REPORT TITLE: 
Informational privacy


DESCRIPTION:
Establishes the Hawaii information privacy act. (HB1877 HD2)

                                                        1877
HOUSE OF REPRESENTATIVES                H.B. NO.           H.D. 2
TWENTIETH LEGISLATURE, 2000                                
STATE OF HAWAII                                            
                                                             
________________________________________________________________
________________________________________________________________


                     A BILL FOR AN ACT

RELATING TO INFORMATIONAL PRIVACY.



BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 1      SECTION 1.  The flow of information has become essential to
 
 2 the modern global economy.  The multi-billion dollar commercial
 
 3 trade in personal information--financial, job-related, medical,
 
 4 and lifestyle--is one of the fastest growing industries in the
 
 5 world.  Most private organizations are sensitive to the privacy
 
 6 concerns of their customers, and endeavor to handle personal
 
 7 information responsibly.  However, other organizations have often
 
 8 treated this information as a commodity for development,
 
 9 purchase, and sale.  Personal information fuels an industry
 
10 devoted to the thorough tracking, monitoring, and recording of
 
11 specific aspects of individuals' lives and their interaction with
 
12 society.
 
13      There has been a dramatic increase in the use of the
 
14 internet to disseminate and gather information, as well as to buy
 
15 and sell products and services.  However, a major impediment to
 
16 the growth of the internet as a commercial market place is
 
17 customer confidence.  Surveys indicate that consumers will not
 
18 use the internet as a market place unless their privacy is
 
19 protected and their financial information is secure.
 

 

 
 1      Hawaii has a unique constitutional right to privacy.
 
 2 Article I, section 6 of the State Constitution, states that the
 
 3 "right of the people to privacy is recognized and shall not be
 
 4 infringed without the showing of a compelling state interest" and
 
 5 requires the legislature to "take affirmative steps to implement
 
 6 this right."  The standing committee report of the 1978
 
 7 Constitutional Convention specified three ways in which the
 
 8 constitutional privacy right applies:
 
 9      (1)  To protect an individual from disclosure of the
 
10           individual's private affairs;
 
11      (2)  To allow an individual to control the privacy of
 
12           information about the individual; and
 
13      (3)  To maintain the individual's right to be left alone in
 
14           certain highly personal areas of the individual's life.
 
15 It was intended that this right apply to private, as well as
 
16 governmental intrusions.
 
17      Federal and state governments have already established laws
 
18 and regulations protecting personal information in the control of
 
19 certain industries, such as the health care and financial
 
20 services industries.  Other sectors of the business community do
 
21 not have uniform standards for the protection of personal
 
22 information.
 

 
 
 

 
 1      Business recognizes that responsible handling of personal
 
 2 information engenders consumer confidence and trust.  Therefore,
 
 3 setting information privacy standards will be advantageous to
 
 4 businesses.  Businesses will know what their obligations are and
 
 5 consumers will know what to expect from businesses that collect
 
 6 or use their information.
 
 7      The purpose of this Act is to provide standards for the
 
 8 protection of personal information in those portions of the
 
 9 business community that are not already subject to privacy laws
 
10 and regulations.  These standards will assure an individual's
 
11 constitutional right to privacy, while providing for the
 
12 reasonable exchange of information with adequate safeguards to
 
13 protect its appropriate use.
 
14      SECTION 2.  The Hawaii Revised Statutes is amended by adding
 
15 a new chapter to be appropriately designated and to read as
 
16 follows:
 
17                             "CHAPTER
 
18                  HAWAII INFORMATION PRIVACY ACT
 
19                    PART I.  GENERAL PROVISIONS
 
20      §  -1 Definitions.  As used in this chapter:
 
21      "Director" means the director of the office of information
 
22 practices.
 
23      "Individual" means a natural person.
 

 

 
 1      "Nonaffiliated third party" means any organization that is
 
 2 not an affiliate of, or related by common ownership or affiliated
 
 3 by corporate control with, the organization, but does not include
 
 4 a joint employee of the organization.  An organization providing
 
 5 data processing, communications, customer service, or payment
 
 6 processing services is not a nonaffiliated third party if it
 
 7 receives and uses personal information for the sole purpose of
 
 8 facilitating the transaction in which the information is
 
 9 disclosed.
 
10      "Office" means the office of information practices.
 
11      "Organization" means all nongovernmental entities,
 
12 associations, partnerships, and individuals using personal
 
13 information in a commercial context, including not-for-profit
 
14 entities.
 
15      "Personal information" means all information that is
 
16 identifiable to an individual, and that is not publicly
 
17 available.
 
18      "Privacy standard" or "standard" means any of the privacy
 
19 standards set out in part II.
 
