Privacy can mean many things, but as it relates to VA Privacy Service, it means the right to have some control over how your personally identifiable information (PII) is properly collected, stored, used or released. The legislation under which VA operates authorizes the collection of PII in order to provide you (and, where relevant, third parties) with services and to ensure that you are paid correctly and receive the services to which you are entitled. You have a right to have your PII kept private. VA is bound by strict confidentiality and privacy provisions laws and regulations related to social security, families, health, child support and disability services. These provisions limit how VA collects, maintains, uses, and disposes of your information and when and to whom it may be disclosed.
2. How does Privacy relate to Veterans?
Privacy is your right, as a Veteran and as a citizen. The Privacy Act 1974 governs the way VA collects, stores, provides access to, uses and discloses PII. The Privacy Act provides you with a number of rights, including:
1. To access, review, and obtain copies the information Federal government maintains on you.
2. To request corrections to records that are incorrect.
3. To obtain an accounting or list of disclosures of information maintained on you.
3. What is personally identifiable information (PII)?
Personally identifiable information (PII) is considered to be the same as VA sensitive personal information/data. PII is any information about an individual that can be used to distinguish or trace an individual’s identity, alone, or when combined with other information which is linked or linkable to a specific individual, such as: name, social security number, date and place of birth, mother’s maiden name, telephone number, driver’s license number, credit card number, photograph, finger prints, biometric records, education, financial transactions, medical history, and criminal or employment history, etc.
4. What are the risks if personally identifiable information (PII) is misused?
The individual whose PII was misused may experience some degree of adverse effects. Depending on the type of information involved, an individual may suffer social, economic, or physical harm resulting in potential loss of life, loss of livelihood, or inappropriate physical detention. Information lost may be exploited by an identity thief, and the individual may suffer from a loss of money, damage to credit, a compromise of medical records, threats, and/or harassment. The individual may also suffer tremendous losses of time and money to address the damage, embarrassment, improper denial of government benefits, blackmail, and discrimination.
Likewise, organizations may experience harm as a result of a loss of PII maintained by the organization. Harm may include administrative burden, remediation costs, financial losses, loss of public reputation and public trust, and legal liability.
5. Why should I be interested in the Privacy Act?
The Privacy Act of 1974 as amended at 5 U.S.C. 552a, is a code of fair information practices which mandates how federal agencies, like VA, maintain PII. The basic provisions of the Act require government agencies to:
1. Collect only information that is relevant and necessary to carry out VA’s function;
2. Maintain no secret records on you;
3. Explain, at the time the information is being collected, why it is needed and how it will be used;
4. Ensure that the records are used only for the reasons given, or seek your permission when another purpose for their use is considered necessary or desirable;
5. Provide adequate safeguards to protect the records from unauthorized access and disclosure;
6. Allow you to see the records kept about you and provide you with the opportunity to correct inaccuracies in your records; and
7. Allow you to find out about disclosures of your records to other agencies and persons.
The Privacy Act prohibits disclosure of these records without the written consent of the individual(s) to whom the records pertain unless one of the twelve disclosure exceptions enumerated in the Act applies. These records are held in Privacy Act ‘systems of records’ (SOR). A notice for each system of records is published in the Federal Register. These notices identify the legal authority for collecting and storing the records, individuals about whom records will be collected, what kinds of information will be collected, and how the records will be used.
The Privacy Act binds only federal agencies and covers only records in the possession and control of federal agencies.
6. What information is covered under the Privacy Act?
Only information held within a federal agency's systems of records is protected under the Privacy Act.
7. What is a System of Records?
A system of records (SOR) is a group of records under the control of a federal government agency from which personal information about an individual is retrieved by the name of the individual, or by some other identifying number, symbol, or other unique identifier.
8. What is a System of Records Notice (SORN)?
A system of records notice (SORN) is a description of any Privacy Act system of records. SORNs generally describe the 'who, what, where, and why' of a system and describe the processes for individuals to access or contest the information being held on them in that system. SORNs are required to be published in the Federal Register for a period of public comment before the system data collection (paper based or electronic) is started.
How does the government inform the public about personally identifiable information (PII) being held in its records systems that are covered by the Privacy Act?
The government informs the public about record systems covered by the Privacy Act by publishing notices in the Federal Register. These are called system of records notices (SORNs).
9. What does it mean when a system of record notice refers to a routine use?
A routine use is an agency-approved circumstance in which a record may be shared outside of VA in accordance with the purpose for which the information was collected and maintained by VA. The routine use must be included in the published notice for the system of records involved.
10. How will I know if an incident has possibly occurred that resulted in a significant compromise of my personally identifiable information (PII)?
If VA suspects your personally identifiable information (PII) has been significantly compromised, you will be notified in writing. The notification will describe the specific data involved, the facts and circumstances surrounding the incident, the protective actions VA is taking or you can take to mitigate against potential future harm, as well as a point of contact for additional information.
11. What do I do if I receive a letter from VA that my personally identifiable information (PII) has been or may have been compromised?
If you receive a notification from VA that there has been an actual or suspected compromise of your personal information, directly contact the office sending the letter. Note that you should never give out your personal information, such as a Social Security Number or financial account number over the phone unless you are certain that you are speaking with an official VA representative. If you have any concerns over the authenticity of such a notice, contact the specific privacy office to verify.
12. What should I do if I suspect my identity has been stolen?
Mitigating the harms of identity theft can be a complicated process, and time can be of the essence. For information on specific steps to be taken in response to identity theft, see the Federal Trade Commission's website, and our guide for responding to identity theft. Contact the VA Identity Theft Help Line (1-855-578-5492) for additional assistance.
13. Where can I read more about federal information privacy requirements?
Read more in our Privacy Service Resources page.
14. What is a Privacy Act Statement (PAS)?
When a federal agency requests that you provide personally identifiable information (name, date of birth, social security number, etc.) for a system of records, regardless of the method used to collect the information (i.e., forms, personal or telephonic interview, etc.), a Privacy Act Statement (PAS) is required. If the information requested will not be included in a system of records, a PAS is not required.
15. What does a Privacy Act Statement tell me?
In general, the Privacy Act Statement describes:
Authority: The federal law or Executive Order that allows the collection.
Purpose: How the collected information will be used.
Routine Uses: VA approved circumstances in which a record may be shared outside of the agency in accordance with the purpose for which the information was collected and maintained by VA.
Disclosure: Whether or not the disclosure of information is "Voluntary" or "Mandatory". It is only appropriate to cite "Mandatory" when a federal law or Executive Order of the President specifically imposes a requirement to furnish the information and provides a penalty for failure to do so. If furnishing information is a condition for granting a benefit or privilege voluntarily sought by the individual, it is voluntary for the individual to give the information.
16. How does the government inform the public about personally identifiable information (PII) being held in its records systems that are covered by the Privacy Act?
The government informs the public about record systems covered by the Privacy Act by publishing notices called system of records notices (SORNs) in the Federal Register. A listing of VA’s SORNs is available (https://www.oprm.va.gov/privacy/systems_of_records.aspx).