Final Text
Part I
General Provisions
6VAC35-160-10. Definitions.
The following words and terms when used in this chapter shall have the following meanings unless the context clearly indicates otherwise.
"Access" means the ability directly to obtain information concerning an individual juvenile contained in manual or automated files.
"Commonwealth of Virginia Information Technology Resource Management Standards" or "COV ITRM Standards" means the information technology standards applicable to all [ Commonwealth ] executive branch agencies that manage, develop, purchase, and use information technology resources in the Commonwealth of Virginia.
"Data owner" means a Department of Juvenile
Justice employee who is responsible for the policy and practice decisions
regarding data as identified by COV ITRM Standard Security (SEC) [ 501-08
50109.1 ].
"Department" means the Department of Juvenile Justice.
"Destroy" means to totally eliminate and eradicate
by various methods, including, but not limited to, shredding, incinerating,
or pulping.
"Dissemination" means any transfer of juvenile
record information, whether orally, in writing, or by electronic means to any
person other than an employee of a participating agency who has a right to
the is authorized to receive the information under § 16.1-300
of the Code of Virginia and who is not barred from receiving the information by
other applicable law.
"Expunge" means to destroy all records concerning an individual juvenile, or all personal identifying information related to an individual juvenile that is included in aggregated files and databases, in accordance with a court order or the Code of Virginia.
"Juvenile record information" means any information in the possession of a participating agency pertaining to the case of a juvenile who is or has been the subject of an action by an intake officer as provided by § 16.1-260 of the Code of Virginia, as well as to personal identifying information concerning such a juvenile in any database or other aggregated compilation of records. The term does not apply to statistical or analytical records or reports in which individuals are not identified and from which their identities are not ascertainable.
"Need to know" means the principle that a user
should access only the specific information necessary to perform a particular
function in the exercise of his official duties. [ Once access to an
application is authorized, the authorized data user is still obligated to
assess the appropriateness of each specific access ] on a
need-to-know basis [ only necessary to perform official job
duties and responsibilities. ]
"Participating agency" means the Department of
Juvenile Justice department, including state-operated court service
units, or; any locally operated court service unit, secure
juvenile detention home, center, or juvenile group home or
emergency shelter; or any public agency, child welfare agency, private
organization, facility, or person who is treating or providing services
to a child pursuant to a contract with the department or pursuant to the
Virginia Juvenile Community Crime Control Act as set out in Article 12.1 (§
16.1-309.2 et seq.) of Chapter 11 of Title 16.1 of the Code of Virginia, that
is approved by the department to have direct access to juvenile record
information through the Virginia Juvenile Justice Information System VJJIS
or any of its component or derivative information systems. The term
"participating agency" does not include any court.
"Remote access" means a connection to the department's systems from a remote location other than a department facility.
"Telecommunication connection" means the infrastructure used to establish a remote access to department information technology systems.
"Virginia Juvenile Justice Information System (VJJIS)"
or "VJJIS" means the equipment, facilities, agreements and
procedures used to collect, process, preserve or disseminate juvenile record
information in accordance with § 16.1-224 or § 16.1-300 of the Code of
Virginia. The operations of the system may be performed manually or by using
electronic computers or other automated data processing equipment.
"VJJIS functional administrator" means a
Department of Juvenile Justice employee who is responsible for overseeing the
operation of a specific component of the Virginia Juvenile Justice Information
System. Such persons are sometimes referred to as "functional
proponents" of particular information reporting systems. The functional
administrator is not to be confused with the department's overall administrator
of the VJJIS.
Part II
Participating Agencies in the Virginia Juvenile Justice Information System
VJJIS
6VAC35-160-30. Designation as a participating agency.
A. The department, including its central administration, department-operated facilities, and state-operated court service units, is considered a single participating agency for purposes of this regulation.
B. Locally operated court services units, and secure
juvenile detention homes and boot camps as defined in § 16.1-228 of the
Code of Virginia centers shall be participating agencies in the Virginia
Juvenile Justice Information System VJJIS.
C. Any other agency that is eligible to receive juvenile record information under § 16.1-300 of the Code of Virginia may apply to the department for status as a participating agency.
6VAC35-160-40. Signed memorandum of agreement and nondisclosure agreement required.
