Part I
General Provisions

6VAC35-160-10. Definitions.

The following words and terms when used in this chapter shall have the following meanings unless the context clearly indicates otherwise.

"Access" means the ability directly to obtain information concerning an individual juvenile contained in manual or automated files.

 "Commonwealth of Virginia (COV) ITRM Standards" means the information technology standards applicable to all State Executive Branch agencies develop, purchase, and use information technology resources in the Commonwealth of Virginia.

"Commonwealth of Virginia (COV) Network" means the Enterprise infrastructure that provides the connectivity between participating  agencies and the applications.

"Data Owner" means a Department of Juvenile Justice employee who is responsible for the policy and practice decisions regarding data as defined by  identified by COV ITRM Standard SEC 501-.08.

"Department" means the Department of Juvenile Justice.

"Destroy" means to totally eliminate and eradicate by various methods, including, but not limited to, shredding, incinerating, or pulping.

"Dissemination" means any transfer of juvenile record information, whether orally, in writing, or by electronic means to any person other than an employee of a participating agency who has a right to the is authorized to receive the information under § 16.1-300 of the Code of Virginia and who is not barred from receiving the information by other applicable law.

"Expunge" means to destroy all records concerning an individual juvenile, or all personal identifying information related to an individual juvenile that is included in aggregated files and databases, in accordance with a court order.

"Juvenile record information" means any information in the possession of a participating agency pertaining to the case of a juvenile who is or has been the subject of an action by an intake officer as provided by § 16.1-260 of the Code of Virginia, as well as to personal identifying information concerning such a juvenile in any database or other aggregated compilation of records. The term does not apply to statistical or analytical records or reports in which individuals are not identified and from which their identities are not ascertainable.

"Need to know" means the principle that a user should access only the specific information necessary to perform a particular function in the exercise of his official duties. Once access to an application is authorized, the authorized data user is still obligated to assess the appropriateness of each specific access on a need-to-know basis.

"Participating agency" means the Department of Juvenile Justice, including state-operated court service units, or any locally operated court service unit, detention home, group home or emergency shelter; or any public agency, child welfare agency, private organization, facility or person who is treating or providing services to a child pursuant to a contract with the department or pursuant to the Virginia Juvenile Community Crime Control Act as set out in Article 12.1 (§ 16.1-309.2 et seq.) of Chapter 11 of Title 16.1 of the Code of Virginia, that is approved by the department to have direct access to juvenile record information through the Virginia Juvenile Justice Information System or any of its component or derivative information systems. The term "participating agency" does not include any court.

"Remote access" means a connection to DJJ systems from a remote location other than Department of Juvenile Justice facilities.

"Telecommunication connection" means the infrastructure used to establish a remote access to DJJ information technology systems.

"Virginia Juvenile Justice Information System (VJJIS)" means the equipment, facilities, agreements and procedures used to collect, process, preserve or disseminate juvenile record information in accordance with § 16.1-224 or § 16.1-300 of the Code of Virginia. The operations of the system may be performed manually or by using electronic computers or other automated data processing equipment.

"VJJIS functional administrator" means a Department of Juvenile Justice employee who is responsible for overseeing the operation of a specific component of the Virginia Juvenile Justice Information System. Such persons are sometimes referred to as "functional proponents" of particular information reporting systems. The functional administrator is not to be confused with the department's overall administrator of the VJJIS.

Part II
Participating Agencies in the Virginia Juvenile Justice Information System

6VAC35-160-30. Designation as a participating agency.

A. The department, including its central administration, department-operated facilities and state-operated court service units, is considered a single participating agency for purposes of this regulation.

B. Locally operated court services units, and detention homes and boot camps as defined in § 16.1-228 of the Code of Virginia shall be participating agencies in the Virginia Juvenile Justice Information System.

C. Any other agency that is eligible to receive juvenile record information under § 16.1-300 of the Code of Virginia may apply to the department for status as a participating agency.

