Title 2.2. Administration of Government
Chapter 38. Government Data Collection and Dissemination Practices Act
§ 2.2-3800. Short title; findings; principles of information practice.
A. This chapter may be cited as the "Government Data Collection and Dissemination Practices Act."
B. The General Assembly finds that:
1. An individual's privacy is directly affected by the extensive collection, maintenance, use, and dissemination of personal information;
2. The increasing use of computers and sophisticated information technology has greatly magnified the harm that can occur from these practices;
3. An individual's opportunities to secure employment, insurance, credit, and his right to due process, and other legal protections are endangered by the misuse of certain of these personal information systems; and
4. In order to preserve the rights guaranteed a citizen in a free society, legislation is necessary to establish procedures to govern information systems containing records on individuals.
C. Recordkeeping agencies and political subdivisions of the Commonwealth shall adhere to the following principles of information practice to ensure safeguards for personal privacy:
1. There shall be no personal information system whose existence is secret.
2. Information shall not be collected unless the need for it has been clearly established in advance.
3. Information shall be appropriate and relevant to the purpose for which it has been collected.
4. Information shall not be obtained by fraudulent or unfair means.
5. Information shall not be used unless it is accurate and current.
6. There shall be a prescribed procedure for an individual to learn the purpose for which information has been recorded and particulars about its use and dissemination.
7. There shall be a clearly prescribed and uncomplicated procedure for an individual to correct, erase, or amend inaccurate, obsolete, or irrelevant information.
8. Any agency holding personal information shall assure its reliability and take precautions to prevent its misuse.
9. There shall be a clearly prescribed procedure to prevent personal information collected for one purpose from being used or disseminated for another purpose unless such use or dissemination is authorized or required by law.
10. No agency or political subdivision of the Commonwealth shall collect personal information except as explicitly or implicitly authorized by law.
11. No agency or political subdivision of the Commonwealth shall sell personal information.
12. Any agency or political subdivision of the Commonwealth shall disseminate personal information only:
a. To the extent necessary to comply with state or federal law, including the federal Health Insurance Portability and Accountability Act (42 U.S.C. § 1320d et seq.), as amended;
b. To the extent necessary to carry out the administration of a state or federal program pursuant to state or federal law;
c. To comply with a subpoena, court order, or administrative proceeding;
d. To the extent necessary to ensure fulfillment of the obligations of a purchase or contract made in accordance with the Virginia Public Procurement Act (§ 2.2-4300 et seq.) or a memorandum of understanding or management agreement made in accordance with the Restructured Higher Education Financial and Administrative Operations Act (§ 23.1-1000 et seq.);
e. When the data subject has given consent; or
f. To the extent necessary to accomplish a proper purpose of the agency.
1976, c. 597, §§ 2.1-377, 2.1-378; 1987, c. 506; 2001, c. 844; 2003, cc. 791, 914, 918, 927; 2009, cc. 849, 867; 2018, cc. 597, 679; 2026, c. 748.