Can I skip obtaining consent to disclose personal information for a business purpose in Virginia? What are the requirements?
Based on the documents provided, obtaining consent is required before disclosing personal information for a business purpose in Virginia. The consent for release of client information must contain the name of the entity supplying the information and the name of the requesting party, and must be signed and dated by the client or legally responsible person. The client or legally responsible person may add other information, which may include a statement specifying the date, event, or condition upon which the consent expires [1.1]. If one of the conditions in 22VAC40-910-20 D 1a is met and consent is not obtained before the release of the client records, the department, agency, or provider must make reasonable efforts to provide written notification to the client or legally responsible person within five business days after disclosure [1.2].
Furthermore, the department, agency, or provider shall inform clients in writing that client information shall be confidential pursuant to federal and state laws [1.3]. It shall be unlawful for any agency to disclose personal donor information without the express, written permission of every individual who is identifiable from the potential release of such personal donor information, including individuals identifiable as members, supporters, or volunteers of, or donors to, the agency [VACV 2.2-3808].
In addition, any agency maintaining an information system that includes personal information shall collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency. They shall establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls. They shall maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to ensure fairness in determinations relating to a data subject. They shall make no dissemination to another system without specifying requirements for security and usage including limitations on access thereto, and receiving reasonable assurances that those requirements and limitations will be observed [2.1].
In summary, obtaining consent is required before disclosing personal information for a business purpose in Virginia. The consent must contain specific information, and if consent is not obtained, written notification must be provided to the client or legally responsible person. Additionally, personal donor information cannot be disclosed without the express, written permission of every individual identifiable from the potential release of such information. Agencies maintaining an information system that includes personal information must collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency. They must establish categories for maintaining personal information to operate in conjunction with confidentiality requirements and access controls. They must maintain information in the system with accuracy, completeness, timeliness, and pertinence as necessary to ensure fairness in determinations relating to a data subject. They must make no dissemination to another system without specifying requirements for security and usage including limitations on access thereto, and receiving reasonable assurances that those requirements and limitations will be observed.
Source(s):
- [1.1] Consent process
- [2.1] Administration of systems including personal information; Internet privacy policy; exceptions
- [1.2] Notification of release of confidential client information
- [1.3] Publicizing safeguarding requirements
Jurisdiction: Virginia