SB670: Government Data Collection and Dissemination Practices Act; limitation on personal information.

SENATE BILL NO. 670

Offered January 20, 2014
A BILL to amend and reenact §§ 2.2-3800, 2.2-3801, 2.2-3802, and 52-48 of the Code of Virginia, relating to the Government Data Collection and Dissemination Practices Act; passive collection and use of personal information by law enforcement agencies.
Patrons-- Petersen and Garrett

Unanimous consent to introduce

Referred to Committee on General Laws and Technology

Be it enacted by the General Assembly of Virginia:

1. That §§ 2.2-3800, 2.2-3801, 2.2-3802, and 52-48 of the Code of Virginia is amended and reenacted as follows:

§ 2.2-3800. Short title; findings; principles of information practice.

A. This chapter may be cited as the "Government Data Collection and Dissemination Practices Act."

B. The General Assembly finds that:

1. An individual's privacy is directly affected by the extensive collection, maintenance, use and dissemination of personal information;

2. The increasing use of computers and sophisticated information technology has greatly magnified the harm that can occur from these practices;

3. An individual's opportunities to secure employment, insurance, credit, and his right to due process, and other legal protections are endangered by the misuse of certain of these personal information systems; and

4. In order to preserve the rights guaranteed a citizen in a free society, legislation is necessary to establish procedures to govern information systems containing records on individuals.

C. Recordkeeping agencies of the Commonwealth and political subdivisions shall adhere to the following principles of information practice to ensure safeguards for personal privacy:

1. There shall be no personal information system whose existence is secret.

2. Information shall not be collected unless the need for it has been clearly established in advance.

3. Information shall be appropriate and relevant to the purpose for which it has been collected.

4. Information shall not be obtained by fraudulent or unfair means.

5. Information shall not be used unless it is accurate and current.

6. There shall be a prescribed procedure for an individual to learn the purpose for which information has been recorded and particulars about its use and dissemination.

7. There shall be a clearly prescribed and uncomplicated procedure for an individual to correct, erase or amend inaccurate, obsolete or irrelevant information.

8. Any agency holding personal information shall assure its reliability and take precautions to prevent its misuse.

9. There shall be a clearly prescribed procedure to prevent personal information collected for one purpose from being used for another purpose.

10. The Commonwealth or any agency or political subdivision thereof shall not collect personal information except as explicitly or implicitly authorized by law.

11. Unless a criminal or administrative warrant has been issued, law-enforcement and regulatory agencies shall not use any technology to collect or maintain personal information in a passive manner where such data is of unknown relevance and is not intended for prompt evaluation and potential use respecting suspected criminal activity or terrorism by any individual or organization.

§ 2.2-3801. Definitions.

As used in this chapter, unless the context requires a different meaning:

"Agency" means any agency, authority, board, department, division, commission, institution, bureau, or like governmental entity of the Commonwealth or of any unit of local government including counties, cities, towns, regional governments, and the departments thereof, and includes constitutional officers, except as otherwise expressly provided by law. "Agency" shall also include any entity, whether public or private, with which any of the foregoing has entered into a contractual relationship for the operation of a system of personal information to accomplish an agency function. Any such entity included in this definition by reason of a contractual relationship shall only be deemed an agency as relates to services performed pursuant to that contractual relationship, provided that if any such entity is a consumer reporting agency, it shall be deemed to have satisfied all of the requirements of this chapter if it fully complies with the requirements of the Federal Fair Credit Reporting Act as applicable to services performed pursuant to such contractual relationship.

"Data subject" means an individual about whom personal information is indexed or may be located under his name, personal number, or other identifiable particulars, in an information system.

"Disseminate" means to release, transfer, or otherwise communicate information orally, in writing, or by electronic means.

"Information system" means the total components and operations of a record-keeping process, including information collected or managed by means of computer networks and the Internet, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.

"Personal information" means all information that (i) describes, locates or indexes anything about an individual, including, but not limited to, his social security number, driver's license number, vehicle license plate number, agency-issued identification number, student identification number, real or personal property holdings derived from tax returns, and his education, financial transactions, medical history, ancestry, religion, political ideology, criminal or employment record, or (ii) affords a basis for inferring personal characteristics, such as finger and voice prints, photographs, or things done by or to such individual;, and the record of his presence, registration, or membership in an organization or activity, presence at any place, or admission to an institution. "Personal information" shall does not include routine information maintained for the purpose of internal office administration whose use could not be such as to affect adversely any data subject, nor does the term include real estate assessment information.

"Purge" means to obliterate information completely from the transient, permanent, or archival records of an agency.

§ 2.2-3802. Systems to which chapter inapplicable.

