REPORT TITLE: 
Informational privacy


DESCRIPTION:
Establishes the Hawaii information privacy act. (HB1877 HD1)

                                                        1877 
HOUSE OF REPRESENTATIVES                H.B. NO.           H.D. 1        
TWENTIETH LEGISLATURE, 2000                                
STATE OF HAWAII                                            
                                                             
________________________________________________________________
________________________________________________________________


                     A BILL FOR AN ACT

RELATING TO INFORMATIONAL PRIVACY.



BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 1      SECTION 1.  The flow of information has become essential to
 
 2 the modern global economy.  The multi-billion dollar commercial
 
 3 trade in personal information--financial, job-related, medical,
 
 4 and lifestyle--is one of the fastest growing industries in the
 
 5 world.  Most private organizations are sensitive to the privacy
 
 6 concerns of their customers, and endeavor to handle personal
 
 7 information responsibly.  However, other organizations have often
 
 8 treated this information as a commodity for development,
 
 9 purchase, and sale.  Personal information fuels an industry
 
10 devoted to the thorough tracking, monitoring, and recording of
 
11 specific aspects of individuals' lives and their interaction with
 
12 society.
 
13      There has been a dramatic increase in the use of the
 
14 internet to disseminate and gather information, as well as to buy
 
15 and sell products and services.  However, a major impediment to the
 
16 growth of the internet as a commercial market place is customer
 
17 confidence.  Surveys indicate that consumers will not use the
 
18 internet as a market place unless their privacy is protected and
 
19 their financial information is secure.
 

 

 
 1      Hawaii has a unique constitutional right to privacy.
 
 2 Article I, section 6 of the State Constitution, states that the
 
 3 "right of the people to privacy is recognized and shall not be
 
 4 infringed without the showing of a compelling state interest" and
 
 5 requires the legislature to "take affirmative steps to implement
 
 6 this right."  The standing committee report of the 1978
 
 7 Constitutional Convention specified three ways in which the
 
 8 constitutional privacy right applies:  to protect an individual
 
 9 from disclosure of the individual's private affairs; to allow an
 
10 individual to control the privacy of information about the
 
11 individual; and to maintain the individual's right to be left
 
12 alone in certain highly personal areas of the individual's life.
 
13 It was intended that this right apply to private, as well as
 
14 governmental intrusions.
 
15      Federal and state governments have already established laws
 
16 and regulations protecting personal information in the control of
 
17 certain industries, such as the health care and financial
 
18 services industries.  Other sectors of the business community do
 
19 not have uniform standards for the protection of personal
 
20 information.
 
21      Business recognizes that responsible handling of personal
 
22 information engenders consumer confidence and trust.  Therefore,
 
23 setting information privacy standards will be advantageous to
 

 

 
 1 businesses.  Businesses will know what their obligations are and
 
 2 consumers will know what to expect from businesses that collect
 
 3 or use their information.
 
 4      The purpose of this Act is to provide standards for the
 
 5 protection of personal information in those portions of the
 
 6 business community which are not already subject to privacy laws
 
 7 and regulations.  These standards will assure an individual's
 
 8 constitutional right to privacy, while providing for the
 
 9 reasonable exchange of information with adequate safeguards to
 
10 protect its appropriate use.
 
11      SECTION 2.  The Hawaii Revised Statutes is amended by adding
 
12 a new chapter to be appropriately designated and to read as
 
13 follows:
 
14                             "CHAPTER
 
15                  HAWAII INFORMATION PRIVACY ACT
 
16                    PART I.  GENERAL PROVISIONS
 
17      §  -1 Definitions.  As used in this chapter:
 
18      "Director" means the director of the office of information
 
19 practices.
 
20      "Individual" means a natural person.
 
21      "Nonaffiliated third party" means any organization that is
 
22 not an affiliate of, or related by common ownership or affiliated
 
23 by corporate control with, the organization, but does not include
 

 

 
 1 a joint employee of such organization.  An organization providing
 
 2 data processing, communications, customer service, or payment
 
 3 processing services is not a nonaffiliated third party if it
 
 4 receives and uses personal information for the sole purpose of
 
 5 facilitating the transaction in which the information is
 
 6 disclosed.
 
 7      "Office" means the office of information practices.
 
