Informational privacy

Establishes the Hawaii information privacy act.

THE SENATE                              S.B. NO. 2440
TWENTIETH LEGISLATURE, 2000
STATE OF HAWAII

                     A BILL FOR AN ACT

     SECTION 1.  The flow of information has become essential to the modern global economy.  The multi-billion dollar commercial trade in personal information--financial, job-related, medical, and lifestyle--is one of the fastest growing industries in the world.  In the private sector, this information is often treated as a commodity for development, purchase, and sale.  Personal information fuels an industry devoted to the thorough tracking, monitoring, and recording of specific aspects of individuals' lives and their interaction with society.
     There has been a dramatic increase in the use of the internet to disseminate and gather information, as well as to buy and sell products and services.  However, a major impediment to the growth of the internet as a commercial market place is customer confidence.  Surveys indicate that consumers will not use the internet as a market place unless their privacy is protected and their financial information is secure.
     Hawaii has a unique constitutional right to privacy.  Article I, section 6 of the State Constitution, states that the "right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest" and requires the legislature to "take affirmative steps to implement this right."  The standing committee report of the 1978 Constitutional Convention specified three ways in which the constitutional privacy right applies:  to protect an individual from disclosure of the individual's private affairs; to allow an individual to control the privacy of information about the individual; and to maintain the individual's right to be left alone in certain highly personal areas of the individual's life.  It was intended that this right apply to private, as well as governmental, intrusions.
     Business recognizes that responsible handling of personal information engenders consumer confidence and trust.  Therefore, setting information privacy standards will be advantageous to businesses.  Businesses will know what their obligations are and consumers will know what to expect from businesses that collect or use their information.
     In the United States, the individual behind each piece of information is largely neglected, and has few, if any, rights to review the information for accuracy or to restrict the use of the information.  Other countries, such as New Zealand, Hong Kong, and the member states of the European Union, set standards for the collection and dissemination of personal information out of respect for an individual's personal privacy interests.  In general, the United States has not developed comparable individual privacy protections.  While certain personal information needs to be collected to accommodate and further current practices in a modern age, safeguards need to be in place to ensure that privacy intrusions are both consented to and minimized to achieve only the intended purpose.  While chapter 92F, Hawaii Revised Statutes, governs the public sector's information practices, including collection and dissemination of information, standards for the private sector are virtually nonexistent.
     Individual states, as well as the federal government, have been trying to resolve the conflict between the use of personal information and the right to privacy, not only for the sake of individuals' rights but because of the European Union's recent directive on the protection of personal information.  This directive prohibits the transfer of personally identifiable data to other countries that do not provide an adequate level of privacy protection.  Failure to enact adequate protection can restrict trade involving data, a situation that the federal government is endeavoring to avoid in ongoing negotiations with the European Union nations.  Hawaii, with its strong constitutional mandate of individual privacy, can and must take affirmative steps to ensure privacy even in the absence of federal action.
     The purpose of this Act is to assure an individual's constitutional right to privacy, while providing for the reasonable exchange of information with adequate safeguards to protect its appropriate use.

     SECTION 2.  The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

                             "CHAPTER

     §   -1  General definitions.  As used in this chapter:
     "Director" means the director of the office of information practices.
     "Individual" means a natural person.
     "Office" means the office of information practices.
     "Organization" means all nongovernmental entities, associations, partnerships, and individuals using personal information in a commercial context, including not-for-profit entities.
     "Personal information" means all information that is identifiable to an individual.
     "Privacy standard" or "standard" means any of the privacy standards set out in part II.
     "Related organizations" means a group of organizations related by common ownership or control, and includes all parents, subsidiaries, branches, and divisions.

     §   -2  Application.  This chapter shall not apply to:
     (1)  The domestic collection, holding, use, or disclosure of personal information by individuals;
     (2)  The collection, holding, use, or disclosure of personal information by government agencies; or
     (3)  The collection, holding, use, or disclosure of personal information solely for journalistic, artistic, or literary purposes.

     §   -3  Obligations.  All organizations shall handle or process personal information pursuant either to the privacy standards set forth in part II or to codes of practice adopted by the director.

