Staging Review finding: Include guidance on privacy masking for sensitive prefilled content.

[shiragoodman]

Need help? Please review how to read a Staging Review ticket. Tag @platform-governance-team-members on Slack if you need further assistance.

Design System Staging Information

Component: Help users to... Know when their information is prefilled
Staging Review ticket: AEDP, Design Patterns, Help users to... Know when their information is prefilled

Findings details

VA.gov Experience Standard - issue: User doesn't have enough information to complete a task.
VA.gov Experience Standard - category: Comprehension
This is an issue with the: guidance
High-priority: No
Collab Cycle Reviewer: @briandeconinck (Accessibility)

Description

In the Personal information page anatomy section, the Veteran's Social Security number is displayed with the first five digits masked. I don't think we have anywhere in the design system that currently tells VFS teams how to mask digits like this in an accessible way, and this feels to me like an appropriate place to do it.

Recommended action

Up to you to decide where this should be inserted --- I'm thinking possibly in the still pending Code Usage section or in a standalone Accessibility Considerations section (example of an Accessibility Considerations section), but you obviously know where it should go.

When masking characters, what we definitely don't want is screen reader software reading "Social Security Number: star star star dash star star dash 1234." The visible text with masked values should be wrapped in a <span aria-hidden="true"> (this tells screen readers to ignore it), and then followed immediately by something like <span class="sr-only">Number ending in 1234</span> (this tells screen readers what to announce instead).

I would also encourage you to work with CAIA to establish guidance on what kinds of data should/shouldn't be masked for privacy, and include that here as well. But at a minimum I think the code guidance would be a huge benefit.

References

• Accessibility Defect Severity: 3: Medium. Should be fixed in 1-3 sprints post-launch.
• WCAG Success Criteria: N/A
• Modality: Screen reader
• Design System Pattern or Template: N/A
• Design System Foundation: N/A
• Content Style Guide: N/A
• Context: N/A

---

Next Steps for DST

• Close the ticket when the issue has been resolved or validated by your Product Owner
• If your team has additional questions or needs Governance help validating the issue, please comment on the ticket
• If this ticket has a high-priority label, please address as soon as possible so VFS teams are not impacted
• If this ticket has a consider label, please consider for future implementation

[msbtterswrth]

We are tracking this update in this task in our team repo.

[msbtterswrth]

I chatted with Matt Dingee about this a bit, and we think that putting this guidance in the prefill pattern page doesn't make sense. We'll instead make a recommendation and open a PR to update the existing Social Security number pattern.

[shiragoodman]

@briandeconinck FYI