

  • Textarea

• Search input

Content style guide items:

• Title tags

• Alternative text for images

• Error messages

Help and feedback

• Suggest content changes to this page.

• Submit new Platform Website content.

• Get help from the Platform Support Team in Slack.

• Submit a feature idea to the Platform.