Code of Virginia

Code of Virginia
7/21/2017

Government Data Collection and Dissemination Practices Act

§ 2.2-3800. Short title; findings; principles of information practice.

A. This chapter may be cited as the "Government Data Collection and Dissemination Practices Act."

B. The General Assembly finds that:

1. An individual's privacy is directly affected by the extensive collection, maintenance, use and dissemination of personal information;

2. The increasing use of computers and sophisticated information technology has greatly magnified the harm that can occur from these practices;

3. An individual's opportunities to secure employment, insurance, credit, and his right to due process, and other legal protections are endangered by the misuse of certain of these personal information systems; and

4. In order to preserve the rights guaranteed a citizen in a free society, legislation is necessary to establish procedures to govern information systems containing records on individuals.

C. Recordkeeping agencies of the Commonwealth and political subdivisions shall adhere to the following principles of information practice to ensure safeguards for personal privacy:

1. There shall be no personal information system whose existence is secret.

2. Information shall not be collected unless the need for it has been clearly established in advance.

3. Information shall be appropriate and relevant to the purpose for which it has been collected.

4. Information shall not be obtained by fraudulent or unfair means.

5. Information shall not be used unless it is accurate and current.

6. There shall be a prescribed procedure for an individual to learn the purpose for which information has been recorded and particulars about its use and dissemination.

7. There shall be a clearly prescribed and uncomplicated procedure for an individual to correct, erase or amend inaccurate, obsolete or irrelevant information.

8. Any agency holding personal information shall assure its reliability and take precautions to prevent its misuse.

9. There shall be a clearly prescribed procedure to prevent personal information collected for one purpose from being used for another purpose.

10. The Commonwealth or any agency or political subdivision thereof shall not collect personal information except as explicitly or implicitly authorized by law.

1976, c. 597, §§ 2.1-377, 2.1-378; 1987, c. 506; 2001, c. 844; 2003, cc. 791, 914, 918, 927; 2009, cc. 849, 867.

§ 2.2-3801. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Agency" means any agency, authority, board, department, division, commission, institution, bureau, or like governmental entity of the Commonwealth or of any unit of local government including counties, cities, towns, regional governments, and the departments thereof, and includes constitutional officers, except as otherwise expressly provided by law. "Agency" shall also include any entity, whether public or private, with which any of the foregoing has entered into a contractual relationship for the operation of a system of personal information to accomplish an agency function. Any such entity included in this definition by reason of a contractual relationship shall only be deemed an agency as relates to services performed pursuant to that contractual relationship, provided that if any such entity is a consumer reporting agency, it shall be deemed to have satisfied all of the requirements of this chapter if it fully complies with the requirements of the Federal Fair Credit Reporting Act as applicable to services performed pursuant to such contractual relationship.

"Data subject" means an individual about whom personal information is indexed or may be located under his name, personal number, or other identifiable particulars, in an information system.

"Disseminate" means to release, transfer, or otherwise communicate information orally, in writing, or by electronic means.

"Information system" means the total components and operations of a record-keeping process, including information collected or managed by means of computer networks and the Internet, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.

"Personal information" means all information that (i) describes, locates or indexes anything about an individual including, but not limited to, his social security number, driver's license number, agency-issued identification number, student identification number, real or personal property holdings derived from tax returns, and his education, financial transactions, medical history, ancestry, religion, political ideology, criminal or employment record, or (ii) affords a basis for inferring personal characteristics, such as finger and voice prints, photographs, or things done by or to such individual; and the record of his presence, registration, or membership in an organization or activity, or admission to an institution. "Personal information" shall not include routine information maintained for the purpose of internal office administration whose use could not be such as to affect adversely any data subject nor does the term include real estate assessment information.

"Purge" means to obliterate information completely from the transient, permanent, or archival records of an agency.

1976, c. 597, § 2.1-379; 1983, c. 372; 1999, c. 41; 2001, c. 844; 2003, c. 272; 2006, c. 474; 2008, cc. 840, 843; 2009, cc. 849, 867.