6VAC35-160-40. Signed memorandum of agreement and nondisclosure agreement required.

The department shall develop a written memorandum of agreement and a nondisclosure agreement with each other participating agency delineating the participating agency's access to and responsibility for information contained in the Virginia Juvenile Justice Information System.

6VAC35-160-50. Data submissions.

A. All participating agencies shall submit data and other information as required by department policy procedures to ensure that juvenile record information is complete, accurate, current and consistent.

B. Administrators of participating agencies are responsible for ensuring that entries into the juvenile justice information system are accurate, timely, and in a form prescribed by the department.

C. All information entered into the Virginia Juvenile Justice Information System shall become part of a juvenile's record and shall be subject to the confidentiality provisions of § 16.1-300 of the Code of Virginia.

6VAC35-160-60. Access provided to participating agencies.

A. In accordance with policies procedures governing confidentiality of information and system security, the department may limit or expand the scope of access granted to participating agencies.

B. When individuals or participating agencies are providing treatment or rehabilitative services to a juvenile as part of an agreement with the department, their access to juvenile record information shall be limited to that portion of the information that is relevant to the provision of the treatment or service. Once access to an application is authorized, the authorized data user is still obligated to assess the appropriateness of each specific access on a need-to-know basis.

C. An individual's juvenile record information shall be made available only to participating agencies currently supervising or providing services to the juvenile, and only upon presentation of the unique identifying number assigned to the juvenile. Once access to an application is authorized, the authorized data user is still obligated to assess the appropriateness of each specific access on a need-to-know basis.

6VAC35-160-70. Designation of authorized individuals.

A. Each participating agency shall determine what positions in the agency require regular access to juvenile record information as part of their job responsibilities and as documented in the employee work profile.

B. In accordance with applicable law and regulations, the department may shall require a background check of any individual who will be given access to the VJJIS system through any participating agency. The department may deny access to any person based on the results of such background investigation or due to the person's violation of the provisions of these regulations or other security requirements established for the collection, storage, or dissemination of juvenile record information.

C. Only authorized employees shall have direct access to juvenile record information.

D. Use of juvenile record information by an unauthorized employee, or for a purpose or activity other than one for which the person is authorized to receive juvenile record information, will be considered an unauthorized dissemination.

E. Persons who are given access to juvenile record information shall be required to sign an agreement Information Security Agreement in accordance with department procedure stating that they will use and disseminate the information only in compliance with law and these regulations, and that they understand that there are criminal and civil penalties for unauthorized dissemination.

6VAC35-160-90. Security of physical records.

A. A participating agency that possesses physical records or files containing juvenile record information shall institute procedures to ensure the physical security of such juvenile record information from unauthorized access, disclosure, dissemination, theft, sabotage, fire, flood, wind or other natural or man-made disasters.

B. Only authorized persons who are clearly identified shall have access to areas where juvenile record information is collected, stored, processed or disseminated. Locks, guards or other appropriate means shall be used to control access.

6VAC35-160-100. Requirements when records are automated.

Participating agencies having automated juvenile record information files shall:

1. Designate a system administrator data owner to maintain and control authorized user accounts, system management, and the implementation of security measures;

2. Maintain "backup" copies of juvenile record information, preferably off-site;

3. Develop a disaster recovery plan, which shall be available for inspection and review by the department;

2. Develop and implement a Logical Access Procedure to prevent unauthorized access and dissemination

4. Carefully control system specifications and documentation to prevent unauthorized access and dissemination; and

53. Develop procedures for discarding old computers to ensure that information contained on those computers is not available to unauthorized persons. All data must be completely erased or otherwise made unreadable in accordance with COV ITRM Standard SEC514-03, Removal of Commonwealth Data from Electronic Media Standard.

6VAC35-160-110. Access controls for computer security.

A. Where juvenile record information is computerized, logical access controls shall be put in place to ensure that records can be queried, updated or destroyed only from approved system user accounts. Industry standard levels of encryption shall be required to protect all confidential juvenile record information moving through any network.

