Be it enacted by the General Assembly of Virginia:
1. That §§2.2-3800, 2.2-3801, and 2.2-3803 of the Code of Virginia are amended and reenacted and that the Code of Virginia is amended by adding sections numbered 2.2-213.6 and 2.2-213.7 as follows:
§ 2.2-213.6. Substance Abuse Data Sharing and Analytics Clearinghouse.
A. The Secretary of Health and Human Resources, in consultation with the Substance Abuse Data Sharing and Analytics Advisory Committee established pursuant to §2.2-213.7, shall establish a Substance Abuse Data Sharing and Analytics Clearinghouse (the Clearinghouse).
B. Notwithstanding any other provision of state law, and to the extent authorized by federal law, all agencies set forth in subsection A of §2.2-212 and subsection A of §2.2-221, any community services board, any local law-enforcement agency, and any other health and human services-related entity of a political subdivision that receives any state funds shall provide to the Clearinghouse any data relevant to the prevention or treatment of substance abuse, with a focus on prevention and treatment of opioid addiction and abuse, that is requested by the Secretary of Health and Human Resources. The Secretary of Health and Human Resources may also request data and information from any private source deemed relevant to the analysis and shall be encouraged to (i) enter into public-private partnerships and (ii) enter into agreements with public institutions of higher education in the Commonwealth to implement or further the purposes of the Clearinghouse.
C. The purpose of the Clearinghouse shall be the sharing or dissemination among and between agencies of data related to substance abuse, with a focus on opioid addiction and abuse, in order to (i) streamline administrative processes to improve the efficiency and efficacy of services, access to services, eligibility determinations for services, and service delivery; (ii) reduce paperwork and administrative burdens on applicants for and recipients of services related to substance abuse; (iii) improve the efficiency and efficacy of the management of programs related to the identification of, treatment of, or prevention of substance abuse; (iv) prevent fraud and improve auditing capabilities; (v) conduct outcomes-related research; (vi) develop quantifiable data to aid in policy development and decision making to promote the most efficient and effective use of resources; and (vii) perform data analytics regarding any of the purposes set forth in this subsection in order to identify the most effective and efficient means to identify, treat, and prevent substance abuse, with a focus on opioid addiction and abuse.
D. The Secretary of Health and Human Resources shall ensure that data collection, integration, and sharing is performed in a manner that preserves data privacy and security in transferring, storing, and accessing data, as appropriate. Any data or information provided to the Clearinghouse shall be exempt from public disclosure in the same manner as such data or information was exempt when held by the source agency. No data or information shall be deemed subject to public disclosure simply because the source agency provides the data or information to the Clearinghouse.
E. The Secretary of Health and Human Resources, and any state, local, or private entity required to provide data or information to the Clearinghouse, or providing data and information on a voluntary basis, shall immediately seek any waivers and enter into any agreements that may be required by state or federal law to effectuate data sharing and to carry out the purposes of the Clearinghouse.
F. The Secretary of Health and Human Resources shall report on or before December 1 of each year to the Governor and the General Assembly regarding the performance of the Clearinghouse. Such report shall set forth, at a minimum, the identification of (i) the categories and sources of information provided to the Clearinghouse; (ii) areas of improved service delivery; (iii) trends or metrics relevant to the prevention and treatment of substance abuse, with a focus on opioid addiction and abuse, that have led to or have the potential to lead to improved service identification and delivery models; (iv) cost savings and efficiencies achieved through improved service identification and delivery; (v) any legal or policy hindrances preventing the optimum operation of the Clearinghouse; and (vi) any policy recommendations regarding substance abuse treatment and prevention, with a focus on opioid addiction and abuse, identified as the result of the sharing and analysis of the data provided to the Clearinghouse.
§2.2-213.7. Substance Abuse Data Sharing and Analytics Advisory Committee.
A. The Substance Abuse Data Sharing and Analytics Advisory Committee (the Advisory Committee) is established to advise the Secretary of Health and Human Resources in all matters related to the creation, administration, oversight, function, and review of the Substance Abuse Data Sharing and Analytics Clearinghouse, created pursuant to § 2.2-213.6.
