Developed and maintained by the Division of Legislative Automated Systems.


(Proposed by the Senate Committee on General Laws
on February 5, 2018)
(Patrons Prior to Substitute--Senators Hanger, Edwards [SB 459], Dunnavant [SB 719], and Barker [SB 830])
A BILL to amend and reenact 2.2-3800, 2.2-3801, and 2.2-3803 of the Code of Virginia and to amend the Code of Virginia by adding in Article 2 of Chapter 2 of Title 2.2 as section numbered 2.2-203.2:4, relating to data collection and dissemination; governance.

Be it enacted by the General Assembly of Virginia:

1. That 2.2-3800, 2.2-3801, and 2.2-3803 of the Code of Virginia are amended and reenacted and that the Code of Virginia is amended by adding in Article 2 of Chapter 2 of Title 2.2 a section numbered 2.2-203.2:4 as follows:

2.2-203.2:4. Chief Data Officer; position created.

A. As used in this section, "open data" means data that is collected by an agency that is not prohibited from being made available to the public by applicable laws or regulations or other restrictions, requirements, or rights associated with such data.

B. There is created in the Office of the Governor the position of Chief Data Officer of the Commonwealth to coordinate and oversee the effective sharing of data among state, regional, and local public entities and public institutions of higher education and to implement effective data governance strategies to maintain data integrity and security and promote access to open data.

C. The Chief Data Officer shall:

1. Establish business rules, guidelines, and best practices for the use of data, including open data, in the Commonwealth. Such rules, guidelines, and best practices shall address, at a minimum, (i) the sharing of data between state, regional, and local public entities and public institutions of higher education, and, when appropriate, private entities; (ii) data storage; (iii) data security; (iv) privacy; (v) compliance with federal law; (vi) the de-identification of data for research purposes; and (vii) the appropriate access to and presentation of open data and datasets to the public;

2. Assist state, regional, and local public entities, public institutions of higher education, and employees thereof, with the application of the Government Data Collection and Dissemination Practices Act ( 2.2-3800 et. seq.) and understanding the applicability of federal laws governing privacy and access to data to the data sharing practices of the Commonwealth;

3. Assist the Chief Information Officer of the Commonwealth with matters related to the creation, storage, and dissemination of data upon request;

4. Encourage and coordinate efforts of state, regional, and local public entities and public institutions of higher education to access and share data, including open data, across all levels of government in an effort to improve the efficiency and efficacy of services, improve outcomes, and promote data-driven policy making, decision making, research, and analysis; and

5. Oversee the implementation of a website dedicated to (i) hosting open data from state, regional, and local public entities and public institutions of higher education and (ii) providing links to any other additional open data websites in the Commonwealth.

2.2-3800. Short title; findings; principles of information practice.

A. This chapter may be cited as the "Government Data Collection and Dissemination Practices Act."

B. The General Assembly finds that:

1. An individual's privacy is directly affected by the extensive collection, maintenance, use and dissemination of personal information;

2. The increasing use of computers and sophisticated information technology has greatly magnified the harm that can occur from these practices;

3. An individual's opportunities to secure employment, insurance, credit, and his right to due process, and other legal protections are endangered by the misuse of certain of these personal information systems; and

4. In order to preserve the rights guaranteed a citizen in a free society, legislation is necessary to establish procedures to govern information systems containing records on individuals.

C. Recordkeeping agencies of the Commonwealth and political subdivisions shall adhere to the following principles of information practice to ensure safeguards for personal privacy:

1. There shall be no personal information system whose existence is secret.

2. Information shall not be collected unless the need for it has been clearly established in advance.

3. Information shall be appropriate and relevant to the purpose for which it has been collected.

4. Information shall not be obtained by fraudulent or unfair means.

5. Information shall not be used unless it is accurate and current.

6. There shall be a prescribed procedure for an individual to learn the purpose for which information has been recorded and particulars about its use and dissemination.

7. There shall be a clearly prescribed and uncomplicated procedure for an individual to correct, erase or amend inaccurate, obsolete or irrelevant information.

8. Any agency holding personal information shall assure its reliability and take precautions to prevent its misuse.

9. There shall be a clearly prescribed procedure to prevent personal information collected for one purpose from being used or disseminated for another purpose unless such use or dissemination is authorized or required by law.

10. The Commonwealth or any agency or political subdivision thereof shall not collect personal information except as explicitly or implicitly authorized by law.

