Safeguarding and respecting the sensitive information of Veterans, their dependents, and beneficiaries is an indispensable part of VA’s mission. Ensuring that their data remains safe, uncompromised, and used only for intended purposes is a top priority for every VA employee and contractor.
VA applies leading privacy practices and adheres to data stewardship and privacy principles in managing data pertaining to all individuals on whom Personally Identifiable Information is collected and maintained. The VA Privacy Principles are a collection of principles that VA uses as guidance for how to handle personal information and evaluate information systems, processes, programs, and activities that affect individual privacy. These 10 principles establish an overarching privacy framework for all personnel and business partners who maintain Veteran and VA Employee data on behalf of VA.
The Principle of Openness
When VA collects personal data from an individual, VA will inform him or her of the intended uses of the data, the disclosures that will be made, the authorities for the data’s collection, and whether the collection is mandatory or voluntary. VA will collect no data subject to the Privacy Act unless a Privacy Act System of Records Notice has been published in the Federal Register and posted on the VA Systems of Records website.
The Principle of Individual Participation
Unless VA has claimed an exemption from the Privacy Act, everyone will be granted access to his or her records upon request, provided a list of disclosures made outside VA, and provided the opportunity to make corrections to his or her file if errors are identified.
The Principle of Limited Collection
VA will collect only those personal data elements required to fulfill an official function or mission. Those collections will be conducted by lawful and fair means.
The Principle of Limited Retention
VA will retain personal information only for as long as necessary to fulfill the purposes for which it is collected. Records will be destroyed in accordance with established VA records management principles.
The Principle of Data Quality
VA will make every effort to maintain accurate, relevant, timely and complete data about individuals.
The Principle of Limited Internal Use
VA will use personal data for lawful purposes only. Access to any personal data will be limited to those individuals within VA with an official need for the data.
The Principle of Disclosure
VA personnel will guard all personal data to ensure that all disclosures are made with written permission or in strict accordance with privacy laws.
The Principle of Security
All personal data shall be protected by safeguards appropriate to ensure security and confidentiality. Electronic systems will be periodically reviewed for compliance with the security principles of the Privacy Act, the Computer Security Act, the Health Insurance Portability and Accountability Act (HIPAA), and related statutes. Electronic collection of information will only be conducted in a safe and secure manner.
The Principle of Accountability
VA, its employees and contractors are subject to civil and criminal penalties for certain breaches of privacy. VA shall be diligent in sanctioning individuals who violate privacy rules.
The Principle of Challenging Compliance
An individual may challenge VA if he or she believes that VA has failed to comply with these principles, privacy laws, or the rules in a system of records notice. Challenges may be addressed to the VA Privacy Service.