Please document that VA PII can never be stored or processed on non-VA hardware

[JonathanKamensDVA]

Description

We keep trying to get the message about that people aren't allowed to copy VA PII outside of VA, and yet people keep doing it.

I just checked, and to my surprise, it's not clear to me that we actually have this written down anywhere in our developer documentation.

Can we please add something like this to the top of the PII guidelines page?

PII storage and processing restrictions

VA PII may never be stored on, processed on, or transmitted through non-VA assets.

This means, for example, that you may not email files containing PII to non-VA email addresses, or store or process PII on non-VA computers, or store PII within non-VA cloud services such as Google Drive, even temporarily.

This restriction is clearly enunciated in the training which all VA employees and contractors are required to take during onboarding and periodically thereafter.

PII may be stored and processed, e.g.:

• on VA government-furnished equipment;
• within VA Azure Virtual Desktop or VA Citrix Access Gateway; and
• within the production VA.gov AWS account.

Please reach out to platform support for assistance if you need to process PII and the computing resources accessible to you are insufficient to the task .

Relevant URLs

https://depo-platform-documentation.scrollhelp.site/developer-docs/personal-identifiable-information-pii-guidelines

Which type of team are you on? (Platform team, VFS team, or Leadership)

Leadership

[taylojill]

Hi @JonathanKamensDVA - thanks for your content suggestions. The Platform Content team will review your request and put it in our backlog to refine for next steps.

[jknipes]

Work will be tracked in ticket 90357

[jknipes]

Work has been completed, we are closing this ticket