§ 2.2-3802. Systems to which chapter inapplicable.

The provisions of this chapter shall not apply to personal information systems:

1. Maintained by any court of the Commonwealth;

2. Which may exist in publications of general circulation;

3. Contained in the Criminal Justice Information System as defined in §§ 9.1-126 through 9.1-137 or in the Sex Offender and Crimes Against Minors Registry maintained by the Department of State Police pursuant to Chapter 9 (§ 9.1-900 et seq.) of Title 9.1, except to the extent that information is required to be posted on the Internet pursuant to § 9.1-913;

4. Contained in the Virginia Juvenile Justice Information System as defined in §§ 16.1-222 through 16.1-225;

5. Maintained by agencies concerning persons required by law to be licensed in the Commonwealth to engage in the practice of any profession, in which case the names and addresses of persons applying for or possessing the license may be disseminated upon written request to a person engaged in the profession or business of offering professional educational materials or courses for the sole purpose of providing the licensees or applicants for licenses with informational materials relating solely to available professional educational materials or courses, provided the disseminating agency is reasonably assured that the use of the information will be so limited;

6. (Effective until January 15, 2018) Maintained by the Parole Board, the Crime Commission, the Judicial Inquiry and Review Commission, the Virginia Racing Commission, and the Department of Alcoholic Beverage Control;

6. (Effective January 15, 2018) Maintained by the Parole Board, the Crime Commission, the Judicial Inquiry and Review Commission, the Virginia Racing Commission, and the Virginia Alcoholic Beverage Control Authority;

7. Maintained by any of the following and that deal with investigations and intelligence gathering related to criminal activity:

a. The Department of State Police;

b. The police department of the Chesapeake Bay Bridge and Tunnel Commission;

c. Police departments of cities, counties, and towns;

d. Sheriff's departments of counties and cities; and

e. Campus police departments of public institutions of higher education as established by Article 3 (§ 23.1-809 et seq.) of Chapter 8 of Title 23.1;

8. Maintained by local departments of social services regarding alleged cases of child abuse or neglect while such cases are also subject to an ongoing criminal prosecution;

9. Maintained by the Virginia Port Authority as provided in § 62.1-132.4 or 62.1-134.1;

10. Maintained by the Virginia Tourism Authority in connection with or as a result of the promotion of travel or tourism in the Commonwealth, in which case names and addresses of persons requesting information on those subjects may be disseminated upon written request to a person engaged in the business of providing travel services or distributing travel information, provided the Virginia Tourism Authority is reasonably assured that the use of the information will be so limited;

11. Maintained by the Division of Consolidated Laboratory Services of the Department of General Services and the Department of Forensic Science, which deal with scientific investigations relating to criminal activity or suspected criminal activity, except to the extent that § 9.1-1104 may apply;

12. Maintained by the Department of Corrections or the Office of the State Inspector General that deal with investigations and intelligence gathering by persons acting under the provisions of Chapter 3.2 (§ 2.2-307 et seq.);

13. Maintained by (i) the Office of the State Inspector General or internal audit departments of state agencies or institutions that deal with communications and investigations relating to the Fraud, Waste and Abuse Hotline or (ii) an auditor appointed by the local governing body of any county, city, or town or a school board that deals with local investigations required by § 15.2-2511.2;

14. Maintained by the Department of Social Services or any local department of social services relating to public assistance fraud investigations; and

15. Maintained by the Department of Social Services related to child welfare, adult services or adult protective services, or public assistance programs when requests for personal information are made to the Department of Social Services. Requests for information from these systems shall be made to the appropriate local department of social services, which is the custodian of that record. Notwithstanding the language in this section, an individual shall not be prohibited from obtaining information from the central registry in accordance with the provisions of § 63.2-1515.

