Developed and maintained by the Division of Legislative Automated Systems.


Offered January 10, 2018
Prefiled January 9, 2018
A BILL to amend and reenact 2.2-3800, 2.2-3801, and 2.2-3803 of the Code of Virginia and to amend the Code of Virginia by adding a section numbered 2.2-225.2, relating to data collection and dissemination; governance.
Patrons-- Hanger, Barker, Carrico, Dunnavant, Edwards and Ebbin
Referred to Committee on General Laws and Technology

Be it enacted by the General Assembly of Virginia:

1. That 2.2-3800, 2.2-3801, and 2.2-3803 of the Code of Virginia are amended and reenacted and that the Code of Virginia is amended by adding a section numbered 2.2-225.2 as follows:

2.2-225.2. Office of Data Governance.

A. There is hereby established the Office of Data Governance in the office of the Secretary of Technology, consisting of a Director, appointed by the Secretary, and such additional staff deemed necessary by the Secretary or the Governor. The goal of the Office of Data Governance is to oversee the effective sharing of data among public entities while maintaining data integrity and security.

B. The Director shall:

1. Develop guidelines, subject to the approval of the Secretary, establishing business rules and best practices for the use of data in the Commonwealth. Such guidelines shall address, at a minimum, (i) the sharing of data between state agencies and political subdivisions and, when appropriate, private entities; (ii) data storage; (iii) data security; (iv) privacy; (v) compliance with federal law; and (vi) the de-identification of data for research purposes. Such guidelines shall be established in consultation with representatives from state agencies, public institutions of higher education, the State Council of Higher Education for Virginia, local government, and private industry;

2. Assist state and local public bodies and employees with the application of the Government Data Collection and Dissemination Practices Act ( 2.2-3800 et. seq.) and understanding the applicability of federal laws governing privacy and access to data to the data sharing practices of the Commonwealth;

3. Assist the Chief Information Officer of the Commonwealth with matters related to the creation, storage, and dissemination of data upon request; and

4. Encourage and coordinate efforts of agencies across multiple secretariats to access data in an effort to improve the efficiency and efficacy of services, improve outcomes, and assist in policy making and decision making.

2.2-3800. Short title; findings; principles of information practice.

A. This chapter may be cited as the "Government Data Collection and Dissemination Practices Act."

B. The General Assembly finds that:

1. An individual's privacy is directly affected by the extensive collection, maintenance, use and dissemination of personal information;

2. The increasing use of computers and sophisticated information technology has greatly magnified the harm that can occur from these practices;

3. An individual's opportunities to secure employment, insurance, credit, and his right to due process, and other legal protections are endangered by the misuse of certain of these personal information systems; and

4. In order to preserve the rights guaranteed a citizen in a free society, legislation is necessary to establish procedures to govern information systems containing records on individuals.

C. Recordkeeping agencies of the Commonwealth and political subdivisions shall adhere to the following principles of information practice to ensure safeguards for personal privacy:

1. There shall be no personal information system whose existence is secret.

2. Information shall not be collected unless the need for it has been clearly established in advance.

3. Information shall be appropriate and relevant to the purpose for which it has been collected.

4. Information shall not be obtained by fraudulent or unfair means.

5. Information shall not be used unless it is accurate and current.

6. There shall be a prescribed procedure for an individual to learn the purpose for which information has been recorded and particulars about its use and dissemination.

7. There shall be a clearly prescribed and uncomplicated procedure for an individual to correct, erase or amend inaccurate, obsolete or irrelevant information.

8. Any agency holding personal information shall assure its reliability and take precautions to prevent its misuse.

9. There shall be a clearly prescribed procedure to prevent personal information collected for one purpose from being used or disseminated for another purpose unless such use or dissemination is authorized or required by law.

10. The Commonwealth or any agency or political subdivision thereof shall not collect personal information except as explicitly or implicitly authorized by law.

2.2-3801. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Agency" means any agency, authority, board, department, division, commission, institution, bureau, or like governmental entity of the Commonwealth or of any unit of local government including counties, cities, towns, regional governments, and the departments thereof, and includes constitutional officers, except as otherwise expressly provided by law. "Agency" shall also include any entity, whether public or private, with which any of the foregoing has entered into a contractual relationship for the operation of a system of personal information to accomplish an agency function. Any such entity included in this definition by reason of a contractual relationship shall only be deemed an agency as relates to services performed pursuant to that contractual relationship, provided that if any such entity is a consumer reporting agency, it shall be deemed to have satisfied all of the requirements of this chapter if it fully complies with the requirements of the Federal Fair Credit Reporting Act as applicable to services performed pursuant to such contractual relationship.

"Data subject" means an individual about whom personal information is indexed or may be located under his name, personal number, or other identifiable particulars, in an information system.

