LIS

2009 Uncodified Acts

2009 Virginia Uncodified Acts
11/21/2024

CHAPTER 867

An Act to amend and reenact §§ 2.2-3800, 2.2-3801, as it is currently effective and as it shall become effective, and 2.2-3808, as it is currently effective and as it shall become effective, of the Code of Virginia and to amend and reenact the second and fourth enactments of Chapters 840 and 843 of the Acts of Assembly of 2008, relating to the Government Data Collection and Dissemination Practices Act; collection of social security numbers.

[H 2426]

Approved May 6, 2009

 

Be it enacted by the General Assembly of Virginia:

1.  That §§ 2.2-3800, 2.2-3801, as it is currently effective and as it shall become effective, and 2.2-3808, as it is currently effective and as it shall become effective, of the Code of Virginia are amended and reenacted as follows:

§ 2.2-3800. Short title; findings; principles of information practice.

A. This chapter may be cited as the "Government Data Collection and Dissemination Practices Act."

B. The General Assembly finds that:

1. An individual's privacy is directly affected by the extensive collection, maintenance, use and dissemination of personal information;

2. The increasing use of computers and sophisticated information technology has greatly magnified the harm that can occur from these practices;

3. An individual's opportunities to secure employment, insurance, credit, and his right to due process, and other legal protections are endangered by the misuse of certain of these personal information systems; and

4. In order to preserve the rights guaranteed a citizen in a free society, legislation is necessary to establish procedures to govern information systems containing records on individuals.

C. Recordkeeping agencies of the Commonwealth and political subdivisions shall adhere to the following principles of information practice to ensure safeguards for personal privacy:

1. There shall be no personal information system whose existence is secret.

2. Information shall not be collected unless the need for it has been clearly established in advance.

3. Information shall be appropriate and relevant to the purpose for which it has been collected.

4. Information shall not be obtained by fraudulent or unfair means.

5. Information shall not be used unless it is accurate and current.

6. There shall be a prescribed procedure for an individual to learn the purpose for which information has been recorded and particulars about its use and dissemination.

7. There shall be a clearly prescribed and uncomplicated procedure for an individual to correct, erase or amend inaccurate, obsolete or irrelevant information.

8. Any agency holding personal information shall assure its reliability and take precautions to prevent its misuse. On and after July 1, 2004, no agency shall display the social security number of a data subject on a student or employee identification card, except that for universities and colleges that have such a prevention plan for misuse of personal information in place on or before July 1, 2004, in compliance with this section, the date shall be January 1, 2005. On and after July 1, 2006, no agency shall display an individual's entire social security number on any student or employee identification card.

9. There shall be a clearly prescribed procedure to prevent personal information collected for one purpose from being used for another purpose.

10. The Commonwealth or any agency or political subdivision thereof shall not collect personal information except as explicitly or implicitly authorized by law.

D. After July 1, 2004, no agency, as defined in § 42.1-77, shall send or deliver or cause to be sent or delivered, any letter, envelope or package that displays a social security number on the face of the mailing envelope or package or from which a social security number is visible, whether on the outside or inside of the mailing envelope or package.

§ 2.2-3801. (Effective until July 1, 2009) Definitions.

As used in this chapter, unless the context requires a different meaning:

1. "Information system" means the total components and operations of a record-keeping process, including information collected or managed by means of computer networks and the Internet, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.

2. "Personal information" means all information that describes, locates or indexes anything about an individual including his real or personal property holdings derived from tax returns, and his education, financial transactions, medical history, ancestry, religion, political ideology, criminal or employment record, or that affords a basis for inferring personal characteristics, such as finger and voice prints, photographs, or things done by or to such individual; and the record of his presence, registration, or membership in an organization or activity, or admission to an institution. "Personal information" shall not include routine information maintained for the purpose of internal office administration whose use could not be such as to affect adversely any data subject nor does the term include real estate assessment information.

3. "Data subject" means an individual about whom personal information is indexed or may be located under his name, personal number, or other identifiable particulars, in an information system.

4. "Disseminate" means to release, transfer, or otherwise communicate information orally, in writing, or by electronic means.

5. "Purge" means to obliterate information completely from the transient, permanent, or archival records of an organization agency.

6. "Agency" means any agency, authority, board, department, division, commission, institution, bureau, or like governmental entity of the Commonwealth or of any unit of local government including counties, cities, towns, regional governments, and the departments thereof, and includes constitutional officers, except as otherwise expressly provided by law. "Agency" shall also include any entity, whether public or private, with which any of the foregoing has entered into a contractual relationship for the operation of a system of personal information to accomplish an agency function. Any such entity included in this definition by reason of a contractual relationship shall only be deemed an agency as relates to services performed pursuant to that contractual relationship, provided that if any such entity is a consumer reporting agency, it shall be deemed to have satisfied all of the requirements of this chapter if it fully complies with the requirements of the Federal Fair Credit Reporting Act as applicable to services performed pursuant to such contractual relationship.