1976, c. 597, § 2.1-384; 1979, c. 685; 1980, c. 752; 1981, cc. 461, 464, 504, 589; 1982, c. 225; 1983, c. 289; 1984, c. 750; 1986, c. 62; 1990, c. 825; 1992, c. 620; 1993, cc. 205, 963; 1996, cc. 154, 590, 598, 952; 2001, c. 844; 2003, c. 406; 2005, cc. 868, 881; 2006, cc. 196, 857, 914; 2009, c. 573; 2011, cc. 798, 871; 2012, cc. 229, 268; 2013, cc. 572, 690, 717, 723; 2015, cc. 38, 730; 2017, c. 702.

§ 2.2-3803. Administration of systems including personal information; Internet privacy policy; exceptions.

A. Any agency maintaining an information system that includes personal information shall:

1. Collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency;

2. Collect information to the greatest extent feasible from the data subject directly;

3. Establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls;

4. Maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to ensure fairness in determinations relating to a data subject;

5. Make no dissemination to another system without (i) specifying requirements for security and usage including limitations on access thereto, and (ii) receiving reasonable assurances that those requirements and limitations will be observed. This subdivision shall not apply, however, to a dissemination made by an agency to an agency in another state, district or territory of the United States where the personal information is requested by the agency of such other state, district or territory in connection with the application of the data subject therein for a service, privilege or right under the laws thereof, nor shall this apply to information transmitted to family advocacy representatives of the United States Armed Forces in accordance with subsection N of § 63.2-1503;

6. Maintain a list of all persons or organizations having regular access to personal information in the information system;

7. Maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any persons or organizations not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained;

8. Take affirmative action to establish rules of conduct and inform each person involved in the design, development, operation, or maintenance of the system, or the collection or use of any personal information contained therein, about all the requirements of this chapter, the rules and procedures, including penalties for noncompliance, of the agency designed to assure compliance with such requirements;

9. Establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security; and

10. Collect no personal information concerning the political or religious beliefs, affiliations, and activities of data subjects that is maintained, used or disseminated in or by any information system operated by any agency unless authorized explicitly by statute or ordinance.

B. Every public body, as defined in § 2.2-3701, that has an Internet website associated with that public body shall develop an Internet privacy policy and an Internet privacy policy statement that explains the policy to the public. The policy shall be consistent with the requirements of this chapter. The statement shall be made available on the public body's website in a conspicuous manner. The Secretary of Technology or his designee shall provide guidelines for developing the policy and the statement, and each public body shall tailor the policy and the statement to reflect the information practices of the individual public body. At minimum, the policy and the statement shall address (i) what information, including personally identifiable information, will be collected, if any; (ii) whether any information will be automatically collected simply by accessing the website and, if so, what information; (iii) whether the website automatically places a computer file, commonly referred to as a "cookie," on the Internet user's computer and, if so, for what purpose; and (iv) how the collected information is being used or will be used.

C. Notwithstanding the provisions of subsection A, the Virginia Retirement System may disseminate information as to the retirement status or benefit eligibility of any employee covered by the Virginia Retirement System, the Judicial Retirement System, the State Police Officers' Retirement System, or the Virginia Law Officers' Retirement System, to the chief executive officer or personnel officers of the state or local agency by which he is employed.

D. Notwithstanding the provisions of subsection A, the Department of Social Services may disseminate client information to the Department of Taxation for the purposes of providing specified tax information as set forth in clause (ii) of subsection C of § 58.1-3.

E. Notwithstanding the provisions of subsection A, the State Council of Higher Education for Virginia may disseminate student information to agencies acting on behalf or in place of the U.S. government to gain access to data on wages earned outside the Commonwealth or through federal employment, for the purposes of complying with § 23.1-204.1.

1976, c. 597, § 2.1-380; 1978, c. 409, § 2.1-384.1; 1989, c. 547; 2000, cc. 405, 500; 911; 2001, c. 844; 2002, c. 747; 2006, cc. 159, 590; 2017, c. 376.

§ 2.2-3804. Military recruiters to have access to student information, school buildings, etc.