B. The Advisory Committee shall have a total membership of 14 that shall consist of five legislative members, six nonlegislative citizen members, and three ex officio members. Members shall be appointed as follows: three members of the House of Delegates, to be appointed by the Speaker of the House of Delegates in accordance with the principles of proportional representation contained in the Rules of the House of Delegates; two members of the Senate, to be appointed by the Senate Committee on Rules; one representative of the Virginia Association of Community Services Boards, to be appointed by the Governor; one medical professional with expertise in the field of substance abuse treatment, to be appointed by the Governor; the director of the Virginia Municipal League or his designee; the director of the Virginia Association of Counties or his designee; the director of the Joint Legislative Audit and Review Commission or his designee; and an employee of the State Council of Higher Education for Virginia (SCHEV) with expertise in data sharing, to be appointed by the director of SCHEV. The Secretaries of Health and Human Resources, Public Safety and Homeland Security, and Technology shall serve ex officio with voting privileges. Nonlegislative citizen members of the Advisory Committee shall be citizens of the Commonwealth.
C. Legislative members and ex officio members of the Advisory Committee shall serve terms coincident with their terms of office. Nonlegislative citizen members shall be appointed for terms of four years. Members may be reappointed.
D. Members shall serve without compensation but shall be reimbursed for all reasonable and necessary expenses incurred in the performance of their duties as provided in § 2.2-2825.
E. Staff to the Advisory Council shall be provided by the Office of the Secretary of Health and Human Resources.
§2.2-3800. Short title; findings; principles of information practice.
A. This chapter may be cited as the "Government Data Collection and Dissemination Practices Act."
B. The General Assembly finds that:
1. An individual's privacy is directly affected by the extensive collection, maintenance, use and dissemination of personal information;
2. The increasing use of computers and sophisticated information technology has greatly magnified the harm that can occur from these practices;
3. An individual's opportunities to secure employment, insurance, credit, and his right to due process, and other legal protections are endangered by the misuse of certain of these personal information systems; and
4. In order to preserve the rights guaranteed a citizen in a free society, legislation is necessary to establish procedures to govern information systems containing records on individuals.
C. Recordkeeping agencies of the Commonwealth and political subdivisions shall adhere to the following principles of information practice to ensure safeguards for personal privacy:
1. There shall be no personal information system whose existence is secret.
2. Information shall not be collected unless the need for it has been clearly established in advance.
3. Information shall be appropriate and relevant to the purpose for which it has been collected.
4. Information shall not be obtained by fraudulent or unfair means.
5. Information shall not be used unless it is accurate and current.
6. There shall be a prescribed procedure for an individual to learn the purpose for which information has been recorded and particulars about its use and dissemination.
7. There shall be a clearly prescribed and uncomplicated procedure for an individual to correct, erase or amend inaccurate, obsolete or irrelevant information.
8. Any agency holding personal information shall assure its reliability and take precautions to prevent its misuse.
9. There shall be a clearly prescribed procedure to prevent personal information collected for one purpose from being used or disseminated for another purpose unless such use or dissemination is authorized or required by law.
10. The Commonwealth or any agency or political subdivision thereof shall not collect personal information except as explicitly or implicitly authorized by law.
§2.2-3801. Definitions.
As used in this chapter, unless the context requires a different meaning:
"Agency" means any agency, authority, board, department, division, commission, institution, bureau, or like governmental entity of the Commonwealth or of any unit of local government including counties, cities, towns, regional governments, and the departments thereof, and includes constitutional officers, except as otherwise expressly provided by law. "Agency" includes any entity, whether public or private, with which any of the foregoing has entered into a contractual relationship for the operation of a system of personal information to accomplish an agency function. Any such entity included in this definition by reason of a contractual relationship shall only be deemed an agency as relates to services performed pursuant to that contractual relationship, provided that if any such entity is a consumer reporting agency, it shall be deemed to have satisfied all of the requirements of this chapter if it fully complies with the requirements of the Federal Fair Credit Reporting Act as applicable to services performed pursuant to such contractual relationship.
"Data subject" means an individual about whom personal information is indexed or may be located under his name, personal number, or other identifiable particulars, in an information system.
"Disseminate" means to release, transfer, or otherwise communicate information orally, in writing, or by electronic means.
"Information system" means the total components and operations of a record-keeping process, including information collected or managed by means of computer networks and the Internet, whether automated or manual, containing personal information and the name, personal number, or other identifying particulars of a data subject.
