Tag Archives: information technology

Maryland will soon deal with privacy stakeholders (and they CAN’T care about the GYRO method)

Just last week, I mentioned that the state of Utah appointed the Department of Government Operations’ first privacy officer. Now Maryland is getting into the act, and it’s worth taking a semi-deep dive into what Maryland is doing, and how it affects (or doesn’t affect) public safety.

By François Jouffroy – Christophe MOUSTIER (1994), Attribution, https://commons.wikimedia.org/w/index.php?curid=727606

According to Government Technology, the state of Maryland has created two new state information technology positions, one of which is the State Chief Privacy Officer. Because government, I will refer to this as the SCPO throughout the remainder of this post. If you are referring to this new position in verbal conversation, you can refer to the “Maryland skip-oh.” Or the “crab skip-oh.”

From https://teeherivar.com/product/maryland-is-for-crabs/. Fair use. Buy it if you like it. Virginians understand the origins of the phrase.

Governor Hogan announced the creation of the SCPO position via an Executive Order, a PDF of which can be found here.

Let me call out a few provisions in this executive order.

  • A.2. defines “personally identifiable information,” consisting of a person’s name in conjunction with other information, including but not limited to “[b]iometric information including an individual’s physiological or biological characteristics, including an individual’s deoxyribonucleic acid.” (Yes, that’s DNA.) Oh, and driver’s license numbers also.
  • At the same time, A.2 excludes “information collected, processed, or shared for the purposes of…public safety.”
  • But on the other hand, A.5 lists specific “state units” covered by certain provisions of the law, including both The Department of Public Safety and Correctional Services and the Department of State Police.
  • The reason for the listing of the state units is because every one of them will need to appoint “an agency privacy official” (C.2) who works with the SCPO.

There are other provisions, including the need for agency justification for the collection of personally identifiable information (PII), and the need to provide individuals with access to their collected PII along with the ability to correct or amend it.

But for law enforcement agencies in Maryland, the “public safety” exemption pretty much limits the applicability of THIS executive order (although other laws to correct public safety data would still apply).

Therefore, if some Maryland sheriff’s department releases an automated fingerprint identification system Request for Proposal (RFP) next month, you probably WON’T see a privacy advocate on the evaluation committee.

But what about an RFP released in 2022? Or an RFP released in a different state?

Be sure to keep up with relevant privacy legislation BEFORE it affects you.