The department shall develop a written memorandum of
agreement and a nondisclosure agreement with each other
participating agency delineating the participating agency's access to and
responsibility for information contained in the Virginia Juvenile Justice
Information System VJJIS.
6VAC35-160-50. Data submissions.
A. All participating agencies shall submit data and other
information as required by department policy procedures to ensure
that juvenile record information is complete, accurate, current, and
consistent.
B. Administrators of participating agencies are responsible
for ensuring that entries into the juvenile justice information system VJJIS
are accurate, timely, and in a form prescribed by the department.
C. All information entered into the Virginia Juvenile
Justice Information System VJJIS shall become part of a juvenile's
record and shall be subject to the confidentiality provisions of § 16.1-300 of
the Code of Virginia.
6VAC35-160-60. Access provided to participating agencies.
A. In accordance with policies statutes,
regulations, and procedures governing confidentiality of information and
system security, the department may limit or expand the scope of access granted
to participating agencies.
B. When individuals or participating agencies are providing treatment or rehabilitative services to a juvenile as part of an agreement with the department, their access to juvenile record information shall be limited to that portion of the information that is relevant to the provision of the treatment or service. Once access to an application is authorized, the authorized data user is still obligated to assess the appropriateness of each specific access on a need-to-know basis.
C. An individual's juvenile record information shall be made
available only to participating agencies currently supervising or providing
services to the juvenile, and only upon presentation of the unique
identifying number assigned to the juvenile. Once access to an application is
authorized, the authorized data user [ is still remains ]
obligated to assess the appropriateness of each specific access on a
need-to-know basis.
6VAC35-160-70. Designation of authorized individuals.
A. Each participating agency shall determine what positions in the agency require regular access to juvenile record information as part of their job responsibilities and as documented in the employee work profile.
B. In accordance with applicable law and regulations, the
The department may shall require a background check of any
individual who will be given access to the VJJIS system through any
participating agency. The department may deny access to any person based on the
results of such background investigation or due to the person's violation of
the provisions of these regulations this chapter or other
security requirements established for the collection, storage, or dissemination
of juvenile record information.
C. Only authorized employees individuals shall
have direct access to juvenile record information.
D. Use of juvenile record information by an unauthorized employee
individual, or for a purpose or activity other than one for which the
person is authorized to receive juvenile record information, will shall
be considered an unauthorized dissemination.
E. Persons who are given access to juvenile record information
shall be required to sign an agreement information security agreement
in accordance with department procedure stating that they will use and
disseminate the information only in compliance with law and these
regulations, this chapter and that they understand that there are
criminal and civil penalties for unauthorized dissemination.
6VAC35-160-90. Security of physical records.
A. A participating agency that possesses physical records or files containing juvenile record information shall institute procedures to ensure the physical security of such juvenile record information from unauthorized access, disclosure, dissemination, theft, sabotage, fire, flood, wind, or other natural or man-made disasters.
B. Only authorized persons who are clearly identified shall
have access to areas where juvenile record information is collected, stored,
processed, or disseminated. Locks, guards, or other appropriate
means shall be used to control access.
6VAC35-160-100. Requirements when records are automated.
Participating agencies having automated juvenile record information files shall:
1. Designate a system administrator data owner to
maintain and control authorized user accounts, system management, and the
implementation of security measures;
2. Maintain "backup" copies of juvenile record
information, preferably off-site;
3. Develop a disaster recovery plan, which shall be
available for inspection and review by the department;
4. Carefully control system specifications and documentation
to prevent unauthorized access and dissemination 2. Develop and
implement a logical access procedure to prevent unauthorized access and
dissemination; and
5. 3. Develop procedures for discarding old
computers to ensure that information contained on those computers is not
available to unauthorized persons. All data must be completely erased or
otherwise made unreadable in accordance with COV ITRM Standard SEC 51404,
Removal of Commonwealth Data from Electronic Media Standard [ or
any successor COV ITRM standard that addresses the removal of Commonwealth data
from electronic media ].
6VAC35-160-110. Access controls for computer security.
A. Where juvenile record information is computerized, logical
access controls shall be [ put in place implemented ]
to ensure that records can be queried, updated, or destroyed only from approved
system user accounts. Industry standard levels of encryption shall be required
to protect all confidential juvenile record information moving
through any network.
B. The logical access controls described in
subsection A of this section shall be known only to the employees of the
participating agency who are responsible for control of the juvenile record
information system or to individuals and agencies operating under a specific
agreement with the participating agency to provide such security programs. The
access controls shall be kept under maximum security conditions secure.
