department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Add info about ICNs and uniquely identifying users in logs to the PII guidelines page #87709

Open JonathanKamensDVA opened 1 week ago

JonathanKamensDVA commented 1 week ago

Description

Suggested new content:

Notes and policies regarding ICNs

Veterans with whom VA interacts, as well as beneficiaries, employees, IT users, healthcare providers, and others whom the VA interacts with, are assigned unique Integration Control Numbers (ICNs). The VA's authoritative identity service, which both stores identity information and assigns ICNs, is the Master Person Index (MPI).

Contrary to what you may have heard, ICNs are PII and should be treated as such. This means, among other things:

  • no storing them in systems not authorized to store PII, such as Datadog, Sentry, Google Analytics, and Domo;

  • no storing them in unencrypted database fields unless necessary to solve a technical problem for which no other solution is feasible;

  • no storing datasets containing them on non-GFE; and

  • no viewing or accessing them without a legitimate business purpose.

In addition, apps built on VA.gov should avoid using ICNs to link stored data to specific VA.gov users; the user_account_uuid value should be used instead. More generally, ICNs should be stored in as few locations as possible.

Uniquely identifying users in logs

As noted above, a user's user_account_uuid can be used to link stored data to specific VA.gov users. This includes in logs sent to Datadog, Sentry, etc., i.e., it is permissible to include the user_account_uuid in log messages so that those logs can be linked back to the VA.gov user they're associated with.

From the fact that they are allowed to log user_account_uuid values, developers sometimes erroneously conclude, "That must mean that user_account_uuid values are not PII!" This is a common enough misconception that clarification is in order.

Any identifier which can be used to uniquely identify an individual is considered PII. There are two reasons why, despite this, we allow user_account_uuid to be logged:

  • We are required by law and VA policy to limit our storage and use of PII to what is necessary to provide services. It would simply be too hard for us to operate VA.gov if it were impossible for us to ever associate log entries with specific users. That is, we need to be able to log some unique identifier, and this requirement is one of the reasons why user_account_uuid exists.

  • Because user_account_uuid is randomly generated, i.e., there is no objective meaning about specific individuals that can be derived from it, and it is only used within VA.gov and its supporting systems such as Datadog, by design its Confidentiality Impact Level is low, giving us more leeway in how it can be used.

Also, I noticed while preparing this content that https://depo-platform-documentation.scrollhelp.site/developer-docs/mvi says "Master Persons Index" when it should say "Master Person Index", so perhaps we could fix this?

Relevant URLs

https://depo-platform-documentation.scrollhelp.site/developer-docs/personal-identifiable-information-pii-guidelines

Which type of team are you on? (Platform team, VFS team, or Leadership)

I'm the Information Security Lead.
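An added example, not part of this issue or of the documentation it proposes: a small Ruby helper showing the logging rule above in code, where a log payload carries only user_account_uuid as the user link, ICN-shaped tokens are scrubbed out of free-text messages, and a final check rejects payloads that still contain a forbidden field. The ICN shape used by the regex (ten digits, a literal "V", six digits), the key list, and the sample values are assumptions made for the example.

```ruby
require 'json'
require 'securerandom'

# Assumed ICN shape for this example: ten digits, a literal "V", six digits.
# This is an assumption, not taken from MPI documentation.
ICN_PATTERN = /\b\d{10}V\d{6}\b/

# Fields that must never reach Datadog/Sentry-style sinks. ICN is PII;
# the randomly generated user_account_uuid is the permitted per-user key.
FORBIDDEN_KEYS = %w[icn ssn].freeze

# Replace any ICN-looking token in free text with a fixed marker, so a
# message that interpolated an ICN does not leak it to the log sink.
def scrub_icns(text)
  text.gsub(ICN_PATTERN, '[ICN REDACTED]')
end

# Build a structured log payload for a user record. Only user_account_uuid
# is copied across; the ICN is dropped entirely rather than hashed.
def log_payload(user, event, message)
  {
    event: event,
    user_account_uuid: user.fetch(:user_account_uuid),
    message: scrub_icns(message)
  }
end

# Last-line check before shipping: true if a forbidden key appears at any
# nesting depth of the payload (hashes and arrays are walked recursively).
def contains_forbidden_key?(payload)
  case payload
  when Hash
    payload.any? { |k, v| FORBIDDEN_KEYS.include?(k.to_s) || contains_forbidden_key?(v) }
  when Array
    payload.any? { |v| contains_forbidden_key?(v) }
  else
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample user; the ICN value is made up for illustration.
  user = { icn: '1012345678V123456', user_account_uuid: SecureRandom.uuid }
  payload = log_payload(user, 'claim_lookup', 'lookup failed for ICN 1012345678V123456')
  raise 'PII in log payload' if contains_forbidden_key?(payload)
  puts JSON.generate(payload)
end
```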

jknipes commented 1 week ago

Hi @JonathanKamensDVA, thanks for your content suggestions. The Platform Content team will review your request and put it in our backlog to refine for next steps.

laucon commented 5 days ago

@JonathanKamensDVA First, thank you for writing this so clearly. It makes my job so easy. lol

I added the paragraphs to Personal Identifiable Information (PII) guidelines and they should be deployed today at some point between 3:30 and 5pm ET. I wasn't sure where on the page to put the new paragraphs, so I took a guess and I put them both below the section, "PII with the PersonalInformationLog" and above the section, "An open source reminder." If you would prefer that the new paragraphs are located on a different part of the page, just let me know and I can move them.

Also, the errors you mentioned on Master Persons Index (MPI)/Master Person Index (MPI) have now been fixed. That will also be deployed at some point between 3:30 and 5pm ET today.

laucon commented 5 days ago

@JonathanKamensDVA While editing Personal Identifiable Information (PII) guidelines, I found a broken link that must have recently become broken. On Personal Identifiable Information (PII) guidelines, under the section, "Existing capabilities" it says:

"error report filtering in Sentry using a custom list of sanitized fields"

This link is broken. When you open the link, it shows "File not found" in github. Do you know how to correct this link so it no longer goes to a "File not found" page?

laucon commented 5 days ago

This is now done and I think we can close it.