If a public school board or public institution of higher education provides access to its buildings and grounds and the student information directory to persons or groups that make students aware of occupational or educational options, the board or institution shall provide access on the same basis to official recruiting representatives of the armed forces of the Commonwealth and the United States for the purpose of informing students of educational and career opportunities available in the armed forces.

1981, c. 377, § 2.1-380.1; 2001, c. 844.

§ 2.2-3805. Dissemination of reports.

Any agency maintaining an information system that disseminates statistical reports or research findings based on personal information drawn from its system, or from other systems shall:

1. Make available to any data subject or group, without revealing trade secrets, methodology and materials necessary to validate statistical analysis, and

2. Make no materials available for independent analysis without guarantees that no personal information will be used in any way that might prejudice judgments about any data subject.

1976, c. 597, § 2.1-381; 2001, c. 844.

§ 2.2-3806. Rights of data subjects.

A. Any agency maintaining personal information shall:

1. Inform an individual who is asked to supply personal information about himself whether he is legally required, or may refuse, to supply the information requested, and also of any specific consequences that are known to the agency of providing or not providing the information.

2. Give notice to a data subject of the possible dissemination of part or all of this information to another agency, nongovernmental organization or system not having regular access authority, and indicate the use for which it is intended, and the specific consequences for the individual, which are known to the agency, of providing or not providing the information. However documented permission for dissemination in the hands of the other agency or organization shall satisfy the requirement of this subdivision. The notice may be given on applications or other data collection forms prepared by data subjects.

3. Upon request and proper identification of any data subject, or of his authorized agent, grant the data subject or agent the right to inspect, in a form comprehensible to him:

a. All personal information about that data subject except as provided in subdivision 1 of § 2.2-3705.1, subdivision 1 of § 2.2-3705.4, and subdivision 1 of § 2.2-3705.5.

b. The nature of the sources of the information.

c. The names of recipients, other than those with regular access authority, of personal information about the data subject including the identity of all persons and organizations involved and their relationship to the system when not having regular access authority, except that if the recipient has obtained the information as part of an ongoing criminal investigation such that disclosure of the investigation would jeopardize law-enforcement action, then no disclosure of such access shall be made to the data subject.

4. Comply with the following minimum conditions of disclosure to data subjects:

a. An agency shall make disclosures to data subjects required under this chapter, during normal business hours, in accordance with the procedures set forth in subsections B and C of § 2.2-3704 for responding to requests under the Virginia Freedom of Information Act (§ 2.2-3700 et seq.) or within a time period as may be mutually agreed upon by the agency and the data subject.

b. The disclosures to data subjects required under this chapter shall be made (i) in person, if he appears in person and furnishes proper identification, or (ii) by mail, if he has made a written request, with proper identification. Copies of the documents containing the personal information sought by a data subject shall be furnished to him or his representative at reasonable charges for document search and duplication in accordance with subsection F of § 2.2-3704.

c. The data subject shall be permitted to be accompanied by a person of his choosing, who shall furnish reasonable identification. An agency may require the data subject to furnish a written statement granting the agency permission to discuss the individual's file in such person's presence.

5. If the data subject gives notice that he wishes to challenge, correct, or explain information about him in the information system, the following minimum procedures shall be followed:

a. The agency maintaining the information system shall investigate, and record the current status of that personal information.

b. If, after such investigation, the information is found to be incomplete, inaccurate, not pertinent, not timely, or not necessary to be retained, it shall be promptly corrected or purged.

c. If the investigation does not resolve the dispute, the data subject may file a statement of not more than 200 words setting forth his position.

d. Whenever a statement of dispute is filed, the agency maintaining the information system shall supply any previous recipient with a copy of the statement and, in any subsequent dissemination or use of the information in question, clearly note that it is disputed and supply the statement of the data subject along with the information.

e. The agency maintaining the information system shall clearly and conspicuously disclose to the data subject his rights to make such a request.

f. Following any correction or purging of personal information the agency shall furnish to past recipients notification that the item has been purged or corrected whose receipt shall be acknowledged.