     §   -4  Codes of practice.  (a)  The director may initiate or receive requests for the adoption of organization codes of practice after public hearing, if satisfied that the code:
     (1)  Incorporates all the privacy standards and obligations under this chapter, or sets out obligations that, overall, are at least the equivalent of all the obligations set out in those principles;
     (2)  Specifies or sets out a mechanism to identify all organizations bound by the code;
     (3)  Sets out procedures that allow an organization to be released from the code and when the release takes effect;
     (4)  Sets out appropriate procedures for making and dealing with complaints, including the appointment of one or more persons knowledgeable about this chapter and who have due regard for human rights and societal interests that compete with privacy, including the free flow of information through society;
     (5)  Provides that decisions may be affirmed by the director;
     (6)  Provides that the organization against whom a decision was rendered is bound by the requirements of the decision;
     (7)  Provides that the decisions shall be publicly available through the office and that the director may segregate parts of a decision that may identify a person or otherwise constitute an invasion of the person's privacy; and
     (8)  Provides that a report be prepared and given to the director no later than July 31st of each year to include the number, nature, and outcome of complaints made under the code.
     (b)  Codes of practice may cover either, both, or all of the following:
     (1)  Personal information or specified types of personal information; or
     (2)  Specified activity or class of activities of an organization; or
     (3)  A specified industry sector and professions or a specified class of industry sectors and professions.
     (c)  Once adopted, the code shall have the force and effect of a rule.
     (d)  The director may amend or revoke codes of practice on the director's initiative or on request by an organization that is bound by the code, after public hearing.

                   PART II.  PRIVACY STANDARDS

     §   -11  Accountability.  An organization shall be responsible for personal information under its control and shall appoint at least one individual responsible for ensuring compliance with this chapter.  In the absence of an appointment, the owners, all partners, the president, or all members of the board of directors of a corporation shall be held accountable for compliance with this chapter.

     §   -12  Purpose of collection.  The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.  Every organization shall advise the individual about whom they are collecting personal information of the purposes, uses, and any anticipated disclosures of the collected information.  The advice or notice shall be given at or before the time of collection.

     §   -13  Collection, consent to collect.  Personal information shall be collected by fair and lawful means.  An organization shall obtain the individual's consent for the collection, use, or disclosure of personal information about the individual, except where such requirement is inappropriate.  Consent shall not be required where:
     (1)  Collection is clearly in the interest of the individual and consent cannot be obtained in a timely manner;
     (2)  It is reasonable to believe collection with consent and knowledge would compromise the accuracy of the information and collection is for purposes of investigating a breach of an agreement or contravention of the laws of this State or the United States; or
     (3)  The information is publicly available.

     §   -14  Limitation on collection, use, and disclosure.  (a)  Except with the consent of the individual or as required by law, personal information shall:
     (1)  Not be used or disclosed for purposes other than those for which it was collected;
     (2)  Not be disclosed beyond this jurisdiction by an organization, whether to an agent, subcontractor, or unrelated third party, unless the transmitting organization has taken all reasonable measures to ensure that the transferee provides the same or greater levels of protection of personal information as required by these standards;
     (3)  Not be compiled, used, or disclosed by the organization in a discriminatory fashion on the basis of race, medical condition or status, political or religious association, or gender, unless there is a compelling state interest; and
     (4)  Be retained only for so long as is necessary for the fulfillment of those purposes or as otherwise required by law.
     (b)  Consent shall not be required when the use or disclosure is:
     (1)  For the purpose of investigating an offense that has been or is about to be committed under the laws of the United States or a state and the information could be reasonably believed to be useful in the investigation of the offense;
     (2)  For an emergency that threatens the life, health, or security of any individual;
     (3)  Clearly in the interest of the individual and consent cannot be obtained in a timely manner;
     (4)  To the organization's lawyer for purposes of representation;
     (5)  Pursuant to a subpoena or warrant issued by a court of law or other administrative body with jurisdiction to compel the production of information, records, or documents;
     (6)  To a government agency, pursuant to a lawful request, for purposes of conservation of records of historic or archival importance;
     (7)  Made more than one hundred years after the record containing the information was created or more than twenty years after the death of the individual whom the information is about; or
     (8)  Required by or specifically authorized by law.

     §   -15  Quality of personal information.  An organization shall take reasonable steps to ensure that personal information that it uses is accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

     §   -16  Safeguarding personal information.  An organization shall take reasonable steps to ensure that personal information it maintains is protected against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, by security safeguards appropriate to the sensitivity of the information.

     §   -17  Policies and practices.  An organization shall make readily available to individuals clear information about its policies and practices relating to the requirements of this chapter, which shall include:
     (1)  What personal information is made available to related organizations;
     (2)  The means of gaining access to personal information held by the organization; and
     (3)  The process by which complaints or inquiries can be made within the organization.