The provisions of this chapter shall not apply to personal information systems:

1. Maintained by any court of the Commonwealth;

2. Which may exist in publications of general circulation;

3. Contained in the Criminal Justice Information System as defined in §§ 9.1-126 through 9.1-137 or in the Sex Offender and Crimes Against Minors Registry maintained by the Department of State Police pursuant to Chapter 9 (§ 9.1-900 et seq.) of Title 9.1, except to the extent that information is required to be posted on the Internet pursuant to § 9.1-913;

4. Contained in the Virginia Juvenile Justice Information System as defined in §§ 16.1-222 through 16.1-225;

5. Maintained by agencies concerning persons required by law to be licensed in the Commonwealth to engage in the practice of any profession, in which case the names and addresses of persons applying for or possessing the license may be disseminated upon written request to a person engaged in the profession or business of offering professional educational materials or courses for the sole purpose of providing the licensees or applicants for licenses with informational materials relating solely to available professional educational materials or courses, provided the disseminating agency is reasonably assured that the use of the information will be so limited;

6. Maintained by the Parole Board, the Crime Commission, the Judicial Inquiry and Review Commission, the Virginia Racing Commission, and the Department of Alcoholic Beverage Control;

7. Maintained by the Department of State Police; the police department of the Chesapeake Bay Bridge and Tunnel Commission; police departments of cities, counties, and towns; and the campus police departments of public institutions of higher education as established by Chapter 17 (§ 23-232 et seq.) of Title 23, and that deal with investigations and intelligence gathering relating to criminal activity; and maintained, provided, however, that this exception shall not apply to personal information collected by any such law-enforcement agency in a passive manner through use of any technology where such personal information is of unknown relevance and not intended for prompt evaluation and potential use respecting suspected criminal activity or terrorism by any individual or organization;

8. Maintained by local departments of social services regarding alleged cases of child abuse or neglect while such cases are also subject to an ongoing criminal prosecution;

8 9. Maintained by the Virginia Port Authority as provided in § 62.1-132.4 or 62.1-134.1;

9 10. Maintained by the Virginia Tourism Authority in connection with or as a result of the promotion of travel or tourism in the Commonwealth, in which case names and addresses of persons requesting information on those subjects may be disseminated upon written request to a person engaged in the business of providing travel services or distributing travel information, provided the Virginia Tourism Authority is reasonably assured that the use of the information will be so limited;

10 11. Maintained by the Division of Consolidated Laboratory Services of the Department of General Services and the Department of Forensic Science, which deal with scientific investigations relating to criminal activity or suspected criminal activity, except to the extent that § 9.1-1104 may apply;

11 12. Maintained by the Department of Corrections or the Office of the State Inspector General that deal with investigations and intelligence gathering by persons acting under the provisions of Chapter 3.2 (§ 2.2-307 et seq.);

12 13. Maintained by (i) the Office of the State Inspector General or internal audit departments of state agencies or institutions that deal with communications and investigations relating to the Fraud, Waste and Abuse Hotline or (ii) an auditor appointed by the local governing body of any county, city, or town or a school board that deals with local investigations required by § 15.2-2511.2;

13 14. Maintained by the Department of Social Services or any local department of social services relating to public assistance fraud investigations; and

14 15. Maintained by the Department of Social Services related to child welfare, adult services or adult protective services, or public assistance programs when requests for personal information are made to the Department of Social Services. Requests for information from these systems shall be made to the appropriate local department of social services, which is the custodian of that record. Notwithstanding the language in this section, an individual shall not be prohibited from obtaining information from the central registry in accordance with the provisions of § 63.2-1515.

§ 52-48. Confidentiality and immunity from service of process; penalties.

A. Papers, records, documents, reports, materials, databases, or other evidence or information relative to criminal intelligence or any terrorism investigation in the possession of the Virginia Fusion Intelligence Center shall be confidential and shall not be subject to the Virginia Freedom of Information Act (§ 2.2-3700 et seq.) or the Government Data Collection and Dissemination Practices Act (§ 2.2-3800 et seq.). Every three years, the Department shall conduct a review of information contained in any database maintained by the Virginia Fusion Intelligence Center. Data that has been determined to not have a nexus to terrorist activity shall be removed from such database. A reasonable suspicion standard shall be applied when determining whether or not information has a nexus to terrorist activity.

B. No person, having access to information maintained by the Virginia Fusion Intelligence Center, shall be subject to subpoena in a civil action in any court of the Commonwealth to testify concerning a matter of which he has knowledge pursuant to his access to criminal intelligence information maintained by the Virginia Fusion Intelligence Center.

C. No person or agency receiving information from the Virginia Fusion Intelligence Center shall release or disseminate that information without prior authorization from the Virginia Fusion Intelligence Center.

D. Any person who knowingly disseminates information in violation of this section is guilty of a Class 1 misdemeanor. If such unauthorized dissemination results in death or serious bodily injury to another person, such person is guilty of a Class 4 felony.

E. For purposes of this chapter:

"Criminal intelligence information" means data that has been evaluated and determined to be relevant to the identification and criminal activity of individuals or organizations that are reasonably suspected of involvement in criminal activity or terrorism. "Criminal intelligence information" shall not include criminal investigative files or personal information collected without a warrant by any law-enforcement or regulatory agency in a passive manner through use of any technology where such personal information is of unknown relevance and not intended for prompt evaluation and potential use respecting suspected criminal activity or terrorism by any individual or organization.