"Personal information" means all information that (i) describes, locates or indexes anything about an individual including, but not limited to, his social security number, driver's license number, agency-issued identification number, student identification number, real or personal property holdings derived from tax returns, and his education, financial transactions, medical history, ancestry, religion, political ideology, criminal or employment record, or (ii) affords a basis for inferring personal characteristics, such as finger and voice prints, photographs, or things done by or to such individual; and the record of his presence, registration, or membership in an organization or activity, or admission to an institution. "Personal information" shall not include routine information maintained for the purpose of internal office administration whose use could not be such as to affect adversely any data subject nor does the term include real estate assessment information.
"Proper purpose" includes the sharing or dissemination of data or information among and between agencies in order to (i) streamline administrative processes to improve the efficiency and efficacy of services, access to services, eligibility determinations for services, and service delivery; (ii) reduce paperwork and administrative burdens on applicants for and recipients of public services; (iii) improve the efficiency and efficacy of the management of public programs; (iv) prevent fraud and improve auditing capabilities; (v) conduct outcomes-related research; (vi) develop quantifiable data to aid in policy development and decision making to promote the most efficient and effective use of resources; and (vii) perform data analytics regarding any of the purposes set forth in this definition.
"Purge" means to obliterate information completely from the transient, permanent, or archival records of an agency.
§2.2-3803. Administration of systems including personal information; Internet privacy policy; exceptions.
A. Any agency maintaining an information system that includes personal information shall:
1. Collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency;
2. Collect information to the greatest extent feasible from the data subject directly, or through the sharing of data with other agencies in order to accomplish a proper purpose of the agency;
3. Establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls;
4. Maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to ensure fairness in determinations relating to a data subject;
5. Make no dissemination to another system without (i) specifying requirements for security and usage, including limitations on access thereto, and (ii) receiving reasonable assurances that those requirements and limitations will be observed. This subdivision shall not apply, however, to a dissemination made by an agency to an agency in another state, district or territory of the United States where the personal information is requested by the agency of such other state, district or territory in connection with the application of the data subject therein for a service, privilege or right under the laws thereof, nor shall this apply to information transmitted to family advocacy representatives of the United States Armed Forces in accordance with subsection N of §63.2-1503;
6. Maintain a list of all persons or organizations having regular access to personal information in the information system;
7. Maintain for a period of three years or until such time as the personal information is purged, whichever is shorter, a complete and accurate record, including identity and purpose, of every access to any personal information in a system, including the identity of any persons or organizations not having regular access authority but excluding access by the personnel of the agency wherein data is put to service for the purpose for which it is obtained;
8. Take affirmative action to establish rules of conduct and inform each person involved in the design, development, operation, or maintenance of the system, or the collection or use of any personal information contained therein, about all the requirements of this chapter, the rules and procedures, including penalties for noncompliance, of the agency designed to assure compliance with such requirements;
9. Establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security; and
10. Collect no personal information concerning the political or religious beliefs, affiliations, and activities of data subjects that is maintained, used or disseminated in or by any information system operated by any agency unless authorized explicitly by statute or ordinance.
B. Every public body, as defined in §2.2-3701, that has an Internet website associated with that public body shall develop an Internet privacy policy and an Internet privacy policy statement that explains the policy to the public. The policy shall be consistent with the requirements of this chapter. The statement shall be made available on the public body's website in a conspicuous manner. The Secretary of Technology or his designee shall provide guidelines for developing the policy and the statement, and each public body shall tailor the policy and the statement to reflect the information practices of the individual public body. At minimum, the policy and the statement shall address (i) what information, including personally identifiable information, will be collected, if any; (ii) whether any information will be automatically collected simply by accessing the website and, if so, what information; (iii) whether the website automatically places a computer file, commonly referred to as a "cookie," on the Internet user's computer and, if so, for what purpose; and (iv) how the collected information is being used or will be used.
C. Notwithstanding the provisions of subsection A, the Virginia Retirement System may disseminate information as to the retirement status or benefit eligibility of any employee covered by the Virginia Retirement System, the Judicial Retirement System, the State Police Officers' Retirement System, or the Virginia Law Officers' Retirement System, to the chief executive officer or personnel officers of the state or local agency by which he is employed.
D. Notwithstanding the provisions of subsection A, the Department of Social Services may disseminate client information to the Department of Taxation for the purposes of providing specified tax information as set forth in clause (ii) of subsection C of §58.1-3.
E. Notwithstanding the provisions of subsection A, the State Council of Higher Education for Virginia may disseminate student information to agencies acting on behalf or in place of the U.S. government to gain access to data on wages earned outside the Commonwealth or through federal employment, for the purposes of complying with §23.1-204.1.