     §   -18  Individual access.  (a)  Upon written request, an organization shall inform an individual whether it holds, uses, or discloses readily retrievable personal information about that individual.
     (b)  Upon request, and within a reasonable period of time, an organization shall give an individual access to readily retrievable information about the individual, after payment of the reasonable costs of retrieval and duplication.
     (c)  An organization shall not give access to personal information if:
     (1)  Providing access would be unlawful;
     (2)  Denying access is required or authorized by law or rule;
     (3)  Giving access could reasonably be expected to threaten the life or security of another individual or group of individuals or would have an unreasonable impact on the privacy of other individuals;
     (4)  The information is protected by a statutory privilege;
     (5)  Giving access would prejudice the enforcement of laws, protection of the public, or the legal enforcement of a contract with the organization;
     (6)  Giving access would reveal confidential business information that cannot reasonably be protected by other means;
     (7)  Giving access would prejudice the organization's ongoing negotiations; or
     (8)  The information was generated for purposes of litigation or within a formal dispute resolution process.
These exceptions shall not apply if the individual needs the information because the individual's life, health, or security is threatened.
     (d)  An individual shall have the right to challenge the accuracy and completeness of the personal information held by the organization and have it amended as may be appropriate.
     (e)  An organization shall provide an informal method of reviewing a denial of access or amendment of personal information.
     (f)  An organization shall inform the individual in writing of a denial, setting out the reasons and any recourse that the individual may have.

     §   -19  Sensitive data.  The director may adopt rules pursuant to chapter 91 to protect sensitive personal information.

     §   -31  Audits.  To enforce the standards or codes of practice, the director may:
     (1)  Require that organizations present to the director periodic independent audits of their personal information management practices and policies applying assurance criteria consistent with the privacy standards set out in this chapter or a code of practice adopted under this chapter, whichever is applicable; and
     (2)  On reasonable notice and at any reasonable time, audit the personal information management practices of an organization if the director has reasonable grounds to believe that the organization is violating a provision of this chapter.  After an audit, the director shall provide the audited organization with a report that contains the findings of the audit and any recommendations that the director considers appropriate.
Reports of audits performed under this section shall be made public; provided that the director shall segregate any confidential business information, or other information that may identify an individual or otherwise constitute an invasion of the individual's privacy, that is contained in the reports.

     §   -32  Complaints.  (a)  An individual may file with the director a written complaint against an organization for alleged violations of this chapter or of a code of practice.
     (b)  A complaint that alleges a refusal to grant access and correction or other amendment shall be filed within forty-five days after the alleged refusal.
     (c)  The director may:
     (1)  Dismiss the complaint if the director determines that:
          (A)  The complaint is not timely, or is trivial, frivolous, vexatious, or made in bad faith;
          (B)  The complainant should exhaust other grievance or review procedures; or
          (C)  The complaint could more appropriately be dealt with either initially or in its totality by means of another procedure or body;
     (2)  If appropriate, refer the complainant to other procedures or bodies for review; or
     (3)  If the director has reasonable grounds to believe there has been a violation of this chapter, conduct an investigation under section   -33.

     §   -33  Investigations.  (a)  Pursuant to a complaint under section   -32 or on the director's initiative, the director may conduct an investigation to determine whether there has been a violation of this chapter or of a code of practice adopted under this chapter.
     (b)  The director shall prepare a report of the findings and shall issue the report to the organization investigated.  In addition to the findings, the director may include in the report:
     (1)  Recommendations relating to the promotion of compliance with this chapter;
     (2)  Any actions the director may take, pursuant to subsection (c), as a result of the investigation; and
     (3)  Any other comments arising from the investigation as the director thinks fit to make.
A summary of the report may be included in the director's published annual report.
     (c)  If the findings of an investigation give the director reason to believe that an organization has violated the privacy standards or codes of practice, the director may:
     (1)  Arbitrate any dispute;
     (2)  Hold a hearing for issuance of a cease and desist order pursuant to section   -34;
     (3)  Employ any other of the powers given to the director under section   -51 as necessary to enforce the obligations imposed by this chapter; and
     (4)  If appropriate:
          (A)  Recommend to appropriate bodies that the organization's license to do business within the State of Hawaii be removed;
          (B)  Refer for or coordinate prosecution before other regulatory bodies; and
          (C)  Prosecute the organization through the judicial system on behalf of the State, or through other state, national, or international adjudicatory bodies.

