SEARCH SITE

VIRGINIA LAW PORTAL

SEARCHABLE DATABASES

ACROSS SESSIONS

Developed and maintained by the Division of Legislative Automated Systems.

2019 SESSION


VIRGINIA ACTS OF ASSEMBLY -- CHAPTER
An Act to amend and reenact §§ 2.2-3803, 23.1-402, 37.2-712, and 66-25 of the Code of Virginia, relating to the Government Data Collection and Dissemination Practices Act; collection or dissemination of information concerning religious preferences and affiliations.
[H 2494]
Approved

 

Be it enacted by the General Assembly of Virginia:

1. That §§ 2.2-3803, 23.1-402, 37.2-712, and 66-25 of the Code of Virginia are amended and reenacted as follows:

§ 2.2-3803. Administration of systems including personal information; Internet privacy policy; exceptions.

A. Any agency maintaining an information system that includes personal information shall:

1. Collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency;

2. Collect information to the greatest extent feasible from the data subject directly, or through the sharing of data with other agencies, in order to accomplish a proper purpose of the agency;

3. Establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls;

4. Maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to ensure fairness in determinations relating to a data subject;

5. Make no dissemination to another system without (i) specifying requirements for security and usage including limitations on access thereto, and (ii) receiving reasonable assurances that those requirements and limitations will be observed. This subdivision shall not apply, however, to a dissemination made by an agency to an agency in another state, district or territory of the United States where the personal information is requested by the agency of such other state, district or territory in connection with the application of the data subject therein for a service, privilege or right under the laws thereof, nor shall this apply to information transmitted to family advocacy representatives of the United States Armed Forces in accordance with subsection N of § 63.2-1503;

6. Maintain a list of all persons or organizations having regular access to personal information in the information system;

7. Maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any persons or organizations not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained;

8. Take affirmative action to establish rules of conduct and inform each person involved in the design, development, operation, or maintenance of the system, or the collection or use of any personal information contained therein, about all the requirements of this chapter, the rules and procedures, including penalties for noncompliance, of the agency designed to assure compliance with such requirements;

9. Establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security; and

10. Collect no personal information concerning the political or religious beliefs, affiliations, and activities of data subjects that is maintained, used, or disseminated in or by any information system operated by any agency unless authorized explicitly by statute or ordinance. Nothing in this subdivision shall be construed to allow an agency to disseminate to federal government authorities information concerning the religious beliefs and affiliations of data subjects for the purpose of compiling a list, registry, or database of individuals based on religious affiliation, national origin, or ethnicity, unless such dissemination is specifically required by state or federal law.

B. Every public body, as defined in § 2.2-3701, that has an Internet website associated with that public body shall develop an Internet privacy policy and an Internet privacy policy statement that explains the policy to the public. The policy shall be consistent with the requirements of this chapter. The statement shall be made available on the public body's website in a conspicuous manner. The Secretary of Technology or his designee shall provide guidelines for developing the policy and the statement, and each public body shall tailor the policy and the statement to reflect the information practices of the individual public body. At minimum, the policy and the statement shall address (i) what information, including personally identifiable information, will be collected, if any; (ii) whether any information will be automatically collected simply by accessing the website and, if so, what information; (iii) whether the website automatically places a computer file, commonly referred to as a "cookie," on the Internet user's computer and, if so, for what purpose; and (iv) how the collected information is being used or will be used.

C. Notwithstanding the provisions of subsection A, the Virginia Retirement System may disseminate information as to the retirement status or benefit eligibility of any employee covered by the Virginia Retirement System, the Judicial Retirement System, the State Police Officers' Retirement System, or the Virginia Law Officers' Retirement System, to the chief executive officer or personnel officers of the state or local agency by which he is employed.

D. Notwithstanding the provisions of subsection A, the Department of Social Services may disseminate client information to the Department of Taxation for the purposes of providing specified tax information as set forth in clause (ii) of subsection C of § 58.1-3.

E. Notwithstanding the provisions of subsection A, the State Council of Higher Education for Virginia may disseminate student information to agencies acting on behalf or in place of the U.S. government to gain access to data on wages earned outside the Commonwealth or through federal employment, for the purposes of complying with § 23.1-204.1.

§ 23.1-402. Collection and dissemination of information concerning religious preferences and affiliations.

A. Notwithstanding any provision of law to the contrary, any public institution of higher education may collect and disseminate information concerning the religious preferences and affiliations of its students, provided that no such institution shall (i) require any student to indicate his religious preference or affiliation or (ii) disseminate such information without the student's consent.

B. No consent given pursuant to this section shall be construed to allow any public institution of higher education to disseminate to federal government authorities information concerning the religious preferences and affiliations of its students for the purpose of compiling a list, registry, or database of individuals based on religious affiliation, national origin, or ethnicity, unless such dissemination is specifically required by state or federal law.

§ 37.2-712. Collection and dissemination of information concerning religious preferences and affiliations.

A. Notwithstanding any provision of law to the contrary, any state facility may collect and disseminate information concerning the religious preferences and affiliations of individuals receiving services, provided that no individual may be required to indicate his religious preference or affiliation and that no dissemination of the information shall be made except to categories of persons as to whom the individual or his guardian or other legally authorized representative or other fiduciary has given his authorization that dissemination may be made.

B. No authorization given pursuant to this section shall be construed to allow any state facility to disseminate to federal government authorities information concerning the religious preferences and affiliations of individuals receiving services for the purpose of compiling a list, registry, or database of individuals based on religious affiliation, national origin, or ethnicity, unless such dissemination is specifically required by state or federal law.

§ 66-25. Collection of information concerning religious preferences by correctional facilities.

A. Notwithstanding any provision of law to the contrary, any correctional facility established pursuant to this chapter or Chapter 11 (§ 16.1-226 et seq.) of Title 16.1 may collect and disseminate information concerning the religious preferences and affiliations of persons committed to its custody. No person shall be required to indicate his religious preference or affiliation, and no dissemination of the information shall be made except to categories of persons designated by the person who has given his consent to such dissemination.

B. No consent given pursuant to this section shall be construed to allow any correctional facility established pursuant to this chapter or Chapter 11 (§ 16.1-226 et seq.) of Title 16.1 to disseminate to federal government authorities information concerning the religious preferences and affiliations of persons committed to its custody for the purpose of compiling a list, registry, or database of individuals based on religious affiliation, national origin, or ethnicity, unless such dissemination is specifically required by state or federal law.