 8      "Organization" means all nongovernmental entities,
 
 9 associations, partnerships, and individuals using personal
 
10 information in a commercial context, including not-for-profit
 
11 entities.
 
12      "Personal information" means all information that is
 
13 identifiable to an individual, and which is not publicly
 
14 available.
 
15      "Privacy standard" or "standard" means any of the privacy
 
16 standards set out in part II.
 
17      "Publicly available information" means information lawfully
 
18 made available to the general public and that is obtained from:
 
19      (1)  Federal, state, or local government records;
 
20      (2)  Widely distributed media such as a telephone directory,
 
21           newspaper, or unrestricted internet site; or
 
22      (3)  Disclosures made to the general public to comply with
 
23           federal, state, or local law.
 

 

 
 1      "Secondary purpose" means a purpose other than the one
 
 2 originally intended or provided for.
 
 3      §  -2 Application.  This chapter shall not apply to:
 
 4      (1)  The collection, holding, use, or disclosure of personal
 
 5           information:
 
 6           (A)  By individuals or any organization consisting of
 
 7                fewer than fifty employees;
 
 8           (B)  By government agencies; and
 
 9           (C)  Solely for journalistic, artistic, or literary
 
10                purposes;
 
11      (2)  Any organization subject to informational privacy
 
12           regulation under state or federal law, including but
 
13           not limited to:
 
14           (A)  Privacy of healthcare information, chapter 323C;
 
15           (B)  The Financial Services Modernization Act, or
 
16                Gramm-Leach-Bliley Act, Public Law 106-102, 113
 
17                Stat. 1338;
 
18           (C)  The Fair Credit Reporting Act of 1970, 15 U.S.C.
 
19                1681 et seq.;
 
20           (D)  Electronic Fund Transfer Act of 1978, 15 U.S.C.
 
21                1693 et seq.; 
 
22           (E)  Fair Debt Collection Practices Act, 15 U.S.C. 1601
 
23                et seq.;
 

 

 
 1           (F)  Fair Credit Billing Act, 15 U.S.C. 1666 et seq.;
 
 2           (G)  Telephone Consumer Protection Act of 1991, 47
 
 3                U.S.C. 227;
 
 4           (H)  Telemarketing and Consumer Fraud and Abuse
 
 5                Prevention Act of 1991, 15 U.S.C. 1601 et seq.;
 
 6           (I)  Federal Trade Commission Act, 15 U.S.C. 41 et
 
 7                seq.;
 
 8           (J)  Right to Financial Privacy Act of 1978, 12 U.S.C.
 
 9                1304 et seq.;
 
10           (K)  Electronic Communications Privacy Act of 1986, 18
 
11                U.S.C. et seq.;
 
12           (L)  Cable Communications Policy Act of 1984 and Cable
 
13                Television Consumer Protection and Competition Act
 
14                of 1992, 47 U.S.C. 551 et seq.;
 
15           (M)  Privacy Act of 1974, 5 U.S.C. 522a;
 
16           (N)  Video Privacy Protection Act, 18 U.S.C. 2710;
 
17           (O)  Children's On-Line Privacy Protection Act of 1999,
 
18                15 U.S.C. 6501 et seq.;
 
19           (P)  Comprehensive Crime Control Act of 1984, 18 U.S.C.
 
20                1030 et seq.;
 
21           (Q)  Infectious and Communicable Diseases, chapter 325;
 
22           (R)  Substance Abuse Testing, chapter 329B;
 
23           (S)  Mental Health, Mental Illness, Drug Addiction, and
 
24                Alcoholism, chapter 334;
 

 

 
 1           (T)  Confidentiality of Alcohol and Drug Abuse Patient
 
 2                Records, 42 C.F.R. part II; and
 
 3           (U)  Standards for Privacy of Individually Identifiable
 
 4                Health Information, 45 C.F.R., parts 160-164;
 
 5           and
 
 6      (3)  Labor organizations recognized as such by the Hawaii
 
 7           labor relations board pursuant to section 377-144.
 
 8      §    -3  Obligations.  All organizations shall handle or
 
 9 process personal information pursuant either to the privacy
 
10 standards set forth in part II, as implemented by the codes of
 
11 information practice adopted by the director.
 
