Can I use third-party collaboration tools that collect personal information in Virginia? What are the requirements?

Using Third-Party Collaboration Tools that Collect Personal Information in Virginia

If you are using third-party collaboration tools that collect personal information in Virginia, you must ensure that the collection, maintenance, use, and dissemination of personal information is permitted or required by law, or necessary to accomplish a proper purpose of the agency ^[1.1]. Additionally, you must establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security ^[1.1].

Publicizing Safeguarding Requirements

The department, agency, or provider must inform clients in writing that client information shall be confidential pursuant to federal and state laws ^[2.1].

Confidentiality of Client Information Pertaining to Public Assistance

Confidentiality of client information of public assistance programs is assured by §§ 63.2-102 and 63.2-805 G of the Code of Virginia. Information may be released only for a purpose directly connected with the administration of a public assistance program, except as herein provided or pursuant to §§ 63.2-102 and 63.2-805 G of the Code of Virginia ^[2.2].

Requirements When Records are Automated

Participating agencies having automated juvenile record information files shall:

1. Designate a data owner to maintain and control authorized user accounts, system management, and the implementation of security measures;
2. Develop and implement a logical access procedure to prevent unauthorized access and dissemination; and
3. Develop procedures for discarding old computers to ensure that information contained on those computers is not available to unauthorized persons. All data must be completely erased or otherwise made unreadable in accordance with COV ITRM Standard SEC 514–04, Removal of Commonwealth Data from Electronic Media Standard ^[3.1].

Designation of Authorized Individuals

Each participating agency shall determine what positions in the agency require regular access to juvenile record information as part of their job responsibilities and as documented in the employee work profile. The department shall require a background check of any individual who will be given access to the VJJIS system through any participating agency. The department may deny access to any person based on the results of such background investigation or due to the person’s violation of the provisions of this chapter or other security requirements established for the collection, storage, or dissemination of juvenile record information. Only authorized individuals shall have direct access to juvenile record information. Use of juvenile record information by an unauthorized individual, or for a purpose or activity other than one for which the person is authorized to receive juvenile record information, shall be considered an unauthorized dissemination. Persons who are given access to juvenile record information shall be required to sign an information security agreement in accordance with department procedure stating that they will use and disseminate the information only in compliance with law and this chapter and that they understand that there are criminal and civil penalties for unauthorized dissemination ^[3.3].

In summary, if you are using third-party collaboration tools that collect personal information in Virginia, you must ensure that the collection, maintenance, use, and dissemination of personal information is permitted or required by law, or necessary to accomplish a proper purpose of the agency, and establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security. You must also inform clients in writing that client information shall be confidential pursuant to federal and state laws, and ensure that confidentiality of client information pertaining to public assistance is maintained. If you are a participating agency having automated juvenile record information files, you must designate a data owner, develop and implement a logical access procedure, and develop procedures for discarding old computers. Finally, you must designate authorized individuals, require background checks, and ensure that only authorized individuals have direct access to juvenile record information.

Source(s):

• [1.1] Administration of systems including personal information; Internet privacy policy; exceptions
• [2.1] Publicizing safeguarding requirements
• [3.1] Requirements when records are automated
• [2.2] Confidential client information pertaining to public assistance
• [3.3] Designation of authorized individuals

Jurisdiction

Virginia

• Privacy