Maryland Code § LG-31-107

Section LG-31-107
(a) (1) The manager shall promptly review any query requested by a
provider.
(2) The manager may run queries for individuals or entities that are
not providers.
(b) Before approving a query, the manager, with assistance from technical
experts identified by the executive committee, shall conduct an in-depth review of
the proposed query for consistency with authorized purposes, alignment with
evidence-based standards for equitable, ethical, and methodologically appropriate
inquiries, and assessment of the benefits for and impact on the greater Baltimore
City community.
(c) Before providing any data in response to a query, the manager shall
obtain written approval from any provider of data to confirm that there is no
reasonable basis to believe that de-identified data provided in response to a query
could be used by a data recipient to successfully link de-identified data to a particular
individual, based on the size or uniqueness of the population under consideration in
the query, or otherwise.
(d) The manager shall ensure that the data management system and
provided data are secure using security standards and protocols that address, at a
minimum, data security and access, security incident and disaster recovery
procedures, and recording and monitoring of system activity.
(e) The manager shall maintain appropriate administrative, physical, and
technical safeguards that protect privacy, confidentiality, integrity, and availability
of any data in compliance with the federal Family Educational Rights and Privacy
Act and other relevant privacy laws and policies, including:
(1) the required use of de-identified data in data research and
reporting;
(2) the required disposition of data that is no longer needed;
(3) providing data security, including the capacity for audit trails;
(4) providing for the performance of regular audits for compliance
with data privacy and security standards; and
(5) implementing guidelines and policies that prevent the reporting
of other potentially personally identifiable information.
(f) The manager shall ensure that a query of the data management system:
(1) results in disclosure of only aggregated de-identified data or
aggregated de-identified data reports to a data recipient; and
(2) does not reveal personally identifiable information to a data
recipient.
(g) On request, the manager may provide technical assistance to data
recipients regarding data received from the Baltimore City Youth Data Hub.
(h) (1) The manager and any data recipients may not:
(i) attempt to re-identify de-identified data; or
(ii) disclose, release, or report data in any form that may result
in the re-identification of de-identified data.
(2) This subsection may not be construed to interfere with a data
recipient's continued use of or reliance on personally identifiable information
provided to the Baltimore City Youth Data Hub.



Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.