B. Nothing in this chapter shall be construed to require an agency to disseminate any recommendation or letter of reference from or to a third party that is a part of the personnel file of any data subject nor to disseminate any test or examination used, administered or prepared by any public body for purposes of evaluation of (i) any student or any student's performance, (ii) any seeker's qualifications or aptitude for employment, retention, or promotion, or (iii) qualifications for any license or certificate issued by any public body.

As used in this subsection, "test or examination" includes (i) any scoring key for any such test or examination and (ii) any other document that would jeopardize the security of the test or examination. Nothing contained in this subsection shall prohibit the release of test scores or results as provided by law, or to limit access to individual records as provided by law; however, the subject of the employment tests shall be entitled to review and inspect all documents relative to his performance on those employment tests.

When, in the reasonable opinion of the public body, any such test or examination no longer has any potential for future use, and the security of future tests or examinations will not be jeopardized, the test or examination shall be made available to the public. Minimum competency tests administered to public school children shall be made available to the public contemporaneously with statewide release of the scores of those taking such tests, but in no event shall such tests be made available to the public later than six months after the administration of such tests.

C. Neither any provision of this chapter nor any provision of the Freedom of Information Act (§ 2.2-3700 et seq.) shall be construed to deny public access to records of the position, job classification, official salary or rate of pay of, and to records of the allowances or reimbursements for expenses paid to any public officer, official or employee at any level of state, local or regional government in the Commonwealth. The provisions of this subsection shall not apply to records of the official salaries or rates of pay of public employees whose annual rate of pay is $10,000 or less.

D. Nothing in this section or in this chapter shall be construed to require an agency to disseminate information derived from tax returns prohibited from release pursuant to § 58.1-3.

1976, c. 597, § 2.1-382; 1978, c. 810; 1979, cc. 683, 688, 689; 1983, c. 372; 1995, c. 400; 2001, c. 844; 2004, c. 690; 2007, c. 232; 2017, c. 778.

§ 2.2-3807. Agencies to report concerning systems operated or developed; publication of information.

Every agency shall make report of the existence of any information system that it operates or develops that shall include a description of the nature of the data in the system and purpose for which it is used. An inventory listing or similar display of the information shall be made available for inspection by the general public in the office of the head of each agency. Copies of the information shall be provided upon request and a fee shall be charged for them sufficient to cover the reasonable costs of reproduction.

1976, c. 597, § 2.1-383; 1977, c. 279; 1979, c. 683; 2001, c. 844.

§ 2.2-3808. Collection, disclosure, or display of social security number.

A. It shall be unlawful for any agency to:

1. Require an individual to disclose or furnish his social security number not previously disclosed or furnished, for any purpose in connection with any activity, or to refuse any service, privilege, or right to an individual wholly or partly because the individual does not disclose or furnish such number, unless the disclosure or furnishing of such number is specifically required by state law in effect prior to January 1, 1975, or is specifically authorized or required by federal law; or

2. Collect from an individual his social security number or any portion thereof unless the collection of such number is (i) authorized or required by state or federal law and (ii) essential for the performance of that agency's duties. Nothing in this subdivision shall be construed to prohibit the collection of a social security number for the sole purpose of complying with the Virginia Debt Collection Act (§ 2.2-4800 et seq.) or the Setoff Debt Collection Act (§ 58.1-520 et seq.).

B. Agency-issued identification cards, student identification cards, or license certificates issued or replaced on or after July 1, 2003, shall not display an individual's entire social security number except as provided in § 46.2-703.

C. Any agency-issued identification card, student identification card, or license certificate that was issued prior to July 1, 2003, and that displays an individual's entire social security number shall be replaced no later than July 1, 2006, except that voter registration cards issued with a social security number and not previously replaced shall be replaced no later than the December 31st following the completion by the state and all localities of the decennial redistricting following the 2010 census. This subsection shall not apply to (i) driver's licenses and special identification cards issued by the Department of Motor Vehicles pursuant to Chapter 3 (§ 46.2-300 et seq.) of Title 46.2 and (ii) road tax registrations issued pursuant to § 46.2-703.

