Website Privacy Notice

 
The Maryland State Department of Education (MSDE) is committed to protecting the privacy and accuracy of personal information. As such, we embrace the Fair Information Privacy Principles (FIPPs) when it comes to you, your personal data, and how your personal data is used. These principles are as follows:

Collection Limitation:  Collection of your personal data is limited to only what is necessary.

Data Quality:  Collection of your personal data should be accurate, complete, and current.

Purpose Specification:  The purpose for collection of your personal data will be disclosed before collection and upon any change.

Use Limitation:  Your personal data will not be disclosed other than for the purpose specified.

Security Safeguard:  Your personal data is protected with reasonable safeguards.

Openness:   You will be informed of our privacy policies and practices.

Individual Participation:  You will know about your rights (access, opt-out, correction, challenge).

Accountability:  We are accountable for abiding by our own privacy policies.
Contents

About This Privacy Notice
Personal Data We Collect
Data Types We Collect
MSDE Regulatory, Statutory, or Privacy Industry Standards
Why We Collect Your Personal Data
Sharing Your Personal Data
Children’s Privacy
Retaining and Deleting Your Personal Data
Your Rights
About Cookies
Managing Cookies
Privacy Notice Updates
Our Details
Representatives
 
   

 

 

About this Privacy Notice

  This notice is required by law.  As of July 29, 2021, Executive Order 01.01.2021.20, Maryland Data Privacy, was signed into law.  It outlines the responsibilities and collaboration between privacy, data, and security.  Privacy is the proper collection and dissemination of your personal data.  Data management refers to how your personal data is ingested, stored, organized, and maintained.  Security is about establishing and maintaining the security of data and systems.
   
  With this in mind, MSDE promises transparency and openness to our website visitors, service users, and individual customers.  In general, for each type of personal data we collect, we will communicate:
 
  • Purposes and legal authority for collecting
  • How the information will be shared and legal authority, if applicable
  • Recipients of the personal data
  • Any rights that you have to
    • Review the personal data shared
    • Decline the sharing of your personal data

This notice applies where we are acting as a data owner of your personal data.  A data owner is accountable for the data and responsible for ensuring its governance across systems and lines of business.   For example, we must ensure that if your personal data is shared with a third party, the third party adheres to the same level of privacy standards as we do.
 

 

 

Data Types We Collect

  As the data owner, MSDE collects personal data about you, our website visitor.  This data is categorized by type and typically falls into one or more regulatory, statutory, or privacy industry standards.
 
   

 

 

  Contact Data:  We may process data enabling us to get in touch with you.  The contact data may include your name, email address, telephone number, postal address and/or social media account identifiers.  The source of the contact data is you and/or your employer.  If you log into our website using a social media account, we will obtain elements of the contact data from the relevant social media account provider.  
 
Account Data:  We may process your website user account data.  The account data may include your account identifier, name, email address, business name, account creation and modification dates, website settings, and marketing preferences.  The primary source of the account data is you and/or your employer, although some elements of the account data may be generated by our website.  If you log into our website using a social media account, we will obtain elements of the account data from the relevant social media account provider.
 
 
Transaction Data:  We may process information relating to transactions, including purchases of goods and/or services, that you enter into with us and/or through our website.  The transaction data may include your name, your contact details, your payment card details (or other payment details) and the transaction details.  The source of the transaction data is you and/or our payment services provider.
 
 
Communication Data:  We may process information contained in or relating to any communication that you send to us or that we send to you.  The communication data may include the communication content and metadata associated with the communication.  Our website will generate the metadata associated with communications made using the website contact forms.
 
 
Usage Data:  We may process data about your use of our website and services.  The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths as well as information about the timing, frequency and pattern of your service use.  The source of the usage data is our analytics tracking system.
 

 

 

MSDE Regulatory, Statutory, or Privacy Industry Standards

  Maryland Protection of Information by Government Agencies (MD PIGA):  MD State Govt Code §10-1301 defines Personally Identifiable Information (PII) as information that can be used to distinguish or trace an individual’s identity, when combined with other personal or identifying information to a specific individual.  Examples of PII are name, social security number (SSN), address, phone number, email address, and biometric data (e.g., fingerprints).
 