§ 2.2-3801. (Effective July 1, 2009) Definitions.

As used in this chapter, unless the context requires a different meaning:

"Agency" means any agency, authority, board, department, division, commission, institution, bureau, or like governmental entity of the Commonwealth or of any unit of local government including counties, cities, towns, regional governments, and the departments thereof, and includes constitutional officers, except as otherwise expressly provided by law. "Agency" shall also include any entity, whether public or private, with which any of the foregoing has entered into a contractual relationship for the operation of a system of personal information to accomplish an agency function. Any such entity included in this definition by reason of a contractual relationship shall only be deemed an agency as relates to services performed pursuant to that contractual relationship, provided that if any such entity is a consumer reporting agency, it shall be deemed to have satisfied all of the requirements of this chapter if it fully complies with the requirements of the Federal Fair Credit Reporting Act as applicable to services performed pursuant to such contractual relationship.

"Data subject" means an individual about whom personal information is indexed or may be located under his name, personal number, or other identifiable particulars, in an information system.

"Disseminate" means to release, transfer, or otherwise communicate information orally, in writing, or by electronic means.

"Information system" means the total components and operations of a record-keeping process, including information collected or managed by means of computer networks and the Internet, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.

"Personal information" means all information that (i) describes, locates or indexes anything about an individual including, but not limited to, his social security number, driver's license number, agency-issued identification number, student identification number, real or personal property holdings derived from tax returns, and his education, financial transactions, medical history, ancestry, religion, political ideology, criminal or employment record, or (ii) affords a basis for inferring personal characteristics, such as finger and voice prints, photographs, or things done by or to such individual; and the record of his presence, registration, or membership in an organization or activity, or admission to an institution. "Personal information" shall not include routine information maintained for the purpose of internal office administration whose use could not be such as to affect adversely any data subject nor does the term include real estate assessment information.

"Purge" means to obliterate information completely from the transient, permanent, or archival records of an organization agency.

§ 2.2-3808. (Effective until July 1, 2009) Disclosure or display of social security number.

A. It shall be unlawful for any agency to require an individual to disclose or furnish his social security account number not previously disclosed or furnished, for any purpose in connection with any activity, or to refuse any service, privilege or right to an individual wholly or partly because the individual does not disclose or furnish such number, unless the disclosure or furnishing of such number is specifically required by federal or state law.

B. Agency-issued identification cards, student identification cards, or license certificates issued or replaced on or after July 1, 2003, shall not display an individual's entire social security number except as provided in § 46.2-703.

C. Any agency-issued identification card, student identification card, or license certificate that was issued prior to July 1, 2003, and that displays an individual's entire social security number shall be replaced no later than July 1, 2006, except that voter registration cards issued with a social security number and not previously replaced shall be replaced no later than the December 31st following the completion by the state and all localities of the decennial redistricting following the 2010 census. This subsection shall not apply to (i) driver's licenses and special identification cards issued by the Department of Motor Vehicles pursuant to Chapter 3 (§ 46.2-300 et seq.) of Title 46.2 and (ii) road tax registrations issued pursuant to § 46.2-703.

D. After July 1, 2004, no agency, as defined in § 42.1-77, shall send or deliver or cause to be sent or delivered, any letter, envelope, or package that displays a social security number on the face of the mailing envelope or package or from which a social security number is visible, whether on the outside or inside of the mailing envelope or package.

D. E. The provisions of subsections A and C of this section shall not be applicable to licenses issued by the State Corporation Commission's Bureau of Insurance until such time as a national insurance producer identification number has been created and implemented in all states. Commencing with the date of such implementation, the licenses issued by the State Corporation Commission's Bureau of Insurance shall be issued in compliance with subsection A of this section. Further, all licenses issued prior to the date of such implementation shall be replaced no later than 12 months following the date of such implementation.

§ 2.2-3808. (Effective July 1, 2009) Collection, disclosure, or display of social security number.

A. No agency shall require an individual to furnish or disclose his social security number or driver's license number unless the furnishing or disclosure of It shall be unlawful for any agency to:

1. Require an individual to disclose or furnish his social security number not previously disclosed or furnished, for any purpose in connection with any activity, or to refuse any service, privilege, or right to an individual wholly or partly because the individual does not disclose or furnish such number, unless the disclosure or furnishing of such number is specifically required by federal or state law; or

2. Collect from an individual his social security number or any portion thereof unless the collection of such number is (i) authorized or required by state or federal law and (ii) essential for the performance of that agency's duties.