2.2-3801. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Agency" means any agency, authority, board, department, division, commission, institution, bureau, or like governmental entity of the Commonwealth or of any unit of local government including counties, cities, towns, regional governments, and the departments thereof, and includes constitutional officers, except as otherwise expressly provided by law. "Agency" shall also include any entity, whether public or private, with which any of the foregoing has entered into a contractual relationship for the operation of a system of personal information to accomplish an agency function. Any such entity included in this definition by reason of a contractual relationship shall only be deemed an agency as relates to services performed pursuant to that contractual relationship, provided that if any such entity is a consumer reporting agency, it shall be deemed to have satisfied all of the requirements of this chapter if it fully complies with the requirements of the Federal Fair Credit Reporting Act as applicable to services performed pursuant to such contractual relationship.

"Data subject" means an individual about whom personal information is indexed or may be located under his name, personal number, or other identifiable particulars, in an information system.

"Disseminate" means to release, transfer, or otherwise communicate information orally, in writing, or by electronic means.

"Information system" means the total components and operations of a record-keeping process, including information collected or managed by means of computer networks and the Internet, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.

"Personal information" means all information that (i) describes, locates or indexes anything about an individual including, but not limited to, his social security number, driver's license number, agency-issued identification number, student identification number, real or personal property holdings derived from tax returns, and his education, financial transactions, medical history, ancestry, religion, political ideology, criminal or employment record, or (ii) affords a basis for inferring personal characteristics, such as finger and voice prints, photographs, or things done by or to such individual; and the record of his presence, registration, or membership in an organization or activity, or admission to an institution. "Personal information" shall not include routine information maintained for the purpose of internal office administration whose use could not be such as to affect adversely any data subject nor does the term include real estate assessment information.

"Proper purpose" includes the sharing or dissemination of data or information among and between agencies in order to (i) streamline administrative processes to improve the efficiency and efficacy of services, access to services, eligibility determinations for services, and service delivery; (ii) reduce paperwork and administrative burdens on applicants for and recipients of public services; (iii) improve the efficiency and efficacy of the management of public programs; (iv) prevent fraud and improve auditing capabilities; (v) conduct outcomes-related research; (vi) develop quantifiable data to aid in policy development and decision making to promote the most efficient and effective use of resources; and (vii) perform data analytics regarding any of the purposes set forth in this definition.

"Purge" means to obliterate information completely from the transient, permanent, or archival records of an agency.

2.2-3803. Administration of systems including personal information; Internet privacy policy; exceptions.

A. Any agency maintaining an information system that includes personal information shall:

1. Collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency;

2. Collect information to the greatest extent feasible from the data subject directly, or through the sharing of data with other agencies, in order to accomplish a proper purpose of the agency;

3. Establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls;

4. Maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to ensure fairness in determinations relating to a data subject;

5. Make no dissemination to another system without (i) specifying requirements for security and usage including limitations on access thereto, and (ii) receiving reasonable assurances that those requirements and limitations will be observed. This subdivision shall not apply, however, to a dissemination made by an agency to an agency in another state, district or territory of the United States where the personal information is requested by the agency of such other state, district or territory in connection with the application of the data subject therein for a service, privilege or right under the laws thereof, nor shall this apply to information transmitted to family advocacy representatives of the United States Armed Forces in accordance with subsection N of 63.2-1503;

6. Maintain a list of all persons or organizations having regular access to personal information in the information system;

7. Maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any persons or organizations not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained;

8. Take affirmative action to establish rules of conduct and inform each person involved in the design, development, operation, or maintenance of the system, or the collection or use of any personal information contained therein, about all the requirements of this chapter, the rules and procedures, including penalties for noncompliance, of the agency designed to assure compliance with such requirements;

9. Establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security; and

10. Collect no personal information concerning the political or religious beliefs, affiliations, and activities of data subjects that is maintained, used or disseminated in or by any information system operated by any agency unless authorized explicitly by statute or ordinance.

B. Every public body, as defined in 2.2-3701, that has an Internet website associated with that public body shall develop an Internet privacy policy and an Internet privacy policy statement that explains the policy to the public. The policy shall be consistent with the requirements of this chapter. The statement shall be made available on the public body's website in a conspicuous manner. The Secretary of Technology or his designee shall provide guidelines for developing the policy and the statement, and each public body shall tailor the policy and the statement to reflect the information practices of the individual public body. At minimum, the policy and the statement shall address (i) what information, including personally identifiable information, will be collected, if any; (ii) whether any information will be automatically collected simply by accessing the website and, if so, what information; (iii) whether the website automatically places a computer file, commonly referred to as a "cookie," on the Internet user's computer and, if so, for what purpose; and (iv) how the collected information is being used or will be used.

