VAWA to Place Privacy Requirements on Providers Treating Domestic Abuse Victims
In 1994, the Violence Against Women Act (the “VAWA”) became the first federal law to focus specifically on domestic abuse. Over the past 25 years, the VAWA has evolved with new amendments reflecting our evolving society. Beginning in 2005, the amendments began to place specific privacy obligations on the providers receiving VAWA grant funding. Compliance with these provisions is crucial, as the penalties for non-compliance could lead to a loss of funding that consequently could cripple the operations of providers subject to the law. The key privacy provisions of the VAWA concerning which providers should be aware are the following:
- Scope of VAWA
- Confidentiality of Personal Information
- Intersections with Local and State Laws
Scope of VAWA
Under the VAWA, grantees and subgrantees of funding are subject to the law’s confidentiality provisions. In addition, partners of grantees or subgrantees may be subject to the law if they are receiving funds under the same grant. To be clear though, partners who do not receive VAWA funding are not subject to the law. However, it is in the best interests of these partners to consider opting-in to the requirements of the law since the provisions are guidelines for the best practices in handling victims’ data. Additionally, it generally would be wise for grantees and subgrantees under the VAWA to place a duty to opt-in to the requirements of the VAWA in their agreements with any vendors or other partners.
Confidentiality of Personal Information
Those subject to the VAWA are charged with maintaining the privacy of the data of each victim that they collect. Personal information under the VAWA is described as follows:
information about an individual that may directly or indirectly identify that individual. In the case of a victim of domestic violence, dating violence, sexual assault, or stalking, it also means information that would disclose the location of that individual. Personally identifying information includes information such as an individual’s name, address, other contact information, and social security number, but it also can include information such as an individual’s race, birth date, or number of children if, in the particular circumstances, that information would identify the individual. Personally identifying information also may include information that is encoded, encrypted, hashed, or otherwise protected.
To ensure confidentiality of the personal information mentioned above, those subject to the VAWA must follow several guidelines. The most pertinent of those guidelines is that the provider may not disclose, reveal, or release personally identifying information collected in connection with their services. This holds true even when the victim was denied services. To disclose that information, the provider must receive the written, informed, and reasonably time-limited consent of the individual.
Intersections with Local and State Laws
Providers must meet multiple requirements for compliance under the VAWA to qualify for and receive grant funding. However, these requirements may interfere with the reporting laws of both state and local governments. For this reason, the VAWA has two exceptions to its confidentiality requirements:
- when a statute compels information to be released; or
- when a court compels information to be released.
Even when these confidentiality exceptions do apply, the VAWA requires that the grantee or subgrantee make an attempt to provide notice to the affected individuals as well as to take measures to protect the privacy and safety of persons affected by the release of that information.
Currently, the VAWA is being held in abeyance, waiting to be passed back into law after lapsing this past February. In the meantime, it would behoove providers to assess their compliance under the VAWA privacy standards. Our experienced attorneys at Dickie, McCamey & Chilcote, P.C. will continue to monitor the evolving landscape of compliance under the VAWA. Our Tech & Data Group has advised clients on consumer privacy regulation compliance for years. If you have any questions or concerns, please contact us. We will be happy to work with you and to help equip your company for compliance in this evolving area.
Jason L. Ott, Esq.
Derrick L. Maultsby, Jr.
The material on this site is for general informational purposes only and is not intended to be, and should not be construed to be, legal advice. There shall be no liability accepted as a result of any improper reliance on the material on this site. A qualified lawyer should always be consulted with regard to any specific legal issue or problem.