20      "Publicly available information" means information lawfully
 
21 made available to the general public and that is obtained from:
 
22      (1)  Federal, state, or local government records;
 

 
 
 

 
 1      (2)  Widely distributed media such as a telephone directory,
 
 2           newspaper, or unrestricted internet site; or
 
 3      (3)  Disclosures made to the general public to comply with
 
 4           federal, state, or local law.
 
 5      "Secondary purpose" means a purpose other than the one
 
 6 originally intended or provided for.
 
 7      §  -2 Application.  This chapter shall not apply to:
 
 8      (1)  The collection, holding, use, or disclosure of personal
 
 9           information:
 
10           (A)  By individuals or any organization consisting of
 
11                fewer than fifty employees;
 
12           (B)  By government agencies; and
 
13           (C)  Solely for journalistic, artistic, or literary
 
14                purposes;
 
15      (2)  Any organization subject to informational privacy
 
16           regulation under state or federal law, including but
 
17           not limited to:
 
18           (A)  Privacy of healthcare information, chapter 323C;
 
19           (B)  The Financial Services Modernization Act, or
 
20                Gramm-Leach-Bliley Act, Public Law 106-102, 113
 
21                Stat. 1338;
 
22           (C)  The Fair Credit Reporting Act of 1970, 15 U.S.C.
 
23                1681 et seq.;
 

 

 
 1           (D)  Electronic Fund Transfer Act of 1978, 15 U.S.C.
 
 2                1693 et seq.; 
 
 3           (E)  Fair Debt Collection Practices Act, 15 U.S.C. 1601
 
 4                et seq.;
 
 5           (F)  Fair Credit Billing Act, 15 U.S.C. 1666 et seq.;
 
 6           (G)  Telephone Consumer Protection Act of 1991, 47
 
 7                U.S.C. 227;
 
 8           (H)  Telemarketing and Consumer Fraud and Abuse
 
 9                Prevention Act of 1991, 15 U.S.C. 1601 et seq.;
 
10           (I)  Federal Trade Commission Act, 15 U.S.C. 41 et
 
11                seq.;
 
12           (J)  Right to Financial Privacy Act of 1978, 12 U.S.C.
 
13                1304 et seq.;
 
14           (K)  Electronic Communications Privacy Act of 1986, 18
 
15                U.S.C. et seq.;
 
16           (L)  Cable Communications Policy Act of 1984 and Cable
 
17                Television Consumer Protection and Competition Act
 
18                of 1992, 47 U.S.C. 551 et seq.;
 
19           (M)  Privacy Act of 1974, 5 U.S.C. 522a;
 
20           (N)  Video Privacy Protection Act, 18 U.S.C. 2710;
 
21           (O)  Children's On-Line Privacy Protection Act of 1999,
 
22                15 U.S.C. 6501 et seq.;
 

 
 
 

 
 1           (P)  Comprehensive Crime Control Act of 1984, 18 U.S.C.
 
 2                1030 et seq.;
 
 3           (Q)  Infectious and Communicable Diseases, chapter 325;
 
 4           (R)  Substance Abuse Testing, chapter 329B;
 
 5           (S)  Mental Health, Mental Illness, Drug Addiction, and
 
 6                Alcoholism, chapter 334;
 
 7           (T)  Confidentiality of Alcohol and Drug Abuse Patient
 
 8                Records, 42 C.F.R. part II; and
 
 9           (U)  Standards for Privacy of Individually Identifiable
 
10                Health Information, 45 C.F.R., parts 160-164;
 
11           and
 
12      (3)  Labor organizations recognized as such by the Hawaii
 
13           labor relations board pursuant to section 377-14.
 
14      §    -3  Obligations.  All organizations shall handle or
 
15 process personal information pursuant to the privacy standards
 
16 set forth in part II, as implemented by the codes of information
 
17 practice adopted by the director.
 
18      §    -4  Codes of information practice.  (a)  Organization
 
19 codes of information practice shall be adopted by the director
 
20 after public hearing pursuant to chapter 91.  The adoption of a
 
21 code of information practice may be initiated by the director, or
 
22 by request made to the director.  Each code of information
 
23 practice shall:
 

 

 
 1      (1)  Interpret and apply the privacy standards and
 
 2           obligations under this chapter;
 
 3      (2)  Establish a mechanism to identify all organizations
 
 4           bound by the code;
 
 5      (3)  Include procedures allowing an organization to be
 
 6           released from the code under specific circumstances;
 
 7      (4)  Set out procedures for requesting formal
 
 8           interpretations of the code by the director; and 
 
 9      (5)  Provide a mechanism for making the director's formal
 
10           interpretations publicly available through the office
 
11           and that the director shall delete those portions of a
 
12           decision that may identify a person or otherwise
 
13           constitute an invasion of the person's privacy.
 