B. The logical access controls described in subsection A of this section shall be known only to the employees of the participating agency who are responsible for control of the juvenile record information system or to individuals and agencies operating under a specific agreement with the participating agency to provide such security programs. The access controls shall be kept under maximum security conditions secure.

C. Computer operations, whether dedicated or shared, that support juvenile record information shall operate in accordance with procedures developed or approved by the department.

D. Juvenile record information shall be stored by the computer in such a manner that it cannot be modified, destroyed, accessed, changed, purged or overlaid in any fashion except via an approved system user account.

6VAC35-160-130. Security of telecommunications.

A. Ordinarily, dedicated telecommunications lines shall be required for direct or remote access to computer systems containing juvenile record information. However, the The department may permit the use of a nondedicated means of data transmission to access juvenile record information when there are adequate and verifiable safeguards in place to restrict access to juvenile record information to authorized persons. Industry standard levels of encryption shall be required to protect all juvenile record information moving through any network.

B. Where remote access of juvenile record information is permitted, remote access devices must be secure. Remote access devices capable of receiving or transmitting juvenile record information shall be secured during periods of operation. When the remote access device is unattended, the device shall be made inoperable for purposes of accessing juvenile record information.,by implementing a screen saver lockout period after a maximum of 15 minutes of inactivity  for devices as required by COV ITRM Standards SEC 501-08. In addition, appropriate identification of the remote access device operator shall be required.

C. The Telecommunications telecommunications connection facilities used in connection with the remote access device shall also be secured. The telecommunications Telecommunication connections facilities shall be reasonably protected from possible tampering or tapping.

6VAC35-160-150. Correcting errors.

Participating agencies shall immediately notify the appropriate VJJIS functional administrator data owner when it is found that incorrect information has been entered into the juvenile justice information system. The VJJIS functional administrator data owner will make arrangements to correct the information as soon as practicable in accordance with department procedures.

6VAC35-160-170. Information to be disseminated only in accordance with law and regulation.

A. In accordance with § 16.1-223 of the Code of Virginia, data stored in the Virginia Juvenile Justice Information System shall be confidential. Information from such data that identifies an individual juvenile may be released only in accordance with § 16.1-300 of the Code of Virginia, applicable federal law, and this regulation.

B. Unauthorized dissemination of juvenile record information will result in the disseminator's being subject to the administrative sanctions described in 6VAC35-160-380. Unlawful dissemination also may be prosecuted as a Class 3 misdemeanor under § 16.1-309 of the Code of Virginia or as a Class 2 misdemeanor under § 16.1-225 of the Code of Virginia.

C. Additional disclosure limitations are provided in the Health Insurance Portability and Accountability Act (42 USC §§ 1320d-5 and 1320d-6) and the federal substance abuse law (42 USC § 290dd2(f)).

6VAC35-160-180. Fees.

Participating agencies may charge a reasonable fee for search and copying time expended when an individual or a nonparticipating agency requests juvenile record information. The participating agency shall inform the requester of the fees to be charged, and shall obtain written agreement from the requester to pay such costs prior to initiating the search for requested information.

6VAC35-160-210. Determining requestor's eligibility to receive the information.

A. Upon receipt of a request for juvenile record information, an appropriately designated person shall determine whether the requesting agency or individual is eligible to receive juvenile record information as provided in § 16.1-300 of the Code of Virginia and this regulation.

B. The determination as to whether a person, agency or institution has a "legitimate interest" in a juvenile's case shall be based on the criteria specified in § 16.1-300 A (7) of the Code of Virginia.

C. When there is a request to disseminate health records or substance abuse treatment records, the person responding to the request shall determine whether the requested information is protected by the Health Insurance Portability and Accountability Act of 1996 or by the federal law on substance abuse treatment records (42 USC § 290dd-2 and 42 CFR Part 2), and may consult with designated department personnel in making this determination. Health records and substance abuse treatment records shall be disseminated only in strict compliance with the applicable federal statutory requirements.