C. Computer operations, whether dedicated or shared, that support juvenile record information shall operate in accordance with procedures developed or approved by the department.
D. Juvenile record information shall be stored by the
computer in such a manner that it cannot be modified, destroyed, accessed,
changed, purged, or overlaid in any fashion except via an approved
system user account.
6VAC35-160-130. Security of telecommunications.
A. Ordinarily, dedicated telecommunications lines shall be
required for direct or remote access to computer systems containing juvenile
record information. However, the The department may permit the use of
a nondedicated means of data transmission to access juvenile record information
when there are adequate and verifiable safeguards in place to restrict access
to juvenile record information to authorized persons. Industry standard levels
of encryption shall be required to protect all juvenile record information
moving through any network.
B. Where remote access of juvenile record information is
permitted, remote access devices must be secure. Remote access devices capable
of receiving or transmitting juvenile record information shall be secured
during periods of operation. When the remote access device is unattended, the
device shall be made inoperable for purposes of accessing juvenile record
information by implementing a screen saver lockout period after a maximum of
15 minutes of inactivity for devices as required by COV ITRM Standards SEC
[ 501-09 or any successor COV ITRM Standard that addresses
information security 50109.1 ]. In addition, appropriate
identification of the remote access device operator shall be required.
C. Telecommunications facilities The
telecommunications connection used in connection with the remote
access device shall also be secured. The telecommunications facilities Telecommunication
connections shall be reasonably protected from possible tampering or
tapping.
6VAC35-160-150. Correcting errors.
Participating agencies shall immediately notify the
appropriate VJJIS functional administrator data owner [ when
it is found upon discovering ] that incorrect information has
been entered into the juvenile justice information system VJJIS.
The VJJIS functional administrator data owner [ will shall ]
make arrangements to correct the information as soon as practicable in
accordance with department procedures.
6VAC35-160-170. Information to be disseminated only in
accordance with law applicable statutes and regulation regulations.
A. In accordance with § 16.1-223 of the Code of Virginia, data
stored in the Virginia Juvenile Justice Information System VJJIS shall
be confidential. Information from such data that identifies an individual
juvenile may be released only in accordance with § 16.1-300 of the Code of
Virginia, applicable federal law, and this regulation chapter.
B. Unauthorized dissemination of juvenile record information
will result in subject the disseminator's being subject disseminator
to the administrative sanctions described in 6VAC35-160-380. Unlawful
dissemination also may be prosecuted as a Class 3 misdemeanor under § 16.1-309
of the Code of Virginia or as a Class 2 misdemeanor under § 16.1-225 of the
Code of Virginia.
C. Additional disclosure limitations are provided in the
Health Insurance Portability and Accountability Act (42 USC §§ 1320d-5 and
1320d-6) and the federal substance abuse law (42 USC § 290dd2(f)).
6VAC35-160-180. Fees.
Participating agencies may charge a reasonable fee for search
and copying time expended when an individual or a nonparticipating agency
requests juvenile record information. The participating agency shall inform the
requester of the fees to be charged, and shall obtain written
agreement from the requester to pay such costs prior to initiating the search
for requested information. Any release shall be in accordance with
applicable statutes and regulations.
6VAC35-160-210. Determining requestor's eligibility to receive the information.
A. Upon receipt of a request for juvenile record information,
an appropriately designated person shall determine whether the requesting agency
or individual is eligible to receive juvenile record information as provided in
§ 16.1-300 of the Code of Virginia, federal law, and this regulation
chapter.
B. The determination as to whether a person, agency or
institution has a "legitimate interest" in a juvenile's
case shall be based on the criteria specified in subdivision A 7 of §
16.1-300 A 7 of the Code of Virginia.
C. When there is a request to disseminate health records or
substance abuse treatment records, the person responding to the request shall
determine whether the requested information is protected by the Health
Insurance Portability and Accountability Act of 1996 or by the federal law
on substance abuse treatment records (42 USC § 290dd-2 and 42 CFR Part 2),
and may consult with designated department personnel in making this
determination. Health records and substance abuse treatment records shall be
disseminated only in strict compliance with the applicable federal statutory
requirements, the Code of Virginia, and this chapter.
6VAC35-160-220. Responding to requests.
