(a) In this section, “personal record” means a public record that names or, with reasonable certainty, otherwise identifies an individual by an identifying factor such as:
(1) an address;
(2) a description;
(3) a fingerprint or voice print;
(4) a number; or
(5) a picture.
(b) (1) Personal records may not be created unless the need for the information has been clearly established by the unit collecting the records.
(2) Personal information collected for personal records:
(i) shall be appropriate and relevant to the purposes for which it is collected;
(ii) shall be accurate and current to the greatest extent practicable; and
(iii) may not be obtained by fraudulent means.
(c) (1) This subsection applies only to units of the State.
(2) Except as otherwise provided by law, an official custodian who keeps personal records shall collect, to the greatest extent practicable, personal information from the person in interest.
(3) An official custodian who requests personal information for personal records shall provide the following information to each person in interest from whom personal information is collected:
(i) the purpose for which the personal information is collected;
(ii) any specific consequences to the person for refusal to provide the personal information;
(iii) the person’s right to inspect, amend, or correct personal records, if any;
(iv) whether the personal information is generally available for public inspection; and
(v) whether the personal information is made available or transferred to or shared with any entity other than the official custodian.
(4) Each unit of the State shall post its privacy policies on the collection of personal information, including the policies specified in this subsection, on its Internet website.
(5) The following personal records are exempt from the requirements of this subsection:
(i) information concerning the enforcement of criminal laws or the administration of the penal system;
(ii) information contained in investigative materials kept for the purpose of investigating a specific violation of State law and maintained by a State agency whose principal function may be other than law enforcement;
(iii) information contained in public records that are accepted by the State Archivist for deposit in the Maryland Hall of Records;
(iv) information gathered as part of formal research projects previously reviewed and approved by federally mandated institutional review boards; and
(v) any other personal records exempted by regulations adopted by the Secretary of Budget and Management, based on the recommendation of the Secretary of Information Technology.
(d) (1) This subsection does not apply to:
(i) a unit in the Legislative Branch of the State government;
(ii) a unit in the Judicial Branch of the State government; or
(iii) a board of license commissioners.
(2) If a unit or an instrumentality of the State keeps personal records, the unit or instrumentality shall submit an annual report to the Secretary of General Services.
(3) An annual report shall state:
(i) the name of the unit or instrumentality;
(ii) for each set of personal records:
1. the name of the set;
2. the location of the set; and
3. if a subunit keeps the set, the name of the subunit;
(iii) for each set of personal records that has not been previously reported:
1. the category of individuals to whom the set applies;
2. a brief description of the types of information that the set contains;
3. the major uses and purposes of the information;
4. by category, the source of information for the set; and
5. the policies and procedures of the unit or instrumentality as to:
A. access and challenges to the personal record by the person in interest; and
B. storage, retrieval, retention, disposal, and security, including controls on access; and
(iv) for each set of personal records that has been disposed of or changed significantly since the unit or instrumentality last submitted a report, the information required under item (iii) of this paragraph.
(4) A unit or an instrumentality that has two or more sets of personal records may combine the personal records in the report only if the character of the personal records is highly similar.
(5) The Secretary of General Services shall adopt regulations that govern the form and method of reporting under this subsection.
(6) The annual report shall be available for public inspection.
(e) The official custodian may allow inspection of personal records for which inspection otherwise is not authorized by a person who is engaged in a research project if:
(1) the researcher submits to the official custodian a written request that:
(i) describes the purpose of the research project;
(ii) describes the intent, if any, to publish the findings;
(iii) describes the nature of the requested personal records;
(iv) describes the safeguards that the researcher would take to protect the identity of the persons in interest; and
(v) states that persons in interest will not be contacted unless the official custodian approves and monitors the contact;
(2) the official custodian is satisfied that the proposed safeguards will prevent the disclosure of the identity of persons in interest; and
(3) the researcher makes an agreement with the unit or instrumentality that:
(i) defines the scope of the research project;
(ii) sets out the safeguards for protecting the identity of the persons in interest; and
(iii) states that a breach of any condition of the agreement is a breach of contract.