As others have so eloquently pointed out, you have not declared the variable so that it is visible. I'd like to take this opportunity to address another couple of potential problems with your code though.
First of all, you are relying on the querystring to pass in information; this means that you need to be aware that this code is open to a query string injection attack on an unpatched internet server.
Secondly, you are missing the equals sign between &department and the variable, and &location and the variable.
Third, you need to ensure that you have UrlEncoded the parameters so that they are actually valid.
So, how to get round the querystring issues. Well, here's a quick sample I've knocked together in the answer editor here (it may need some tweaking, but you should get the idea).
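    using System;
    using System.Collections.Generic;
    using System.Security.Cryptography;
    using System.Text;
    using System.Web;

    public static class Utility
    {
        // Builds "key=value&..." with URL-encoded values, then appends a hash of it as "d".
        public static string CreateSecuredParameters(Dictionary<string, string> parameters)
        {
            StringBuilder queryString = new StringBuilder();
            string keyValue = string.Empty;
            foreach (KeyValuePair<string, string> parameter in parameters)
            {
                queryString.AppendFormat("{0}{1}={2}", keyValue, parameter.Key, HttpUtility.UrlEncode(parameter.Value));
                keyValue = "&";
            }
            // The hash covers everything appended so far.
            queryString.AppendFormat("{0}d={1}", keyValue, ComputeHash(queryString.ToString()));
            return queryString.ToString();
        }

        // Hashes the query string wrapped in the secret salt (salt + query + salt).
        private static string ComputeHash(string queryString)
        {
            string salt = "C0d39r0j3ct1sF4bul0us";
            queryString = string.Format("{0}{1}{0}", salt, queryString);
            MD5CryptoServiceProvider md5 = new MD5CryptoServiceProvider();
            byte[] hashed = md5.ComputeHash(new UTF8Encoding().GetBytes(queryString));
            // Note: Base64 output can contain '+' and '/', which are not query-string safe as-is.
            return Convert.ToBase64String(hashed).TrimEnd('=');
        }
    }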
This code isn't perfect because it doesn't prevent replay attacks; you can add an expiration time to the salt to accomplish this, but that would affect how spiders index your site. It's up to you how far you want to take this.
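The receiving side and the expiry idea mentioned above, as an added example that is not part of the original answer. It swaps the salted MD5 for HMAC-SHA256, and the names `SignedQuery`, `exp`, and the demo key are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class SignedQuery
{
    // Constructed demo key (assumption); load a real key from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key");
    private static string Mac(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "");
    }
    // Appends an expiry ("exp", Unix seconds) and a hex HMAC ("d") over the encoded, sorted pairs.
    public static string Sign(IDictionary<string, string> parameters, DateTimeOffset expires)
    {
        var all = new SortedDictionary<string, string>(parameters, StringComparer.Ordinal);
        all["exp"] = expires.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture);
        string payload = string.Join("&", all.Select(p => Uri.EscapeDataString(p.Key) + "=" + Uri.EscapeDataString(p.Value)));
        return payload + "&d=" + Mac(payload);
    }
    // Takes the raw (still encoded) query string; checks the MAC first and only then trusts "exp".
    public static bool Verify(string query, DateTimeOffset now)
    {
        int cut = query.LastIndexOf("&d=", StringComparison.Ordinal);
        if (cut < 0) return false;
        string payload = query.Substring(0, cut);
        string given = query.Substring(cut + 3), expected = Mac(payload);
        int diff = given.Length ^ expected.Length;          // constant-time comparison
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ (i < given.Length ? given[i] : '\0');
        if (diff != 0) return false;
        foreach (string pair in payload.Split('&'))
            if (pair.StartsWith("exp=", StringComparison.Ordinal))
                return long.TryParse(pair.Substring(4), NumberStyles.None, CultureInfo.InvariantCulture, out long exp)
                    && now.ToUnixTimeSeconds() <= exp;
        return false;                                       // no expiry present: reject
    }
    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string q = Sign(new Dictionary<string, string> { { "department", "R&D" }, { "location", "Leeds" } }, now.AddMinutes(10));
        Console.WriteLine(Verify(q, now));                              // untouched link
        Console.WriteLine(Verify(q.Replace("Leeds", "Paris"), now));    // tampered value
        Console.WriteLine(Verify(q, now.AddHours(1)));                  // link used after expiry
    }
}
```

An expiry only narrows the window in which a captured link can be reused; it does not make the link single-use.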