Can I use third-party project management tools that collect personal information in Virginia? What are the requirements?

Using Third-Party Project Management Tools that Collect Personal Information in Virginia

If you are using third-party project management tools that collect personal information in Virginia, you must comply with the requirements outlined in the Virginia Code § 2.2-3803 ^[2.1].

According to the Virginia Code, any agency maintaining an information system that includes personal information shall collect, maintain, use, and disseminate only that personal information permitted or required by law to be so collected, maintained, used, or disseminated, or necessary to accomplish a proper purpose of the agency ^[2.1].

Additionally, the agency must establish appropriate safeguards to secure the system from any reasonably foreseeable threat to its security ^[2.1].

It is important to note that the context documents do not provide specific requirements for third-party project management tools that collect personal information. Therefore, it is recommended that you consult with legal counsel to ensure compliance with all relevant laws and regulations.

Requirements for Using Third-Party Project Management Tools in Virginia

In addition to complying with the Virginia Code § 2.2-3803, if the third-party project management tool collects personal information, the agency must ensure that the collection of personal information is authorized or required by state or federal law and essential for the performance of the agency’s duties ^[2.2][1.2].

The agency must also establish appropriate oversight for information technology projects, including the establishment of Internal Agency Oversight Committees and Secretariat Oversight Committees ^[1.1][1.2].

Furthermore, the agency must establish a Commonwealth Project Management Standard for information technology projects that establishes a methodology for the initiation, planning, execution, and closeout of information technology projects and related procurements ^[1.1].

The agency must establish minimum qualifications and training standards for project managers ^[1.1].

The agency must review and approve or disapprove the selection or termination of any Commonwealth information technology project ^[1.1].

The agency must establish policies, standards, and guidelines that require the Division to review and recommend to the CIO Commonwealth information technology projects proposed by executive branch agencies ^[1.1].

The agency must ensure that all such projects conform to the Commonwealth strategic plan for information technology developed and approved pursuant to subdivision A 3 of § 2.2-2007.1 and the strategic plans of agencies developed and approved pursuant to § 2.2-2014 ^[1.1].

The agency must conduct a risk assessment prior to the issuance of a Request for Proposal if the CIO believes that a major information technology project presents an exceptional risk to the Commonwealth ^[3.1].

The agency must comply with the Collection, disclosure, or display of social security number; personal identifying information of donors; penalty ^[2.2].

Therefore, if you are using third-party project management tools that collect personal information in Virginia, you must comply with the Virginia Code § 2.2-3803 and the requirements outlined above. It is recommended that you consult with legal counsel to ensure compliance with all relevant laws and regulations.

Source(s):

• [1.1] Additional powers and duties of the CIO relating to project management
• [2.1] Administration of systems including personal information; Internet privacy policy; exceptions
• [1.2] Project oversight committees
• [3.1] Major information technology project procurement; terms and conditions
• [2.2] (Effective until date pursuant to Va. Const., Art. IV, § 13) Collection, disclosure, or display of social security number; personal identifying information of donors; penalty

Jurisdiction

Virginia

• Privacy