Department of Natural Resources Policy -
Privacy Policy
Policy Number: 02:04
See signed policy - Adobe Acrobat file
I. Purpose
The purpose of this policy is to establish procedures for the collection and use of personal records in accordance with State Government Article §10-624 (2000 Supp.) A “personal record” is a public record that names or with reasonable certainty otherwise identifies an individual by an address, description, finger or voice print, number or picture.

II Scope
This policy applies to all units, programs and employees of the Maryland Department of Natural Resources (DNR) which collect any personal information from any customers past, present or future. It applies to anyone who plans to collect information about any customers or potential customers via any means, including verbal surveys, printed questionnaires and cards, kiosks, independent terminals and online.

This policy applies to all computer and network hardware (i.e. servers, desktop, notebooks, handheld and peripherals) that exceeds $500 in value and all software (i.e. off the shelf and custom) that requires a paid license

3.0 COLLECTION OF PERSONAL RECORDS

    A: POLICY

    DNR shall not collect or create personal records unless the need for the information is clearly established:

    • The personal record collected shall be relevant to the purposes for which they are collected,
    • The personal record shall be accurate and current; and
    • The personal record may not be collected or created by fraudulent or misleading means.

    B: PROCEDURES

    Questionnaires or surveys that request personal information must be submitted to the Internet and eGovernment Manager for review and approval. The request for approval should contain a justification that clearly establishes the need for the information and demonstrates that the record is relevant for the purpose for which it is to be collected.

    A DNR employee requesting personal information must notify the person providing the information of:

    • The consequence of refusing to provide the personal information, and
    • The right to inspect and correct personal records (a contact name and information will be listed for this purpose).

    The employee must also advise the person that the information will not be used except in carrying out our functions as a government agency.

    The above notification may be contained on the printed or on line questionnaire.

    C: REPORTS

    The Internet and eGovernment Manager will prepare an annual report to the Department of Budget and Management listing the databases of information being collected, the custodian’s name and contact information, and the security in place to protect such data, forms, or whatever media form in which it exists.

4.0 USE AND DISCLOSURE OF PERSONAL RECORDS

    A: POLICY

    The Department will not use or disclose a personal record except for use in carrying out its governmental functions.

    B: PROCEDURES

    The Department will adopt a regulation to give this policy the force of law. The State Government Article, §10-617(c) (2000 Supp.) allows an agency to define and deny inspection of “sociological information.” The new regulation, COMAR 08.01.06.06(G) will read as follows:

    “Except for use in carrying out its governmental functions, the custodian shall not disclose, and shall deny inspection or copying of, any part of a public record that contains sociological information relating to an individual.” For purpose of this section, sociological information means:
    1. Social security number;
    2. Personal address;
    3. Personal telephone number;
    4. Personal e-mail address;
    5. Medical history;
    6. Educational history;
    7. Work history;
    8. Military service;
    9. Financial information;
    10. Religious preference, membership, and attendance;
    11. Personal relationships; beliefs and values;
    12. Genealogical charts; and
    13. Family history.
5.0 RESPONSIBILITIES

The Chief of Information Technology Service of the Maryland Department of Natural Resources in conjunction with the Internet and eGovernment Manager shall be responsible for implementing this policy. This responsibility includes developing a guidelines and a process for developing customer satisfaction and service delivery measurement processes.

6.0 REFERENCES

  • Public Information Act Manual, Eighth Edition, December, 2000 eMaryland Technology Website http://www.techmd.state.md.us State of Maryland Data Security Policy
  • State of Maryland. Executive Order 01.01.1983.18, “Privacy and State Data System Security” http://www.usmh.usmd.edu/datasec/execord.html
  • Privacy Act of 1974, United States Code 552a. http://www.accessreports.com/statutes/PA.htm
  • State of Maryland Privacy Act of 2000. SB199/HB277 http://mlis.state.md.us/2000rs/billfile/sb0199.htm
  • Annotated Code of Maryland, State Government Article §27, Sections 45A and 146
  • Annotated Code of Maryland, State Government Article §10-611 through 10-701
  • United States Criminal Code 1030, “Fraud and Related Activity in Connection with Computers”
  • Public law 100-235, “Computer Security Act of 1987”
  • World Wide Web Consortium (W3C). “Platform for Privacy Preference Guiding Principles” http://www.w3.org/P3P
  • On-line Privacy Alliance. “Guidelines for Online Privacy Policies” http://www.privacyalliance.org/resources/ppguidelines.shtml
  • U.S. Office of Management and Budget. “Guidance and Model Language for Federal Web Site Privacy Policies” http://www.state.oh.us/das/dcs/opp/privacy.htm http://www.whitehouse.gov/omb/memoranda/m99-18attach.html
  • Washington State Model Privacy Notice. http://www.wa.gov/dis/e-gov/architecture/FinalPrivacyModel.htm
Wilson Parran Chief of Information Technology
Posted June 18, 2002