Health Insurance Portability and Accountability Act (HIPAA): Federal law that requires the protection of sensitive patient health information (PHI) from being disclosed without the patient’s consent or knowledge.  HIPAA governs PHI created, received, stored, or transmitted by HIPAA covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services.
 
 
Internal Revenue Service Publication 1075 (IRS-1075):  Federal law that requires the protection of federal tax returns and return information.  IRS-1075 governs federal tax information, e.g., tax return information, received directly from the IRS or obtained through an authorized secondary source, such as the Social Security Administration (SSA), Federal Office of Child Support Enforcement (OCSE), Bureau of the Fiscal Service (BFS), or Centers for Medicare and Medicaid Services (CMS), or other entity acting on behalf of the IRS pursuant to an IRC 6103(p)(2)(B) Agreement.
 
 
Family Educational Rights and Privacy Act (FERPA):  Federal law that protects the privacy of student education records.  FERPA applies to all schools that receive funds under an applicable program of the U.S. Department of Education. 
 
 
The Payment Card Industry Data Security Standard (PCI DSS):  Information security standard for organizations that handle branded credit cards from the major card schemes. PCI DSS governs personal data associated with an individual cardholder that uses credit, debit and/or cash cards for monetary transactions.  Any state organization that collects and/or processes credit card information must abide by PCI DSS.
 
 
Criminal Justice Information Services (CJIS):  Division of the United States Federal Bureau of Investigation (FBI).  CJIS governs data that is collected and protected by the FBI but is accessible to local and state law enforcement organizations.  Local and state organizations that have access to CJIS data must comply with the CJIS security requirements to protect it.
 
 
Children's Online Privacy Protection Act (COPPA):  Federal law that imposes specific requirements on websites, apps, and other online services directed to children under 13 years of age.  Sites must provide a privacy policy that states whether the site collects personal information, how the information is used, and whether the information is shared with third parties.  COPPA requires the site to state, “We are prohibited from conditioning a child’s participation in an activity on the child’s disclosing more personal information than is reasonably necessary for the activity” and the site must inform parents of their right to review, have deleted, and refuse the further collection and use of their children’s personal information.
 
 
General Data Protection Regulation (GDPR):  European Union (EU) regulation requiring data protection and privacy of individuals who are located in the European Economic Area (EEA).  GDPR applies to all organizations, public and private, that store or process the personal data of EU residents.
 

 

 

Why We Collect Your Personal Data

  In our quest to be transparent and open, we are providing you with the various reasons why we may process your personal data and the legal basis for the processing.  
 
Operations:  We may collect your personal data for the purposes of operating our website, the processing and fulfillment of orders, providing our services, supplying our goods, generating invoices, bills and other payment-related documentation and credit control.  The legal basis for this processing is our legitimate interest, namely the proper administration of our website, services and business or the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
 
 
Publications:  We may process account data for the purposes of publishing such data on our website and elsewhere through our services in accordance with your express instructions.  The legal basis for this processing is consent or our legitimate interests, namely the publication of content in the ordinary course of our operations or the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.
 
 
Relationships and communications:  We may process contact data, account data, transaction data and/or communication data for the purposes of managing our relationships, communicating with you (excluding communicating for the purposes of direct marketing) by email, SMS, post, fax and/or telephone, providing support services and complaint handling.  The legal basis for this processing is our legitimate interests, namely communications with our website visitors, service users, individual customers and customer personnel, the maintenance of relationships, and the proper administration of our website, services and business.
 
 
Direct marketing:  We may process contact data, account data and/or transaction data for the purposes of creating, targeting and sending direct marketing communications by email, SMS, post and/or fax and making contact by telephone for marketing-related purposes.  The legal basis for this processing is consent or our legitimate interests, namely promoting our business and communicating marketing messages and offers to our website visitors and service users.
 
 
Research and analysis:  We may process usage data and/or transaction data for the purposes of research and analyzing the use of our website and services as well as researching and analyzing other interactions with our business.  The legal basis for this processing is consent or our legitimate interests, namely monitoring, supporting, improving and securing our website, services and business generally.
 
