§ 2.2-3803. Administration of systems including personal information; Internet privacy policy; exceptions.
A. Any agency maintaining an information system that includes personal information shall:
1. Collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency;
2. Collect information to the greatest extent feasible from the data subject directly;
3. Establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls;
4. Maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to ensure fairness in determinations relating to a data subject;
5. Make no dissemination to another system without (i) specifying requirements for security and usage including limitations on access thereto, and (ii) receiving reasonable assurances that those requirements and limitations will be observed. This subdivision shall not apply, however, to a dissemination made by an agency to an agency in another state, district or territory of the United States where the personal information is requested by the agency of such other state, district or territory in connection with the application of the data subject therein for a service, privilege or right under the laws thereof, nor shall this apply to information transmitted to family advocacy representatives of the United States Armed Forces in accordance with subsection N of § 63.2-1503;
6. Maintain a list of all persons or organizations having regular access to personal information in the information system;
7. Maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any persons or organizations not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained;
8. Take affirmative action to establish rules of conduct and inform each person involved in the design, development, operation, or maintenance of the system, or the collection or use of any personal information contained therein, about all the requirements of this chapter, the rules and procedures, including penalties for noncompliance, of the agency designed to assure compliance with such requirements;
9. Establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security; and
10. Collect no personal information concerning the political or religious beliefs, affiliations, and activities of data subjects that is maintained, used or disseminated in or by any information system operated by any agency unless authorized explicitly by statute or ordinance.
B. Every public body, as defined in § 2.2-3701, that has an Internet website associated with that public body shall develop an Internet privacy policy and an Internet privacy policy statement that explains the policy to the public. The policy shall be consistent with the requirements of this chapter. The statement shall be made available on the public body's website in a conspicuous manner. The Secretary of Technology or his designee shall provide guidelines for developing the policy and the statement, and each public body shall tailor the policy and the statement to reflect the information practices of the individual public body. At minimum, the policy and the statement shall address (i) what information, including personally identifiable information, will be collected, if any; (ii) whether any information will be automatically collected simply by accessing the website and, if so, what information; (iii) whether the website automatically places a computer file, commonly referred to as a "cookie," on the Internet user's computer and, if so, for what purpose; and (iv) how the collected information is being used or will be used.
C. Notwithstanding the provisions of subsection A, the Virginia Retirement System may disseminate information as to the retirement status or benefit eligibility of any employee covered by the Virginia Retirement System, the Judicial Retirement System, the State Police Officers' Retirement System, or the Virginia Law Officers' Retirement System, to the chief executive officer or personnel officers of the state or local agency by which he is employed.
D. Notwithstanding the provisions of subsection A, the Department of Social Services may disseminate client information to the Department of Taxation for the purposes of providing specified tax information as set forth in clause (ii) of subsection C of § 58.1-3.
(1976, c. 597, § 2.1-380; 1978, c. 409, § 2.1-384.1; 1989, c. 547; 2000, cc. 405, 500, 911; 2001, c. 844; 2002, c. 747; 2006, cc. 159, 590.)