12      §    -4  Codes of information practice.  (a)  Organization
 
13 codes of information practice shall be adopted by the director
 
14 after public hearing pursuant to chapter 91.  The adoption of a
 
15 code of information practice may be initiated by the director, or
 
16 by request made to the director.  Each code of information
 
17 practice shall:
 
18      (1)  Interpret and apply the privacy standards and
 
19           obligations under this chapter;
 
20      (2)  Establish a mechanism to identify all organizations
 
21           bound by the code;
 
22      (3)  Include procedures allowing an organization to be
 
23           released from the code under specific circumstances;
 

 

 
 1      (4)  Set out procedures for requesting formal
 
 2           interpretations of the code by the director; and 
 
 3      (5)  Provide a mechanism for making the director's formal
 
 4           interpretations publicly available through the office
 
 5           and that the director shall delete those portions of a
 
 6           decision that may identify a person or otherwise
 
 7           constitute an invasion of the person's privacy.
 
 8      (b)  Codes of practice may govern any one or combination of
 
 9 the following:
 
10      (1)  The handling of personal information or specified types
 
11           of personal information;
 
12      (2)  A specified activity or class of activities of an
 
13           organization; and
 
14      (3)  A specified industry sector and professions or a
 
15           specified class of industry sectors and professions.
 
16      (c)  Once adopted, the code shall have the force and effect
 
17 of administrative rules adopted under chapter 91.
 
18      (d)  The director may initiate the amendment or repeal of a
 
19 code of information practice pursuant to public hearing conducted
 
20 as provided under chapter 91.  Amendment or repeal of a code of
 
21 information practice may be initiated by the director or upon the
 
22 request of an organization subject to the code.
 

 
 
 

 
 1                   PART II.  PRIVACY STANDARDS 
 
 2      §    -11  Individual's right to opt out.  (a)  An
 
 3 organization may not use personal information for a secondary
 
 4 purpose or disclose personal information to a nonaffiliated third
 
 5 party unless:
 
 6      (1)  Such organization clearly and conspicuously discloses
 
 7           to the individual that such information may be used for
 
 8           a secondary purpose or disclosed to a nonaffiliated
 
 9           third party;
 
10      (2)  The individual is given the opportunity, before the
 
11           time that such information is initially collected,
 
12           used, or disclosed to direct that such information not
 
13           be used for a secondary purpose or disclosed to a
 
14           nonaffiliated third party; and
 
15      (3)  The individual is given an explanation of how the
 
16           individual can exercise the option to deny such use or
 
17           disclosure of their personal information.
 
18      (b)  Subsection (a) shall not apply where use or disclosure
 
19 is:
 
20      (1)  Clearly in the interest of the individual, and
 
21           disclosure and the opportunity to opt out cannot be
 
22           obtained in a timely manner;
 

 
 
 

 
 1      (2)  For purposes of investigating a breach of an agreement
 
 2           or contravention of the laws of this State or the
 
 3           United States, where disclosure and the opportunity to
 
 4           opt out would compromise the collection or accuracy of
 
 5           the information;
 
 6      (3)  Reasonably necessary to investigate an offense under
 
 7           the laws of the United States or a state;
 
 8      (4)  Required in an emergency, to protect the life, health,
 
 9           or security of any individual;
 
10      (5)  For purposes of legal representation;
 
11      (6)  Pursuant to a valid subpoena or warrant issued by a
 
12           court of law or other administrative body;
 
13      (7)  Pursuant to a lawful request of a government agency for
 
14           purposes of conserving records of historic or archival
 
15           importance;
 
16      (8)  Performed one hundred years after the record containing
 
17           the information was created or twenty years after the
 
18           death of the individual who is the subject of the
 
19           information; or
 
20      (9)  Required by or specifically authorized by law.
 
21     §    -12  Limitation on collection, use, and disclosure.  If
 
22 an individual exercises the right to opt out under section
 
23 -11(2), the personal information collected shall not be: 
 

 

 
 1     (1)   Used for secondary purposes or disclosed to a
 
 2           nonaffiliated third party for purposes other than those
 
 3           for which it was collected;
 
 4     (2)   Disclosed to parties not subject to this chapter,
 
 5           unless the transferor of the information has taken all
 
 6           reasonable measures to ensure that the transferee
 
 7           provides protection equal to or exceeding that provided
 
 8           under this chapter; or
 
 9     (3)   Retained for longer than necessary to fulfill the
 
10           purposes for which the information was collected, or as
 
11           otherwise required by law.
 