D. No agency, as defined in § 42.1-77, shall send or deliver or cause to be sent or delivered, any letter, envelope, or package that displays a social security number on the face of the mailing envelope or package or from which a social security number is visible, whether on the outside or inside of the mailing envelope or package.

E. The provisions of subsections A and C shall not be applicable to licenses issued by the State Corporation Commission's Bureau of Insurance until such time as a national insurance producer identification number has been created and implemented in all states. Commencing with the date of such implementation, the licenses issued by the State Corporation Commission's Bureau of Insurance shall be issued in compliance with subsection A of this section. Further, all licenses issued prior to the date of such implementation shall be replaced no later than 12 months following the date of such implementation.

1976, c. 597, § 2.1-385; 2001, c. 844; 2003, c. 974; 2008, cc. 840, 843; 2009, cc. 849, 867; 2010, c. 749.

§ 2.2-3808.1. Agencies' disclosure of certain account information prohibited.

Notwithstanding Chapter 37 (§ 2.2-3700 et seq.) of this title, it shall be unlawful for any agency to disclose the social security number or other identification numbers appearing on driver's licenses or information on credit cards, debit cards, bank accounts, or other electronic billing and payment systems that was supplied to an agency for the purpose of paying fees, fines, taxes, or other charges collected by such agency. The prohibition shall not apply where disclosure of such information is required (i) to conduct or complete the transaction for which such information was submitted or (ii) by other law or court order.

2001, c. 415, § 2.1-385.1; 2007, cc. 548, 626.

§ 2.2-3808.2. Repealed.

Repealed by Acts 2007, cc. 548 and 626, cl. 5.

§ 2.2-3809. Injunctive relief; civil penalty; attorneys' fees.

Any aggrieved person may institute a proceeding for injunction or mandamus against any person or agency that has engaged, is engaged, or is about to engage in any acts or practices in violation of the provisions of this chapter. The proceeding shall be brought in the district or circuit court of any county or city where the aggrieved person resides or where the agency made defendant has a place of business.

In the case of any successful proceeding by an aggrieved party, the agency enjoined or made subject to a writ of mandamus by the court shall be liable for the costs of the action together with reasonable attorneys' fees as determined by the court.

In addition, if the court finds that a violation of subsection A of § 2.2-3808 was willfully and knowingly made by a specific public officer, appointee, or employee of any agency, the court may impose upon such individual a civil penalty of not less than $250 nor more than $1,000, which amount shall be paid into the State Literary Fund. For a second or subsequent violation, such civil penalty shall be not less than $1,000 nor more than $2,500. For a violation of subsection A of § 2.2-3808 by any agency, the court may impose a civil penalty of not less than $250 nor more than $1,000, which amount shall be paid into the State Literary Fund. For a second or subsequent violation, such civil penalty shall be not less than $1,000 nor more than $2,500.

1976, c. 597, § 2.1-386; 2001, c. 844; 2008, cc. 840, 843.

The chapters of the acts of assembly referenced in the historical citation at the end of these sections may not constitute a comprehensive list of such chapters and may exclude chapters whose provisions have expired.

The Virginia General Assembly is offering access to the Code of Virginia on the Internet as a service to the public. We are unable to assist users of this service with legal questions nor respond to requests for legal advice or the application of the law to specific facts. Therefore, to understand and protect your legal rights, you should consult an attorney.

The Code of Virginia online database excludes material copyrighted by the publisher, Michie, a division of Matthew Bender. Copyrighted material includes annotations and revisors' notes, which may be found in the print version of the Code of Virginia. Annotated print copies of the Code of Virginia are available in most Virginia public library systems, from LexisNexis (1-800-446-3410), and from West, a Thomson-Reuters business (1-800-344-5008).