 
Record keeping:  We may process your personal data for the purposes of creating and maintaining our databases, back-up copies of our databases and our business records generally.  The legal basis for this processing is our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run our business in accordance with this notice.
 
 
Security:  We may process your personal data for the purposes of security and the prevention of fraud and other criminal activity.  The legal basis of this processing is our legitimate interests, namely the protection of our website, services and business, and the protection of others.
 
 
Insurance and risk management:  We may process your personal data where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice.  The legal basis for this processing is our legitimate interests, namely the proper protection of our business against risks.
 
 
Legal compliance and vital interests: We may also process your personal data where such processing is necessary for compliance with a legal obligation to which we are subject or in order to protect your vital interests or the vital interests of another natural person.
 

 

 

Sharing Your Personal Data

  In our quest to be transparent and open, we are providing you with the various reasons why we may share your personal data and how your personal data may be shared.  
 
Insurance providers:  We may disclose your personal data to our insurers and/or professional advisors when necessary for the purpose of obtaining or maintaining insurance coverage, managing risks, or obtaining professional advice.
 
 
Hosting service providers:  Your personal data, held in our website database, will be stored on the servers of our hosting services providers.
 
 
Suppliers and subcontractors:  We may disclose your personal data to our suppliers and subcontractors insofar as reasonably necessary for the purposes of providing agreed upon services.
 
 
Payment service providers:  Financial transactions relating to our website and services are or may be handled by our payment services providers. We will share transaction data with our payment services providers only to the extent necessary for the purposes of processing your payments, refunding such payments and dealing with complaints and queries relating to such payments and refunds.
 
 
Legal authorities:  We may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject or in order to protect your vital interests or the vital interests of another natural person.  We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
 

 

 

Children’s Privacy

  Children's Online Privacy Protection Act (COPPA) imposes specific requirements on websites, apps, and other online services directed to children under 13 years of age.  As it relates to COPPA, MSDE is prohibited from conditioning a child’s participation in an activity on the child’s disclosing more personal information than is reasonably necessary for the activity.  Parents have the right to review, have deleted, and refuse the further collection and use of their children’s personal data.  
   
 
MSDE’s website and associated services may contain content appropriate for children under the age of 13.  As a parent, you should know that children under the age of 13 may participate in activities that involve the collection or use of personal information.  We use reasonable efforts to ensure that before we collect any personal information from a child, the child’s parent receives notice of and consents to our personal information collection practices. 
 
 
We limit the collection, use, and storage of personal data of users between 13 and 18 years old.  In some cases, this means MSDE will be unable to provide certain functionality or service to these users unless parents grant consent beforehand.
 
 
In order to identify children under age 13 and users between 13 and 18 years old, MSDE may ask a user to verify their birth date before collecting personal information.  If the user is under the age of 13 the service will be either blocked or redirected to a parental consent process.
 
 
Before parental consent, MSDE may collect and store persistent identifiers such as cookies or IP addresses from children for the purpose of supporting the internal operation of the services.
 
 
After parental consent is granted, MSDE may collect and store other personal information about children if this information is submitted by a child or by the parent or guardian of the child.  MSDE may collect and store the following types of personal data about a child:
 
 
  • First and last name
  • Date of birth
  • Gender
  • Grade level
  • Email address
  • Telephone number
  • Parent’s or guardian’s name
  • Parent’s or guardian’s email address
 
 
A parent who has already given MSDE permission to collect and use their child’s personal data can at any time
 
 
  • Review, correct or delete the child's personal information, and/or
  • Discontinue further collection or use of the child’s personal information.
 
 
Parents and guardians of children may exercise rights in relation to their child’s personal data by written notice to us using the contact details set out below.
 
 
Mail:  Nancy S. Grasmick State Education Building; 200 W. Baltimore St.; Baltimore, MD  21201
Attn: Data Governance and Privacy Officer
 
 
Website contact form
 
 
Email: privacy.msde@maryland.gov
 

 

 

Retaining and Deleting Your Personal Data

  In our quest to be transparent and open, we are providing you with our data retention policies and procedures which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of your personal data. Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. We will retain your personal data as follows:  
 
General Files:  Will be retained for three years and until all audit requirements are met, and then destroyed.
 
 
Permanent Records:  Will be permanent and transferred to State Archives.
 
