Version Date: October 1, 2022
Page 10 of 24
Yes, the retention schedule for the Salesforce Development Platform (SFDP) also applies to VA Help
Desk. SFDP complies with all VA retention and disposal procedures specified in VA Handbook 6300
and VA Directive 6500. Records contained in the Salesforce FedRAMP cloud will be retained as
long as the information is needed in accordance with a NARA-approved retention period. VA
manages Federal records in accordance with NARA statues including the Federal Records Act (44
U.S.C. Chapters 21, 29, 31, 33) and NARA regulations (36 CFR Chapter XII Subchapter B). SFDP
records are retained according to Record Control Schedule 10-1 Section 4. (Disposition of Records)
The appropriate NARA records retention schedule is as follows: Skill set records, GRS 2.0 item 120.
Disposition instructions: Destroy when business use ceases. DAA-GRS-2017-0007-0018.
3.3b Please indicate each records retention schedule, series, and disposition authority.
SFDP records are retained according to Record Control Schedule 10-1 Section 4. (Disposition of
Records) The appropriate NARA records retention schedule is as follows: Skill set records, GRS 2.0
item 120. Disposition instructions: Destroy when business use ceases. DAA-GRS-2017-0007-001
3.4 What are the procedures for the elimination or transfer of SPI?
Explain how records are destroyed, eliminated or transferred to NARA at the end of their mandatory
retention period. Please give the details of the process. For example, are paper records shredded
on site, or by a shredding company and accompanied by a certificate of destruction, etc.? This
question is related to privacy control DM-2, Data Retention and Disposal.
No physical (paper) records exist.
3.5 Does the system, where feasible, use techniques to minimize the risk to privacy by using PII
for research, testing, or training?
Organizations often use PII for testing new applications or information systems prior to deployment.
Organizations also use PII for research purposes and for training. These uses of PII increase the
risks associated with the unauthorized disclosure or misuse of the information. Please explain what
controls have been implemented to protect PII used for testing, training and research. This question
is related to privacy control DM-3, Minimization of PII Used in Testing, Training and Research.
Yes, this system only uses information that is already stored within VA. No research or testing will
be done using the VA Help Desk database. Only employees within the office will receive training on
the system. The system, nor its data, will not be utilized for training for any unauthorized employees.
3.6 PRIVACY IMPACT ASSESSMENT: Retention of information
Discuss the risks associated with the length of time data is retained and what steps, if any, are
currently being taken to mitigate those identified risks. (Work with your System ISSO to complete all
Privacy Risk questions inside the document this section).
While we understand that establishing retention periods for records is a formal process, there are
policy considerations behind how long a project keeps information. The longer a project retains