Can I use third-party collaboration tools that collect personal information in Maryland? What are the requirements?

Third-Party Collaboration Tools and Personal Information Collection Requirements in Maryland

If you are planning to use third-party collaboration tools that collect personal information in Maryland, you must comply with the state’s regulations on the disclosure of personal information. According to MDCR 13A.11.06.14, the Division may disclose personal information in connection with an audit or evaluation for purposes directly related to the administration of the Division’s programs if the person conducting the audit or evaluation assures that the information will be used only for the purposes for which it is provided and will be disclosed only to persons officially connected with the audit or evaluation. The personal information must also be managed in a manner to protect confidentiality and to prevent unauthorized disclosure.

If you plan to use personal information for research purposes, you must comply with the requirements outlined in MDCR 13A.11.06.14. The Division may disclose personal information in connection with research which would significantly improve the quality of life for persons with disabilities. The person conducting the research must submit a written request to the Division which describes the purpose of the research, whether the findings will be published, the nature of the personal information requested, and the safeguards that shall be taken to protect the confidentiality of the information. The Division shall require the person conducting the research to make an agreement to protect the confidentiality of personal information in accordance with State Government Article, §10-624(c), Annotated Code of Maryland.

If you plan to collect nonpublic personal health information, you must comply with the requirements outlined in MDCR 31.16.08.18. A valid authorization to disclose nonpublic personal health information pursuant to this regulation shall be in written or electronic form and shall contain the identity of the consumer or customer who is the subject of the nonpublic personal health information, a general description of the types of nonpublic personal health information to be disclosed, general descriptions of the parties to whom the licensee discloses nonpublic personal health information, the purpose of the disclosure, and how the information will be used. The authorization shall also specify a length of time for which the authorization shall remain valid, which may not be for more than 24 months.

If you plan to perform fingerprinting services and demographic data collection for non-criminal justice purposes, you must comply with the requirements outlined in MDCR 12.15.05.03. The Central Repository may authorize a private provider to perform fingerprinting services and demographic data collection for a request for a criminal history records check for non-criminal justice purposes. The Central Repository shall establish minimum administrative and operational requirements for private providers to perform fingerprinting services and demographic data collection for non-criminal justice purposes.

If you plan to enter into a private provider agreement with or issue an original or renewal authorization certificate to a private provider, you must comply with the requirements outlined in MDCR 12.15.05.05. Before the Central Repository enters into a private provider agreement with or issues an original or renewal authorization certificate to a private provider, the Central Repository shall review a private provider’s location plan. A private provider’s location plan, at a minimum, shall have a Livescan machine that is approved by the Central Repository, a waiting area that includes a reception desk and seating for individuals requesting a criminal history records check, a method of securing and maintaining records that meets Central Repository requirements, and electronic connections, electric power supply, and office climate control that meet manufacturer and Central Repository requirements.

In summary, if you plan to use third-party collaboration tools that collect personal information in Maryland, you must comply with the state’s regulations on the disclosure of personal information, nonpublic personal health information, and fingerprinting services and demographic data collection for non-criminal justice purposes. You must also comply with the Central Repository’s requirements for private providers.

Jurisdiction

Maryland

• Privacy