A. Once it is determined that a requestor is entitled to juvenile record information, a designated individual shall inform the requestor of the procedures for reviewing the juvenile record information, including the general restrictions on the use of the data, when the record will be available, and any costs that may be involved.
B. When the request for juvenile record information is made by an individual's parent, guardian, legal custodian or other person standing in loco parentis, the request shall be referred to designated personnel of the department. (See 6VAC35-160-230.)
C. Before beginning the search for the requested juvenile
record information, a designated individual shall inform the requester of any
fees that will be charged pursuant to 6VAC35-160-180 and shall obtain the
consent of the requester to pay any charges associated with providing the
requested information.
D. C. All records containing sensitive data (e.g.,
name, date of birth, social security number, or address) shall be encrypted
prior to electronic dissemination. Except as provided in subsection B of
this section, requested records shall be provided as soon as practicable, but
in any case within seven 10 business days unless compliance with
other applicable regulations requires a longer response time.
E. D. If the request for information is made to
a participating agency and the participating agency does not have access to the
particular information requested, the requestor shall be so notified and
shall be told how to request the information from the appropriate source, if
known.
F. E. Personnel of the participating agency
shall provide reasonable assistance to the individual or his attorney to help
understand the record.
G. F. The person releasing the record shall also
inform the individual of his right to challenge the record as provided in
6VAC35-160-280.
H. G. If no record can be found, a statement
shall be furnished to this effect.
6VAC35-160-260. Reporting unauthorized disseminations.
A. Participating agencies shall notify the department when
they observe any violations of the above dissemination regulations contained
in this part. The department will shall investigate and respond
to the violation as provided in law and this chapter.
B. A participating agency that knowingly fails to report a violation may be subject to an immediate audit of its entire dissemination log and procedures to ensure that disseminations are being appropriately managed.
Part IV
Challenge To to and Correction of Juvenile Record Information
6VAC35-160-280. Challenge.
A. Individuals, or persons acting on an individual's behalf as
provided for by law, may challenge their own juvenile record information by completing
documentation provided by the department and forwarding it to the functional
proponent data owner who is responsible for the applicable component
of the the Virginia Juvenile Justice Information System VJJIS as
prescribed in department procedures.
B. When a record that is maintained by the VJJIS is
challenged, both the manual and the automated record shall be flagged with the
message "CHALLENGED RECORD." The individual shall be given an
opportunity to make provide a brief written statement
describing how the information contained in the record is alleged to be
inaccurate. When a challenged record is disseminated while under challenge, the
record shall carry both the flagged message and the individual's statement, if
one has been provided.
C. The VJJIS functional administrator data owner
or designee shall examine the individual's record to determine if a data entry
error was made. If a data entry error is not obvious, the VJJIS functional
administrator data owner shall send a copy of the challenge form and
any relevant information to all agencies that could have originated the
information under challenge, and shall ask them to examine their files to
determine the validity of the challenge.
D. The participating agencies shall examine their source data,
the contents of the challenge, and information supplied by the VJJIS for any
discrepancies or errors, and shall advise the VJJIS functional
administrator data owner of the results of the examination.
E. If a modification of a VJJIS record is required, the VJJIS
functional administrator data owner shall ensure that the required
change is made and shall notify all participating agencies that were asked to
examine their records in connection with the challenge.
F. Participating agencies that, pursuant to 6VAC35-160-220, have disseminated an erroneous or incomplete record shall in turn notify all entities that have received the erroneous juvenile record information as recorded on the agency's dissemination log.
G. The participating agency that received the challenge shall notify the individual or person acting on the individual's behalf of the results of the challenge and the right to request an administrative review and appeal those results.
6VAC35-160-290. Administrative review of challenge results.
A. If not satisfied with the results of the challenge, the
individual or those acting on his behalf may, within 30 calendar days,
request in writing an administrative review of the challenge by the Director
director of the Department of Juvenile Justice department.
B. Within 30 days of receiving the written request for the
administrative review, the Director director of the Department
of Juvenile Justice department, or a designee who is not the VJJIS
functional administrator data owner who responded to the challenge,
shall review the challenge, the findings of the review, and the action
taken by the VJJIS functional administrator data owner. If the
administrative review supports correction of the juvenile record information,
the correction shall be made as prescribed above in [ this
section 6VAC35-160-280 ].
