By Tricia Dunlap (Esq. & CIPP/US)
Have you read Part 1?
Forty-four years ago, in an act of uncommon foresight, Virginia passed its first data privacy law, the Virginia Data Act.
The Virginia Data Act is extraordinary for its unequivocal embrace of our rights as citizens in a free society to be protected from state government misuse of our personal information (PI). However, it appears that our General Assembly did not anticipate today’s widespread collection and use of PI. The Virginia Data Act applies only to the Commonwealth and its “political subdivisions” – cities, counties, towns, and authorities. As a result, the Data Act’s omission of limits on businesses and individuals creates a gap in our laws. That gap becomes increasingly important with each documented misuse of PI by the private sector. Thanks to recent news that federal agencies are purchasing our PI from businesses that profit from collecting it and thereby skirting the Fourth Amendment’s limits on warrantless searches, the need for expanding legal protections for our PI becomes urgent. Unfortunately, two bills that would have granted Virginians more rights to their PI failed in the 2020 General Assembly session.
What the Virginia Data Act Is
First passed in 1976, the Data Act has been amended five times (in 1987, 2001, 2003, 2009 and 2018). The General Assembly included four “findings”:
- Individual privacy is directly affected by the “extensive collection, maintenance, use and dissemination” of personal information.
- The extensive use of computers and information technology has magnified the potential harm.
- Misuse of PI endangers individuals’ opportunities for employment, insurance, and credit; it imperils our rights to due process and other legal protections.
- To preserve our rights as citizens in a free society, we need legislation governing Virginia’s management of PI.
I note that these four findings apply equally to government and private-sector misuse of PI. Given these findings, why has our legislature continued its hands-off approach to limiting private-sector management of Virginians’ PI? But I digress…
The Ten Principles
The Data Act articulates ten principles for information-collecting practices by the Commonwealth’s governments. Designed to “ensure safeguards for personal privacy”, they are:
- A ban on secret “personal information systems” – individuals have the right to know about the existence of any government “information system” that collects PI.
- Governments are not permitted to collect PI unless the need for PI is established in advance.
- Collected information must be appropriate for and relevant to the reason that justifies collection of it.
- Obtaining PI by fraudulent or unfair means is not permitted.
- PI shall not be used unless it is accurate and current.
- Governments must have a procedure that individuals can use to learn the purpose for which their PI was recorded and particulars about its use and dissemination.
- Governments must have a clearly prescribed and uncomplicated procedure for individuals to edit information.
- Any agency holding PI must ensure the PI is reliable and take precautions to prevent its misuse.
- Governments must prevent PI that was collected for one purpose from being used or disseminated for another purpose.
- Governments cannot collect PI except as authorized by law.
What is PI?
Surprisingly, the Data Act’s definition of “PI” is quite broad and falls into three categories. I’ve dubbed these categories “record-based PI”, “bioidentifier PI” and “conscience PI”:
- Record-based PI: “all information” that “describes, locates or indexes anything about an individual” including but not limited to social security, driver’s license or agency-issued number, student ID number, real or personal property tax records, education, financial transaction, medical history, ancestry, religion, political ideology, criminal or employment records.
- Bioidentifier PI: Any information that “affords a basis” for inferring personal characteristics – finger or voice prints, photographs, or “things done by or to” an individual.
- Conscience PI: PI related to our First Amendment freedoms of religion and association; Conscience PI reveals a person’s presence, registration, or membership in an organization, or admission to an institution.
Before you begin believing that the Data Act tightly constrains Virginia’s governments, you should know that there are sixteen exceptions in the Data Act. They relieve a long list of Virginia agencies from complying with the law. However, where the Data Act applies, it requires government agencies to collect only PI permitted by law or necessary to accomplish a “proper purpose” of the agency.
How Should We Handle PI?
As much as possible, PI should be collected directly from the individual or by sharing data with another agency. Agencies must establish categories of PI so that they can also create effective controls and limits on access to certain categories of PI. They must keep a list of people or organizations with access to various categories of PI, and protect PI confidentiality. Agencies have a duty to ensure that the PI in their systems is accurate, complete, timely, and pertinent. Individuals whose data is used by these agencies must be treated fairly by them.
For three years, or until the PI is purged, agencies must maintain a record of every person or organization who doesn’t have routine access but who accesses the PI, along with the reason why they accessed it. (Note: logging access is not required when the agency’s personnel are using the PI in service of the reason it was collected.)
Importantly, agencies must establish appropriate cybersecurity safeguards. Personnel must train in the Data Act’s requirements and in compliant collection, use, maintenance, and dissemination of Virginians’ PI.
Protection for Political and Religious Belief PI
The Data Act gives special protections to Conscience PI. Virginia agencies may only collect Conscience PI if they are explicitly authorized by law to do so. The Data Act expressly prohibits state agencies from sharing Conscience PI with the federal government if the federal government’s purpose in seeking it is to compile a database of individuals based on their religious affiliation, national origin, or ethnicity.
However, there is a loophole in the Data Act: if state or federal law requires the Virginia agency to share Conscience PI, then the Data Act does not prevent its disclosure.
Virginians’ Rights Under the Data Act
The Data Act grants Virginians five rights over their PI. We have a right to:
- Know whether we are legally required to furnish the PI that the agency is requesting and understand any consequences of providing or refusing to provide it.
- Be informed of how the agency intends to use our PI and how it might share it with other agencies or nongovernmental organizations that don’t normally have access to it.
- Inspect all of our own PI, know the nature of the sources of our PI and the identity of recipients or others who aren’t given authority for regular access (unless the information is part of an ongoing criminal investigation and disclosure would jeopardize the investigation).
- Be accompanied by another person when we request information from an agency about our PI that it has collected, maintained, or used. Note: bring a data privacy lawyer if you think your rights are in jeopardy.
- Challenge, correct, or explain information collected by the agency.
  - In response, the agency must investigate and record the current status of the disputed PI.
  - If the investigation finds that the PI is incomplete, inaccurate, not pertinent, stale, or not necessary, then the agency must promptly correct it or purge it and inform past recipients of the PI of the correction or purge.
  - If the investigation does not resolve the dispute, the individual may file up to a 200-word statement disputing the record. The agency must furnish this statement to anyone who previously received the disputed PI.
Virginia’s Data Act is encouraging. It provides meaningful limits on Virginia’s collection, use, storage, and sharing of our PI. As it begins crafting legislation designed to regulate the same conduct in the private sector, Virginia’s General Assembly should look to the Data Act as a strong starting template.
Find Out How Data Privacy Law Applies to Your Business
Dunlap Law can help you understand and adapt Virginia data privacy law, the CCPA, and other data privacy laws nationwide. We closely track data privacy legal developments so you don’t have to. Call for a consultation today or ask Tricia Dunlap to speak to your group.
Dunlap Law is a SWaM-certified law firm in Richmond, Virginia and the only B Corp certified law firm in Virginia or DC. Tricia Dunlap holds the Certified Information Privacy Professional (CIPP/US) credential from the International Association of Privacy Professionals. She is also 2020-2021 co-chair of the IAPP’s KnowledgeNet, Richmond Chapter.