6VAC35-160-220. Responding to requests.

A. Once it is determined that a requestor is entitled to juvenile record information, a designated individual shall inform the requestor of the procedures for reviewing the juvenile record information, including the general restrictions on the use of the data, when the record will be available, and any costs that may be involved.

B. When the request for juvenile record information is made by an individual's parent, guardian, legal custodian or other person standing in loco parentis, the request shall be referred to designated personnel of the department. (See 6VAC35-160-230.)

C. Before beginning the search for the requested juvenile record information, a designated individual shall inform the requester of any fees that will be charged pursuant to 6VAC35-160-180 and shall obtain the consent of the requester to pay any charges associated with providing the requested information.

DC. All records containing sensitive data (e.g. name, date of birth, social security number, address) shall be encrypted prior to electronic dissemination.  Except as provided in subsection B of this section, requested records shall be provided as soon as practicable, but in any case within seven ten business days unless compliance with other applicable regulations requires a longer response time.

ED. If the request for information is made to a participating agency and the participating agency does not have access to the particular information requested, the requestor shall be so notified and shall be told how to request the information from the appropriate source.

FE. Personnel of the participating agency shall provide reasonable assistance to the individual or his attorney to help understand the record.

GF. The person releasing the record shall also inform the individual of his right to challenge the record.

HG. If no record can be found, a statement shall be furnished to this effect.

6VAC35-160-260. Reporting unauthorized disseminations.

A. Participating agencies shall notify the department when they observe any violations of the above dissemination regulations. The department will investigate and respond to the violation as provided in law and this chapter.

B. A participating agency that knowingly fails to report a violation may be subject to an immediate audit of its entire dissemination log and procedures to ensure that disseminations are being appropriately managed.

Part IV
Challenge To and Correction of Juvenile Record Information

6VAC35-160-280. Challenge.

A. Individuals, or persons acting on an individual's behalf as provided for by law, may challenge their own juvenile record information by completing documentation provided by the department and forwarding it to the functional proponent data owner who is responsible for the applicable component of the the Virginia Juvenile Justice Information System as prescribed in department procedures.

B. When a record that is maintained by the VJJIS is challenged, both the manual and the automated record shall be flagged with the message "CHALLENGED RECORD." The individual shall be given an opportunity to make provide a brief written statement describing how the information contained in the record is alleged to be inaccurate. When a challenged record is disseminated while under challenge, the record shall carry both the flagged message and the individual's statement, if one has been provided.

C. The VJJIS functional administrator data owner or designee shall examine the individual's record to determine if a data entry error was made. If a data entry error is not obvious, the VJJIS functional administrator data owner shall send a copy of the challenge form and any relevant information to all agencies that could have originated the information under challenge, and shall ask them to examine their files to determine the validity of the challenge.

D. The participating agencies shall examine their source data, the contents of the challenge, and information supplied by the VJJIS for any discrepancies or errors, and shall advise the VJJIS functional administrator data owner of the results of the examination.

E. If a modification of a VJJIS record is required, the VJJIS functional administrator data owner shall ensure that the required change is made and shall notify all participating agencies that were asked to examine their records in connection with the challenge.

F. Participating agencies that, pursuant to 6VAC35-160-220, have disseminated an erroneous or incomplete record shall in turn notify all entities that have received the erroneous juvenile record information as recorded on the agency's dissemination log.

G. The participating agency that received the challenge shall notify the individual or person acting on the individual's behalf of the results of the challenge and the right to request an administrative review and appeal those results.

6VAC35-160-290. Administrative review of challenge results.

A. If not satisfied with the results of the challenge, the individual or those acting on his behalf may, within 30 calendar days, request in writing an administrative review of the challenge by the Director of the Department of Juvenile Justice department.