C. Notwithstanding the provisions of subsection A, the Virginia Retirement System may disseminate information as to the retirement status or benefit eligibility of any employee covered by the Virginia Retirement System, the Judicial Retirement System, the State Police Officers' Retirement System, or the Virginia Law Officers' Retirement System, to the chief executive officer or personnel officers of the state or local agency by which he is employed.

D. Notwithstanding the provisions of subsection A, the Department of Social Services may disseminate client information to the Department of Taxation for the purposes of providing specified tax information as set forth in clause (ii) of subsection C of 58.1-3.

E. Notwithstanding the provisions of subsection A, the State Council of Higher Education for Virginia may disseminate student information to agencies acting on behalf or in place of the U.S. government to gain access to data on wages earned outside the Commonwealth or through federal employment, for the purposes of complying with 23.1-204.1.

2. That a Data Sharing and Analytics Advisory Committee (the Advisory Committee) is hereby created to advise the Chief Data Officer of the Commonwealth in the establishment of the initial business rules, guidelines, and best practices required pursuant to 2.2-203.2:4 of the Code of Virginia, as created by this act. The Advisory Committee shall have a total membership of 15 that shall consist of five legislative members, seven nonlegislative citizen members, and three ex officio members. Members shall be appointed as follows: three members of the House of Delegates, to be appointed by the Speaker of the House of Delegates in accordance with the principles of proportional representation contained in the Rules of the House of Delegates; two members of the Senate, to be appointed by the Senate Committee on Rules; one representative of a public institution of higher education in the Commonwealth with expertise in data analytics and governance, to be appointed by the Governor; one nonlegislative citizen member with an expertise in data security, to be appointed by the Governor; the Attorney General of the Commonwealth or his designee; the director of the Virginia Municipal League or his designee; the director of the Virginia Association of Counties or his designee; the director of the Joint Legislative Audit and Review Commission or his designee; and an employee of the State Council of Higher Education for Virginia (SCHEV) with expertise in data sharing, to be appointed by the director of SCHEV. The Secretaries of Health and Human Resources, Public Safety and Homeland Security, and Administration shall serve ex officio with voting privileges. Nonlegislative citizen members of the Advisory Committee shall be citizens of the Commonwealth. Members shall serve without compensation. The Advisory Committee shall recommend to the Governor and the General Assembly, no later than October 1, 2018, a permanent governance structure for data sharing and analytics in the Commonwealth.

3. That the provisions of the second enactment of this act shall expire on June 30, 2019.

4. That the Chief Data Officer of the Commonwealth, in cooperation with the Data Sharing and Analytics Advisory Committee, shall focus his initial efforts on developing a project for the sharing, analysis, and dissemination among and between state, regional, and local agencies of data related to substance abuse, with a focus on opioid addiction and abuse. To the fullest extent allowed by federal law, and notwithstanding any state law to the contrary, all agencies set forth in subsection A of 2.2-212 and subsection A of 2.2-221 of the Code of Virginia, any community services board, any local law-enforcement agency, and any other health and human services-related entity of a political subdivision that receives any state funds shall share data relevant to the prevention or treatment of substance abuse, with a focus on prevention and treatment of opioid addiction and abuse. Such entities shall share data with the Chief Data Officer and directly with other entities listed herein when appropriate. The Chief Data Officer may also request data and information from any private source deemed relevant to the analysis and shall be encouraged to enter into public-private partnerships and enter into agreements with public institutions of higher education in the Commonwealth to conduct data analytics related to the project. The Chief Data Officer shall report to the Governor and the General Assembly no later than October 1, 2019, regarding the project. Such report shall include, at a minimum, the identification of the categories and sources of information provided for the project; areas of improved service delivery resulting from the sharing of data; trends or metrics relevant to the prevention and treatment of substance abuse, with a focus on opioid addiction and abuse, that have emerged from the sharing and analysis of the data; cost savings and efficiencies that have been identified or achieved through improved service identification and delivery; any legal or policy hindrances preventing the sharing of data; and any policy recommendations regarding substance abuse treatment and prevention, with a focus on opioid addiction and abuse, or regarding data sharing generally identified as the result of the project.