Nor shall any agency require an individual to disclose or furnish his social security account number not previously disclosed or furnished, for any purpose in connection with any activity, or to refuse any service, privilege or right to an individual wholly or partly because the individual does not disclose or furnish such number, unless the disclosure or furnishing of such number is specifically required by federal or state law.

B. Agency-issued identification cards, student identification cards, or license certificates issued or replaced on or after July 1, 2003, shall not display an individual's entire social security number except as provided in § 46.2-703.

C. Any agency-issued identification card, student identification card, or license certificate that was issued prior to July 1, 2003, and that displays an individual's entire social security number shall be replaced no later than July 1, 2006, except that voter registration cards issued with a social security number and not previously replaced shall be replaced no later than the December 31st following the completion by the state and all localities of the decennial redistricting following the 2010 census. This subsection shall not apply to (i) driver's licenses and special identification cards issued by the Department of Motor Vehicles pursuant to Chapter 3 (§ 46.2-300 et seq.) of Title 46.2 and (ii) road tax registrations issued pursuant to § 46.2-703.

D. After July 1, 2004, no agency, as defined in § 42.1-77, shall send or deliver or cause to be sent or delivered, any letter, envelope, or package that displays a social security number on the face of the mailing envelope or package or from which a social security number is visible, whether on the outside or inside of the mailing envelope or package.

D. E. The provisions of subsections A and C shall not be applicable to licenses issued by the State Corporation Commission's Bureau of Insurance until such time as a national insurance producer identification number has been created and implemented in all states. Commencing with the date of such implementation, the licenses issued by the State Corporation Commission's Bureau of Insurance shall be issued in compliance with subsection A of this section. Further, all licenses issued prior to the date of such implementation shall be replaced no later than 12 months following the date of such implementation.

2. That the second and fourth enactments of Chapter 840 of the Acts of Assembly of 2008 are amended and reenacted as follows:

2. That the provisions of this act shall become effective on July 1, 2009 July 1, 2010, except that the third and fourth enactments of this act shall become effective on July 1, 2008.

4. That every county and city, and any town with a population in excess of 15,000 shall, no later than September 10, 2008, provide the Virginia Municipal League or the Virginia Association of Counties, as appropriate, information on a form agreed upon by the Virginia Municipal League, the Virginia Association of Counties and staff of the Freedom of Information Advisory Council and the Joint Commission on Technology and Science identifying (i) all state or federal statutes authorizing or requiring the collection of social security numbers by such county, city or town and (ii) instances where social security numbers are voluntarily collected or (iii) in the absence of statutory authority to collect social security numbers, written justification explaining why continued collection is essential to its transaction of public business.  In conducting such a review, each such county, city or town shall be encouraged to consider whether such collection and use is essential for its transaction of public business and to find alternative means of identifying individuals.  The information required by this enactment shall be submitted no later than October 1, 2008 to the chairmen of the Freedom of Information Advisory Council and the Joint Commission on Technology and Science, on forms developed by the Council and the Commission. The chairmen of the Council and the Commission may withhold from public disclosure any such lists or portions of lists as legislative working papers, if it is deemed that the public dissemination of such lists or portions of lists would cause a potential invasion of privacy.

3. That the second and fourth enactments of Chapter 843 of the Acts of Assembly of 2008 are amended and reenacted as follows:

2. That the provisions of this act shall become effective on July 1, 2009 July 1, 2010, except that the third and fourth enactments of this act shall become effective on July 1, 2008.

4.  That every county and city, and any town with a population in excess of 15,000 shall, no later than September 10, 2008, provide the Virginia Municipal League or the Virginia Association of Counties, as appropriate, information on a form agreed upon by the Virginia Municipal League, the Virginia Association of Counties and staff of the Freedom of Information Advisory Council and the Joint Commission on Technology and Science identifying (i) all state or federal statutes authorizing or requiring the collection of social security numbers by such county, city or town and (ii) instances where social security numbers are voluntarily collected or (iii) in the absence of statutory authority to collect social security numbers, written justification explaining why continued collection is essential to its transaction of public business. In conducting such a review, each such county, city or town shall be encouraged to consider whether such collection and use is essential for its transaction of public business and to find alternative means of identifying individuals. The information required by this enactment shall be submitted no later than October 1, 2008 to the chairmen of the Freedom of Information Advisory Council and the Joint Commission on Technology and Science, on forms developed by the Council and the Commission. The chairmen of the Council and the Commission may withhold from public disclosure any such lists or portions of lists as legislative working papers, if it is deemed that the public dissemination of such lists or portions of lists would cause a potential invasion of privacy.

4. That the provisions of the first enactment of this act shall become effective on July 1, 2010.

5. That an emergency exists and the second and third enactments of this act are in force from their passage.