B. Within 30 days of receiving the written request for the administrative review, the Director of the Department of Juvenile Justice department, or a designee who is not the VJJIS functional administrator data owner who responded to the challenge, shall review the challenge, the findings of the review and the action taken by the VJJIS functional administrator data owner. If the administrative review supports correction of the juvenile record information, the correction shall be made as prescribed above.

6VAC35-160-300. Removal of a challenge designation.

When the challenge to the juvenile's record information has been resolved is determined to be correct, either as a result of a challenge or an administrative review of the challenge, the VJJIS functional administrator data owner shall notify the affected participating agencies to remove the challenge designation from their files.

Part V
Expungement

6VAC35-160-310. Expungement requirements.

When a court orders the expungement of an individual's juvenile records, all records and personal identifying information associated with the expungement order shall be destroyed in accordance with the court order. Nonidentifying information may be kept in databases or other aggregated files for statistical purposes.

6VAC35-160-320. Notification to participating agencies.

The VJJIS functional administrator data owner shall notify all participating agencies to purge their records of any reference to the person whose record has been ordered expunged. The notification shall include a copy of the applicable court order, along with notice of the penalties imposed by law for disclosure of such personal identifying information (see § 16.1-309 of the Code of Virginia).

6VAC35-160-330. Procedures for expunging juvenile record information.

A. Paper versions of records that have been ordered expunged shall be destroyed by shredding, incinerating, pulping or otherwise totally eradicating the record.

B. Computerized versions of records that have been ordered expunged shall be deleted from all databases and electronic files in such a way that the records cannot be accessed or recreated through ordinary use of any equipment or software that is part of the Virginia Juvenile Justice Information System and in accordance with the ITRM SEC 514-03
Removal of Electronic Data from Electronic Media standard.

C. If personal identifying information concerning the subject individual is included in records that are not ordered expunged, the personal identifying information relating to the individual whose records have been ordered expunged shall be obliterated on the original or a new document shall be created eliminating the personal identifying references to the individual whose record has been ordered expunged.

6VAC35-160-340. Confirmation notice required to VJJIS functional administrator data owner.

Within 30 calendar days of receiving expungement instructions from the VJJIS functional administrator data owner, the participating agency shall expunge the juvenile record information in accordance with 6VAC35-160-330 and shall notify the VJJIS functional administrator data owner when the records have been expunged. The notification to the VJJIS functional administrator data owner shall indicate that juvenile records were expunged in accordance with court order and shall not identify the juvenile whose records where expunged.

6VAC35-160-350. Expungement order received directly by participating agency.

When a participating agency receives an expungement order directly from a court, the participating agency shall promptly comply with the expungement order in accordance with 6VAC35-160-330 and shall notify the VJJIS functional administrator data owner of the court-ordered expungement. The VJJIS functional administrator shall data owner, upon receipt of such notification, shall contact the appropriate court and determine the validity of the notification. obtain a copy of the order from the appropriate court.

Part VI
Disposition of Records in the Juvenile Justice Information System

6VAC35-160-355. Record retention.

All records in the Virginia Juvenile Justice Information System shall be retained and disposed of in accordance with the applicable records retention schedules approved by the Library of Virginia. When a participating agency or a unit of a participating agency disposes of records in the physical possession of the participating agency or the unit of a participating agency, the person who disposes of such records shall notify the VJJIS functional administrator data owner to remove that same information from VJJIS.

Part VII
Enforcement

6VAC35-160-360. Oversight by the Department of Juvenile Justice.

A. The Department of Juvenile Justice department shall have the responsibility for monitoring compliance with this chapter and for taking enforcement action as provided in this chapter or by law.

B. The department shall have the right to audit, monitor, and inspect any facilities, equipment, software, systems or procedures established pursuant to this chapter.

6VAC35-160-390. Annual report to the board.

The department shall annually report to the board on the status of the Juvenile Justice Information System, including a summary of (i) any known security breaches and corrective actions taken; (ii) any audits conducted, whether random or for cause; and (iii) any challenges received alleging erroneous information and the outcome of any investigation in response to such a challenge.