12     §  -13  Quality of personal information.  An organization
 
13 shall take reasonable steps to ensure that the personal
 
14 information used is as accurate, complete, and up-to-date as is
 
15 necessary for the purposes for which it is to be used.
 
16     §    -14  Safeguarding personal information.  An organization
 
17 shall take reasonable steps to ensure that personal information
 
18 is protected against loss or theft, as well as unauthorized
 
19 access, disclosure, copying, use, or modification, and shall
 
20 utilize security safeguards appropriate to the sensitivity of the
 
21 information.
 
22     §    -15  Policies and practices.  Each organization that
 
23 uses personal information for secondary purposes or discloses
 

 

 
 1 personal information to a nonaffiliated third party shall make
 
 2 readily available to individuals clear information about its
 
 3 personal information policies and practices, including:
 
 4     (1)   The types of personal information used for secondary
 
 5           purposes or disclosed to nonaffiliated third parties; 
 
 6     (2)   The procedure by which an individual may gain access to
 
 7           the individual's personal information held by the
 
 8           organization; and
 
 9     (3)   The procedure by which the individual may make
 
10           complaints or inquiries concerning the organization's
 
11           collection or handling of personal information.
 
12 Each organization shall appoint at least one individual who will
 
13 be responsible for receiving and responding to such complaints
 
14 and inquiries.  Denials of requests to access readily retrievable
 
15 personal information or to submit additional or clarifying
 
16 information shall be provided to the individual in writing, shall
 
17 state the reasons for denial, and shall specify any recourse
 
18 available under the organization's policies and practices, and
 
19 under section     -31.
 
20     §    -16  Individual access.  (a)  Each organization that
 
21 uses personal information for secondary purposes or discloses
 
22 personal information to a nonaffiliated third party shall
 
23 establish procedures with regard to readily retrievable personal
 

 

 
 1 information of an individual held by an organization.  The
 
 2 procedures shall allow the individual to:
 
 3     (1)   Determine whether the organization holds such
 
 4           information;
 
 5     (2)   Obtain access to the information;
 
 6     (3)   Challenge the accuracy or completeness of the
 
 7           information; and
 
 8     (4)   Submit additional or clarifying information.
 
 9 Procedures shall include provisions for the informal review and
 
10 disposition of a request for access to, or challenge to the
 
11 accuracy or completeness of personal information.
 
12     (b)  Access shall be provided within a reasonable time after
 
13 a request by an individual, and upon payment of reasonable costs
 
14 for retrieval and duplication.
 
15     (c)  An organization shall not provide access to personal
 
16 information if providing access would:
 
17     (1)   Be unlawful, or contrary to law or rule requiring or
 
18           authorizing the denial of access;
 
19     (2)   Reasonably be expected to threaten the life or security
 
20           of another individual or group of individuals or would
 
21           have an unreasonable impact on the privacy of other
 
22           individuals;
 

 
 
 

 
 1     (3)   Violate a privilege established by statute, regulation,
 
 2           or rule of court;
 
 3     (4)   Prejudice the enforcement of laws, protection of the
 
 4           public, or the legal enforcement of a contract with the
 
 5           organization;
 
 6     (5)   Reveal confidential business information that cannot
 
 7           reasonably be protected by other means;
 
 8     (6)   Prejudice ongoing negotiations of the organization; or
 
 9     (7)   Involve the disclosure of information generated for
 
10           purposes of litigation or within a formal dispute
 
11           resolution process;
 
12 provided that, the above exceptions notwithstanding, access shall
 
13 be provided if the information is necessary to protect the
 
14 individual's life, health, or security.
 
15               PART III.  ADMINISTRATIVE ENFORCEMENT
 
16     §    -31  Complaints.  (a)  An individual may file a written
 
17 complaint with the director, alleging violations of this chapter
 
18 or of a code of information practice adopted pursuant to this
 
19 chapter by an organization.
 
20     (b)  A complaint that alleges a refusal to grant access to
 
21 readily available personal information or to submit additional or
 
22 clarifying information shall be filed within forty-five days
 
23 after the refusal.
 