14      (b)  Codes of practice may govern any one or combination of
 
15 the following:
 
16      (1)  The handling of personal information or specified types
 
17           of personal information;
 
18      (2)  A specified activity or class of activities of an
 
19           organization; and
 
20      (3)  A specified industry sector and professions or a
 
21           specified class of industry sectors and professions.
 
22      (c)  Once adopted, the code shall have the force and effect
 
23 of administrative rules adopted under chapter 91.
 

 

 
 1      (d)  The director may initiate the amendment or repeal of a
 
 2 code of information practice pursuant to public hearing conducted
 
 3 as provided under chapter 91.  Amendment or repeal of a code of
 
 4 information practice may be initiated by the director or upon the
 
 5 request of an organization subject to the code.
 
 6                   PART II.  PRIVACY STANDARDS 
 
 7      §    -11  Individual's right to opt out.  (a)  An
 
 8 organization may not use personal information for a secondary
 
 9 purpose or disclose personal information to a nonaffiliated third
 
10 party unless:
 
11      (1)  The organization clearly and conspicuously discloses to
 
12           the individual that the information may be used for a
 
13           secondary purpose or disclosed to a nonaffiliated third
 
14           party;
 
15      (2)  The individual is given the opportunity, before the
 
16           time that the information is initially collected, used,
 
17           or disclosed to direct that the information not be used
 
18           for a secondary purpose or disclosed to a nonaffiliated
 
19           third party; and
 
20      (3)  The individual is given an explanation of how the
 
21           individual can exercise the option to deny the use or
 
22           disclosure of their personal information.
 

 
 
 

 
 1      (b)  Subsection (a) shall not apply where use or disclosure
 
 2 is:
 
 3      (1)  Clearly in the interest of the individual, and
 
 4           disclosure and the opportunity to opt out cannot be
 
 5           obtained in a timely manner;
 
 6      (2)  For purposes of investigating a breach of an agreement
 
 7           or contravention of the laws of this State or the
 
 8           United States, where disclosure and the opportunity to
 
 9           opt out would compromise the collection or accuracy of
 
10           the information;
 
11      (3)  Reasonably necessary to investigate an offense under
 
12           the laws of the United States or a state;
 
13      (4)  Required in an emergency, to protect the life, health,
 
14           or security of any individual;
 
15      (5)  For purposes of legal representation;
 
16      (6)  Pursuant to a valid subpoena or warrant issued by a
 
17           court of law or other administrative body;
 
18      (7)  Pursuant to a lawful request of a government agency for
 
19           purposes of conserving records of historic or archival
 
20           importance;
 
21      (8)  Performed one hundred years after the record containing
 
22           the information was created or twenty years after the
 
23           death of the individual who is the subject of the
 
24           information; or
 

 

 
 1      (9)  Required by or specifically authorized by law.
 
 2     §    -12  Limitation on collection, use, and disclosure.  If
 
 3 an individual exercises the right to opt out under section     
 
 4      -11(a)(2), the personal information collected shall not be: 
 
 5     (1)   Used for secondary purposes or disclosed to a
 
 6           nonaffiliated third party for purposes other than those
 
 7           for which it was collected;
 
 8     (2)   Disclosed to parties not subject to this chapter,
 
 9           unless the transferor of the information has taken all
 
10           reasonable measures to ensure that the transferee
 
11           provides protection equal to or exceeding that provided
 
12           under this chapter; or
 
13     (3)   Retained for longer than necessary to fulfill the
 
14           purposes for which the information was collected, or as
 
15           otherwise required by law.
 
16     §  -13  Quality of personal information.  An organization
 
17 shall take reasonable steps to ensure that the personal
 
18 information used is as accurate, complete, and up-to-date as is
 
19 necessary for the purposes for which it is to be used.
 
20     §    -14  Safeguarding personal information.  An organization
 
21 shall take reasonable steps to ensure that personal information
 
22 is protected against loss or theft, as well as unauthorized
 
23 access, disclosure, copying, use, or modification, and shall
 

 

 
 1 utilize security safeguards appropriate to the sensitivity of the
 
 2 information.
 
 3     §    -15  Policies and practices.  Each organization that
 
 4 uses personal information for secondary purposes or discloses
 
 5 personal information to a nonaffiliated third party shall make
 
 6 readily available to individuals clear information about its
 
 7 personal information policies and practices, including:
 
 8     (1)   The types of personal information used for secondary
 
 9           purposes or disclosed to nonaffiliated third parties; 
 
10     (2)   The procedure by which an individual may gain access to
 
11           the individual's personal information held by the
 
12           organization; and
 
13     (3)   The procedure by which the individual may make
 
14           complaints or inquiries concerning the organization's
 
15           collection or handling of personal information.
 