     §   -34  Cease and desist orders.  (a)  If the director has reason to believe that an organization has violated any of the privacy standards or codes of practice, and that a proceeding by the director in respect to that would be in the interest of the public, the director shall issue and serve upon the organization and the complainant, if any:
     (1)  A statement of the charges in that respect; and
     (2)  A notice of a hearing, to be held at a time and place fixed in the notice, which shall not be fewer than fifteen days after the date of service.
     (b)  At the time and place fixed for the hearing, the organization and the complainant, if any, shall have an opportunity to be heard and to show cause why an order should or should not be made by the director requiring the organization to cease and desist from the acts, methods, or practices, or otherwise to comply with this chapter.
     (c)  The hearing shall be deemed a contested case hearing pursuant to chapter 91.
     (d)  All remedies, penalties, and proceedings set forth in this section are to be invoked solely and exclusively by the director.
     (e)  If after the hearing the director determines that the organization charged has violated any provision of this chapter, the director shall reduce the findings to writing and shall issue and cause to be served on the organization charged with the violation a copy of the findings and an order requiring the organization to cease and desist from violating this chapter or otherwise to comply with the requirements of this chapter.  At the director's discretion, the director may also employ any other of the powers given to the director under section   -51 as necessary to enforce the obligations imposed by this chapter.
     (f)  Any organization that violates a cease and desist order or a compliance order of the director under this section may be subject, at the discretion of the director, after notice and hearing and upon order of the director, to a civil penalty of not more than $10,000 for each and every act in violation of the cease and desist order.
     (g)  No order of the director pursuant to this section or order of court to enforce it shall in any way relieve or absolve any person affected by the order from any other liability, penalty, or forfeiture required by law.

     §   -35  Notice to other regulatory agencies.  Whenever the director conducts any investigation or takes other action against any organization for violation of this chapter, the director shall notify any agency that has regulatory oversight over the organization of the director's action.

     §   -36  Whistleblowing.  (a)  Any individual who has reasonable grounds to believe that an organization has violated or intends to violate a provision of this chapter may notify the director and may request that the individual's identity be kept confidential with respect to the notification.  The director shall keep confidential the identity of an individual who has notified the director and to whom an assurance of confidentiality has been provided by the director.
     (b)  No employer shall dismiss, suspend, demote, discipline, harass, or otherwise disadvantage any employee or deny an employee a benefit of employment by reason that the employee, acting in good faith and on the basis of reasonable belief:
     (1)  Has disclosed to the director that the employer or any other individual has violated or intends to violate a provision of this chapter;
     (2)  Has refused or stated an intention of refusing to perform anything that is a violation of a provision of this chapter; or
     (3)  Has done or stated an intention of doing anything necessary in order that this chapter not be violated;
or by reason that the employer believes that the employee will do anything referred to in paragraph (1), (2), or (3).
     (c)  Nothing in this section shall impair any right of an employee or employer either at law or under an employment contract or collective agreement.
     (d)  As used in this section, "employee" includes an independent contractor.

                     PART IV.  ADMINISTRATION

     §   -51  Powers and duties of the office of information practices.  (a)  The director may:
     (1)  Compel witnesses and evidence;
     (2)  Administer oaths;
     (3)  Receive and accept any evidence and other information, whether on oath, by affidavit, or otherwise, that the director sees fit, regardless of whether it is or would be admissible in a court of law;
     (4)  Examine or obtain copies or extracts from records;
     (5)  Bring lawsuits or other complaints in other tribunals;
     (6)  Delegate powers;
     (7)  Adopt rules for purposes of enforcement of this chapter;
     (8)  Issue cease and desist orders;
     (9)  Order an organization to amend or correct its practices to comply with this chapter;
    (10)  Order an organization to publish a notice of any action taken or proposed to be taken to correct its practices;
    (11)  Impose fines of not more than $1,000 per violation or a maximum of $50,000 for a business practice;
    (12)  File lawsuits or enter into settlement agreements; and
    (13)  Use all other legal powers necessary to carry out the director's duties under this chapter.
     (b)  The director shall administer this chapter.

     §   -52  Education.  The director shall:
     (1)  Develop and conduct information programs to foster public understanding and recognition of the purposes of this part;
     (2)  Undertake and publish research that is related to the protection of personal information;
     (3)  Encourage organizations to develop detailed policies and practices;
     (4)  Promote, by any means the director feels appropriate, the purposes of this chapter; and
     (5)  Make available to the public:
          (A)  Audits performed under section   -31;
          (B)  Reports of investigations under section   -33; and
          (C)  The number and nature of each complaint filed with an organization under an adopted code, or with the office, including the outcome of all complaints so described.

     §   -53  Reporting requirement.  The director shall submit a report to the legislature no later than twenty days before the convening of each legislative session.  In the fourth year of its existence, the director shall undertake a review of this chapter."

     SECTION 3.  There is appropriated out of the general revenues of the State of Hawaii the sum of $          or so much thereof as may be necessary for fiscal year 2000-2001 to carry out the purposes of this Act, including the hiring of necessary staff.
     The sum appropriated shall be expended by the office of information practices for the purposes of this Act.
     SECTION 4.  Nothing in this Act shall be construed to relieve any organization of its obligations under any of the laws of this State or of the United States.
     SECTION 5.  This Act shall take effect upon its approval, provided that section 3 shall take effect on July 1, 2000.

                        INTRODUCED BY: ___________________________