6VAC35-160-300. Removal of a challenge designation.
When juvenile the challenge to the juvenile's
record information is determined to be correct has been resolved,
either as a result of a challenge or an administrative review of the challenge,
the VJJIS functional administrator data owner shall notify the
affected participating agencies to remove the challenge designation from their
files.
Part V
Expungement
6VAC35-160-310. Expungement requirements.
When a court orders or law requires the expungement of an individual's juvenile records, all records and personal identifying information associated with the expungement order shall be destroyed in accordance with the court order or statutory requirement. Nonidentifying information may be kept in databases or other aggregated files for statistical purposes.
6VAC35-160-320. Notification to participating agencies.
The VJJIS functional administrator data owner
shall notify all participating agencies to purge their records of any reference
to the person whose record has been ordered expunged. The notification shall
include a copy of the applicable court order, along with notice of the
penalties imposed by law for disclosure of such personal identifying
information (see § 16.1-309 of the Code of Virginia).
6VAC35-160-330. Procedures for expunging juvenile record information.
A. Paper versions of records that have been ordered expunged
shall be destroyed by shredding, incinerating, pulping, or otherwise totally
eradicating the record.
B. Computerized versions of records that have been ordered
expunged shall be deleted from all databases and electronic files in such a way
that the records cannot be accessed or recreated through ordinary use of any
equipment or software that is part of the Virginia Juvenile Justice
Information System VJJIS and in accordance with the ITRM SEC [ 514-03
51404 ] Removal of [ Electronic
Commonwealth ] Data from Electronic Media [ standard
Standard ].
C. If personal identifying information concerning the subject individual is included in records that are not ordered expunged, the personal identifying information relating to the individual whose records have been ordered expunged shall be obliterated on the original, or a new document shall be created eliminating the personal identifying references to the individual whose record has been ordered expunged.
6VAC35-160-340. Confirmation notice required to VJJIS
functional administrator data owner.
Within 30 calendar days of receiving expungement
instructions from the VJJIS functional administrator data owner, the
participating agency shall expunge the juvenile record information in
accordance with 6VAC35-160-330 and shall notify the VJJIS functional
administrator data owner when the records have been expunged. The
notification to the VJJIS functional administrator data owner
shall indicate that juvenile records were expunged in accordance with court
order and shall not identify the juvenile whose records where were expunged.
6VAC35-160-350. Expungement order received directly by participating agency.
When a participating agency receives an expungement order
directly from a court, the participating agency shall promptly comply with the
expungement order in accordance with 6VAC35-160-330 and shall notify the VJJIS
functional administrator data owner of the court-ordered
expungement. The VJJIS functional administrator shall data owner,
upon receipt of such notification, obtain a copy of the order from the
appropriate court shall contact the appropriate court and determine the
validity of the notification, as applicable.
Part VI
Disposition of Records in the [ Virginia Juvenile Justice
Information System VJJIS ]
6VAC35-160-355. Record retention.
All records in the Virginia Juvenile Justice Information
System VJJIS shall be retained and disposed of in accordance with the
applicable records retention schedules approved by the Library of Virginia.
When a participating agency or a unit of a participating agency disposes of
records in the physical possession of the participating agency or the unit of a
participating agency, the person who disposes of such records shall notify the VJJIS
functional administrator data owner to remove that same information
from VJJIS.
Part VII
Enforcement
6VAC35-160-360. Oversight by the Department of Juvenile
Justice department.
A. The Department of Juvenile Justice department
shall have the responsibility for monitoring compliance with this chapter and for
taking enforcement action as provided in this chapter or by law applicable
state and federal statutes and regulations.
B. The department shall have the right to audit, monitor, and
inspect any facilities, equipment, software, systems, or procedures established
pursuant to required by this chapter.
6VAC35-160-390. Annual report to the board. (Repealed.)
The department shall annually report to the board on the
status of the Juvenile Justice Information System, including a summary of (i) any
known security breaches and corrective actions taken; (ii) any audits
conducted, whether random or for cause; and (iii) any challenges received
alleging erroneous information and the outcome of any investigation in response
to such a challenge.
[ DOCUMENTS INCORPORATED BY REFERENCE (6VAC35-160)
Information Technology Resource Management Standard - Information Security Standard, 50109.1, Virginia Information Technologies Agency (rev. 12/2016)