"Disseminate" means to release, transfer, or otherwise communicate information orally, in writing, or by electronic means.

"Information system" means the total components and operations of a record-keeping process, including information collected or managed by means of computer networks and the Internet, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.

"Personal information" means all information that (i) describes, locates or indexes anything about an individual including, but not limited to, his social security number, driver's license number, agency-issued identification number, student identification number, real or personal property holdings derived from tax returns, and his education, financial transactions, medical history, ancestry, religion, political ideology, criminal or employment record, or (ii) affords a basis for inferring personal characteristics, such as finger and voice prints, photographs, or things done by or to such individual; and the record of his presence, registration, or membership in an organization or activity, or admission to an institution. "Personal information" shall not include routine information maintained for the purpose of internal office administration whose use could not be such as to affect adversely any data subject nor does the term include real estate assessment information.

"Proper purpose" includes the sharing or dissemination of data or information among and between agencies in order to (i) streamline administrative processes to improve the efficiency and efficacy of services, access to services, eligibility determinations for services, and service delivery; (ii) reduce paperwork and administrative burdens on applicants for and recipients of public services; (iii) improve the efficiency and efficacy of the management of public programs; (iv) prevent fraud and improve auditing capabilities; (v) conduct outcomes-related research; (vi) develop quantifiable data to aid in policy development and decision making to promote the most efficient and effective use of resources; and (vii) perform data analytics regarding any of the purposes set forth in this definition.

"Purge" means to obliterate information completely from the transient, permanent, or archival records of an agency.

2.2-3803. Administration of systems including personal information; Internet privacy policy; exceptions.

A. Any agency maintaining an information system that includes personal information shall:

1. Collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency;

2. Collect information to the greatest extent feasible from the data subject directly, or through the sharing of data with other agencies, in order to accomplish a proper purpose of the agency;

3. Establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls;

4. Maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to ensure fairness in determinations relating to a data subject;

5. Make no dissemination to another system without (i) specifying requirements for security and usage including limitations on access thereto, and (ii) receiving reasonable assurances that those requirements and limitations will be observed. This subdivision shall not apply, however, to a dissemination made by an agency to an agency in another state, district or territory of the United States where the personal information is requested by the agency of such other state, district or territory in connection with the application of the data subject therein for a service, privilege or right under the laws thereof, nor shall this apply to information transmitted to family advocacy representatives of the United States Armed Forces in accordance with subsection N of 63.2-1503;

6. Maintain a list of all persons or organizations having regular access to personal information in the information system;

7. Maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any persons or organizations not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained;

8. Take affirmative action to establish rules of conduct and inform each person involved in the design, development, operation, or maintenance of the system, or the collection or use of any personal information contained therein, about all the requirements of this chapter, the rules and procedures, including penalties for noncompliance, of the agency designed to assure compliance with such requirements;

9. Establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security; and

10. Collect no personal information concerning the political or religious beliefs, affiliations, and activities of data subjects that is maintained, used or disseminated in or by any information system operated by any agency unless authorized explicitly by statute or ordinance.

B. Every public body, as defined in 2.2-3701, that has an Internet website associated with that public body shall develop an Internet privacy policy and an Internet privacy policy statement that explains the policy to the public. The policy shall be consistent with the requirements of this chapter. The statement shall be made available on the public body's website in a conspicuous manner. The Secretary of Technology or his designee shall provide guidelines for developing the policy and the statement, and each public body shall tailor the policy and the statement to reflect the information practices of the individual public body. At minimum, the policy and the statement shall address (i) what information, including personally identifiable information, will be collected, if any; (ii) whether any information will be automatically collected simply by accessing the website and, if so, what information; (iii) whether the website automatically places a computer file, commonly referred to as a "cookie," on the Internet user's computer and, if so, for what purpose; and (iv) how the collected information is being used or will be used.

C. Notwithstanding the provisions of subsection A, the Virginia Retirement System may disseminate information as to the retirement status or benefit eligibility of any employee covered by the Virginia Retirement System, the Judicial Retirement System, the State Police Officers' Retirement System, or the Virginia Law Officers' Retirement System, to the chief executive officer or personnel officers of the state or local agency by which he is employed.

D. Notwithstanding the provisions of subsection A, the Department of Social Services may disseminate client information to the Department of Taxation for the purposes of providing specified tax information as set forth in clause (ii) of subsection C of 58.1-3.

E. Notwithstanding the provisions of subsection A, the State Council of Higher Education for Virginia may disseminate student information to agencies acting on behalf or in place of the U.S. government to gain access to data on wages earned outside the Commonwealth or through federal employment, for the purposes of complying with 23.1-204.1.