 
Miscellaneous Records:  Will be retained until no longer needed by the office and then destroyed.
 

 

 

Your Rights

  Fair Information Privacy Principles (FIPPs) are built into many privacy laws and regulatory frameworks, including MSDE’s .  Your principal rights under data protection laws (subject to certain limitations and exceptions) are:
 
  • Right to access:  you can ask for copies of your personal data.
  • Right to recertification:  you can ask us to recertify inaccurate personal data and to complete incomplete personal data.
  • Right to erasure:  you can ask us to erase your personal data.
  • Right to restrict processing:  you can object to the processing of your personal data.
  • Right to object to processing:  you can object to the processing of your personal data.
  • Right to data portability:  you can ask that we transfer your personal data to another organization or to you.
  • Right to complain to a supervisory authority:  you can complain about our processing of your personal data.
  • Right to withdraw consent:  to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent.

 
  You may exercise any of your rights in relation to your personal data by written notice to us using the contact details set out below.  
 
Mail:  Nancy S. Grasmick State Education Building; 200 W. Baltimore St.; Baltimore, MD  21201
Attn: Data Governance and Privacy Officer
 
 
Website contact form
 
 
Email:   privacy.msde@maryland.gov
 

 

 

About Cookies

  A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.  Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.  Cookies may not contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.  We use cookies for the following purposes:  
 
Authentication and status:  We use cookies to identify you when you visit our website and as you navigate our website, and to help us determine if you are logged into our website.
 
 
Shopping cart:  We use cookies to maintain the state of your shopping cart as you navigate our website.
 
 
Personalization: We use cookies to store information about your preferences and to personalize our website for you.
 
 
Security:  We use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials and to protect our website and services generally.
 
 
Advertising: We use cookies to help us to display advertisements that will be relevant to you.
 
 
Analysis:  We use cookies to help us to analyze the use and performance of our website and services.
 
 
Cookie consent: We use cookies to store your preferences in relation to the use of cookies more generally.
 
 
Service provider cookies: Our service providers use cookies, and those cookies may be stored on your computer when you visit our website.
 
 
Google Analytics: We use Google Analytics to gather information about the use of our website by means of cookies. The information gathered is used to create reports about the use of our website.
 

 

 

Managing Cookies

  Most browsers allow you to refuse to accept cookies and to delete cookies.  The methods for doing so vary from browser to browser and from version to version.  You can however obtain up-to-date information about blocking and deleting cookies via these links:  
 
Chrome:  https://support.google.com/chrome/answer/95647
 
 
Firefox:  https://support.mozilla.org/en-US/kb/enhanced-tracking-protection-firefox-desktop
 
 
Microsoft Edge:  https://support.microsoft.com/en-gb/windows/microsoft-edge-browsing-data-and-privacy-bb8174ba-9d73-dcf2-9b4a-c582b4e640dd
 
 
Safari:  https://support.apple.com/en-gb/guide/safari/sfri11471/mac
 
 
Note that blocking all cookies will have a negative impact upon the usability of many websites.  If you block cookies, you will not be able to use all the features on our website.
 

 

 

Privacy Notice Updates

  We may update this notice from time to time by publishing a new version on our website. You should check this page occasionally to ensure you are happy with any changes to this notice. We may notify you of significant changes to this notice.  

 

 

Our Details

  This website is owned and operated by The Maryland State Department of Education (MSDE).  Our principal place of business is at 200 W. Baltimore St.; Baltimore, MD  21201.  
 
Mail:  Nancy S. Grasmick State Education Building; 200 W. Baltimore St.; Baltimore, MD  21201
Attn: Data Governance and Privacy Officer
 
 
Website contact form
 
 
Telephone:  (410) 767-0049
 
 
Email:  privacy.msde@maryland.gov
 

 

 

Representatives

  Our representative within the Maryland State Department of Education with respect to our obligations under data privacy law is Kimberly June, Data Governance and Privacy Officer.  You can contact our representative by email at privacy.msde@maryland.gov.
 
(last updated 8/18/2022)
 

 

 

Sources

  Note: Parts of this website privacy notice were created using a template from Docular (https://seqlegal.com/free-legal-documents/privacy-policy).