This document covers the rules, processes, and requirements for dealing with any personally identifiable information (PII) collected or stored by the VSP platform. These guidelines are intended to protect the privacy and security of VA.gov users and comply with federal privacy regulations.
OMB memorandum M-07-16 includes extensive details about securing PII, including this brief definition:
The term "personally identifiable information" refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
We expect developers to use the minimum amount of PII required by their application and be aware of where and how that data is stored throughout the web request lifecycle.
There are several points in the web request lifecycle where PII can be filtered or sanitized in the
log filtering using the capabilities built into Rails
error report filtering in Sentry using a custom list of sanitized fields
This should ensure most PII is filtered automatically. If your application interacts with any new PII, especially from a new data source, you should ensure that the PII is filtered in both the Rails log and in any errors thrown by the application. You may need to add new PII fields to the Sentry PII sanitizer.
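As an added example (not code from vets-api or the Platform team), the following plain-Ruby scrubber shows the pattern behind both filtering points described above: one list of PII field names drives a recursive redaction that can feed Rails' `config.filter_parameters` and a Sentry `before_send` hook. The field list, the sample params, and the helper names (`pii_key?`, `scrub_pii`, `sanitize_sentry_event`) are assumptions for illustration, not the platform's own sanitizer.

```ruby
# Added example, not vets-api code: a recursive PII scrubber of the kind used
# for Rails log filtering and Sentry error-report sanitizing.
require 'set'

# Field names treated as PII (constructed list; the platform keeps its own).
# Matching is case-insensitive and recurses into nested hashes and arrays,
# so { veteran: { ssn: ... } } is scrubbed as well as a top-level ssn key.
PII_FIELDS = Set.new(%w[ssn social_security_number icn edipi birth_date
                        date_of_birth mothers_maiden_name]).freeze

FILTERED = '[FILTERED]'.freeze

# A key is PII if it equals a listed field or carries it as an
# underscore-delimited token ("veteran_ssn", "participant_icn").
# Plain substring matching is avoided so that "picnic" does not match "icn".
def pii_key?(key)
  k = key.to_s.downcase
  PII_FIELDS.any? { |f| k.match?(/(\A|_)#{f}(_|\z)/) }
end

# Return a copy of obj with every PII-keyed value replaced by FILTERED.
# Non-PII values, including nested structures, are preserved.
def scrub_pii(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(key, value), out|
      out[key] = pii_key?(key) ? FILTERED : scrub_pii(value)
    end
  when Array
    obj.map { |v| scrub_pii(v) }
  else
    obj
  end
end

# Sentry-style hook: scrub the event's extra context and request data before
# the event leaves the process. The Sentry Ruby SDK calls before_send with
# (event, hint); here the event is a plain Hash to keep the example
# dependency-free. In a real app this would be wired as
#   config.before_send = ->(event, _hint) { sanitize_sentry_event(event) }
# and the same key list would feed Rails with
#   config.filter_parameters += PII_FIELDS.to_a
def sanitize_sentry_event(event)
  event.merge(
    'extra' => scrub_pii(event.fetch('extra', {})),
    'request' => scrub_pii(event.fetch('request', {}))
  )
end

# Constructed sample (not real data): a params hash as it might appear in a
# request log after a form submission.
SAMPLE_PARAMS = {
  'controller' => 'v0/claims',
  'veteran' => {
    'first_name' => 'Jane',
    'ssn' => '000-00-0000',          # constructed placeholder
    'icn' => 'CONSTRUCTED-ICN-0001'  # constructed placeholder
  },
  'dependents' => [{ 'name' => 'Sam', 'date_of_birth' => '2010-01-02' }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts scrub_pii(SAMPLE_PARAMS).inspect
  puts sanitize_sentry_event('message' => 'boom',
                             'extra' => { 'edipi' => '1' },
                             'request' => { 'data' => SAMPLE_PARAMS }).inspect
end
```

Keeping the key list in one place is the point: when a new data source introduces a field such as a new identifier, adding it to the list updates both the request log and the error reports at once, which is the check to make whenever a feature touches new PII.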
PII with the
If you must log PII to implement a specific solution, the VSP application does have a PersonalInformationLog which is designed to store PII. This can be useful for tracking the data relating to specific errors involving PII, logging PII during the rollout of new features, or running scheduled tasks that require access to PII.
Any use of the PersonalInformationLog will require additional review from the platform engineering team, and you are advised to discuss the need for storing PII early in the development process.
An open source reminder
Much of the Platform code, including vets-website, is open source and available to anyone through GitHub. This means that you should be particularly careful about embedding anything that could be PII in your code, especially in tests.
Common PII that you should avoid:
Any data that uniquely identifies an individual, such as SSN, ICN, or EDIPI numbers
Any private settings configuration, in
If you have any questions about PII and protecting it, you should discuss it with your project lead or request help from the Platform in Slack.