 

 
 1     (c)  The director may:
 
 2     (1)   Dismiss the complaint if the director determines that
 
 3           the complaint:
 
 4           (A)  Is untimely, trivial, frivolous, vexatious, or
 
 5                made in bad faith;
 
 6           (B)  Is made prior to exhaustion of other grievance or
 
 7                review procedures; or
 
 8           (C)  Could more appropriately be dealt with either
 
 9                initially or in its totality by means of another
 
10                procedure or body;
 
11     (2)   Refer the complainant to other agencies; or
 
12     (3)   Conduct an investigation under section  -32 if there
 
13           are reasonable grounds to believe that there has been a
 
14           violation of this chapter.
 
15     §  -32  Investigations.  (a)  The director, pursuant to a
 
16 complaint under section   -31, or on the director's own
 
17 initiative, may conduct an investigation to determine whether
 
18 there has been a violation of this chapter or of a code of
 
19 information practice adopted under this chapter.
 
20     (b)  The director shall make findings and issue a report to
 
21 the organization investigated.  A summary of the report may be
 
22 included in the annual report of the office under section    -52.
 

 
 
 

 
 1     §    -33  Cease and desist orders.  (a)  If the director has
 
 2 reason to believe that an organization has violated this chapter
 
 3 or a code of practice adopted under this chapter, and that it
 
 4 would be in the interest of the public to issue an order to the
 
 5 organization to cease and desist, the director shall issue a
 
 6 cease and desist order after holding a contested case hearing
 
 7 pursuant to chapter 91.  If any party is aggrieved by the
 
 8 director's decision, the party may file an appeal in the manner
 
 9 provided in chapter 91 to the circuit court of the circuit in
 
10 which the party resides or has its principal place of business.
 
11     (b)  Violation of a cease and desist order issued pursuant to
 
12 this section shall be subject to a civil penalty of not more than
 
13 $        , in an action brought in the circuit court of the
 
14 circuit in which the organization has its principal place of
 
15 business by the attorney general.
 
16     (c)  Nothing in this section shall be construed to relieve or
 
17 any person from liability for any other penalty or forfeiture
 
18 otherwise applicable under the law.
 
19     §    -34  Notice to other regulatory agencies.  The director
 
20 shall provide a copy of each cease and desist order issued
 
21 pursuant to section    -33 to all agencies having regulatory
 
22 oversight over the organization.
 

 
 
 

 
 1                     PART IV.  ADMINISTRATION
 
 2     §    -51  Powers and duties of the office of information
 
 3 practices.  In conducting hearings authorized by this chapter,
 
 4 the director shall have the power to subpoena witnesses, examine
 
 5 witnesses under oath, and require the production of books,
 
 6 papers, documents, or objects.  Upon application by the director,
 
 7 obedience to the subpoena may be enforced by the circuit court in
 
 8 the county in which the person subpoenaed resides or is found in
 
 9 the same manner as a subpoena issued by the clerk of a circuit
 
10 court.
 
11      §    -52  Reporting requirement.  The director shall submit
 
12 a report to the legislature no later than twenty days before the
 
13 convening of each regular legislative session.  The report shall
 
14 include the number, nature, and outcome of requests for formal
 
15 interpretations of codes of information practice and complaints
 
16 against organizations.  The director shall undertake a review of
 
17 this chapter during the fourth year of the existence of this
 
18 chapter and shall include the resulting findings in the following
 
19 year's report to the legislature.
 
20      §    -53  No private right of action.  Nothing in this
 
21 chapter shall be construed to create a private right of action.
 
22      SECTION 3.  There is appropriated out of the general
 
23 revenues of the State of Hawaii the sum of $          or so much
 

 

 
 1 thereof as may be necessary for fiscal year 2000-2001 to carry
 
 2 out the purposes of this Act, including the hiring of necessary
 
 3 staff.
 
 4      The sum appropriated shall be expended by the office of
 
 5 information practices for the purposes of this Act.
 
 6      SECTION 4.  Nothing in this Act shall be construed to
 
 7 relieve any organization of its obligations under any of the laws
 
 8 of this state or of the United States.
 
 9      SECTION 5.  This Act shall take effect on ________ and shall
 
10 be repealed on ________ .