16 Each organization shall appoint at least one person who will be
 
17 responsible for receiving and responding to complaints and
 
18 inquiries.  Denials of requests to access readily retrievable
 
19 personal information or to submit additional or clarifying
 
20 information shall be provided to the individual in writing, shall
 
21 state the reasons for denial, and shall specify any recourse
 
22 available under the organization's policies and practices, and
 
23 under section     -31.
 

 

 
 1     §    -16  Individual access.  (a)  Each organization that
 
 2 uses personal information for secondary purposes or discloses
 
 3 personal information to a nonaffiliated third party shall
 
 4 establish procedures with regard to readily retrievable personal
 
 5 information of an individual held by an organization.  The
 
 6 procedures shall allow the individual to:
 
 7     (1)   Determine whether the organization holds the
 
 8           information;
 
 9     (2)   Obtain access to the information;
 
10     (3)   Challenge the accuracy or completeness of the
 
11           information; and
 
12     (4)   Submit additional or clarifying information.
 
13 Procedures shall include provisions for the informal review and
 
14 disposition of a request for access to, or challenge to the
 
15 accuracy or completeness of personal information.
 
16     (b)  Access shall be provided within a reasonable time after
 
17 a request by an individual, and upon payment of reasonable costs
 
18 for retrieval and duplication.
 
19     (c)  An organization shall not provide access to personal
 
20 information if providing access would:
 
21     (1)   Be unlawful, or contrary to law or rule requiring or
 
22           authorizing the denial of access;
 

 
 
 

 
 1     (2)   Reasonably be expected to threaten the life or security
 
 2           of another individual or group of individuals or would
 
 3           have an unreasonable impact on the privacy of other
 
 4           individuals;
 
 5     (3)   Violate a privilege established by statute, regulation,
 
 6           or rule of court;
 
 7     (4)   Prejudice the enforcement of laws, protection of the
 
 8           public, or the legal enforcement of a contract with the
 
 9           organization;
 
10     (5)   Reveal confidential business information that cannot
 
11           reasonably be protected by other means;
 
12     (6)   Prejudice ongoing negotiations of the organization; or
 
13     (7)   Involve the disclosure of information generated for
 
14           purposes of litigation or within a formal dispute
 
15           resolution process;
 
16 provided that, the above exceptions notwithstanding, access shall
 
17 be provided if the information is necessary to protect the
 
18 individual's life, health, or security.
 
19               PART III.  ADMINISTRATIVE ENFORCEMENT
 
20     §    -31  Complaints.  (a)  An individual may file a written
 
21 complaint with the director, alleging violations of this chapter
 
22 or of a code of information practice adopted pursuant to this
 
23 chapter by an organization.
 

 

 
 1     (b)  A complaint that alleges a refusal to grant access to
 
 2 readily available personal information or to submit additional or
 
 3 clarifying information shall be filed within forty-five days
 
 4 after the refusal.
 
 5     (c)  The director may:
 
 6     (1)   Dismiss the complaint if the director determines that
 
 7           the complaint:
 
 8           (A)  Is untimely, trivial, frivolous, vexatious, or
 
 9                made in bad faith;
 
10           (B)  Is made prior to exhaustion of other grievance or
 
11                review procedures; or
 
12           (C)  Could more appropriately be dealt with either
 
13                initially or in its totality by means of another
 
14                procedure or body;
 
15     (2)   Refer the complainant to other agencies; or
 
16     (3)   Conduct an investigation under section  -32 if there
 
17           are reasonable grounds to believe that there has been a
 
18           violation of this chapter.
 
19     §  -32  Investigations.  (a)  The director, pursuant to a
 
20 complaint under section   -31, or on the director's own
 
21 initiative, may conduct an investigation to determine whether
 
22 there has been a violation of this chapter or of a code of
 
23 information practice adopted under this chapter.
 

 

 
 1     (b)  The director shall make findings and issue a report to
 
 2 the organization investigated.  A summary of the report may be
 
 3 included in the annual report of the office under section    -52.
 
 4     §    -33  Cease and desist orders.  (a)  If the director has
 
 5 reason to believe that an organization has violated this chapter
 
 6 or a code of practice adopted under this chapter, and that it
 
 7 would be in the interest of the public to issue an order to the
 
 8 organization to cease and desist, the director shall issue a
 
 9 cease and desist order after holding a contested case hearing
 
10 pursuant to chapter 91.  If any party is aggrieved by the
 
11 director's decision, the party may file an appeal in the manner
 
12 provided in chapter 91 to the circuit court of the circuit in
 
13 which the party resides or has its principal place of business.
 
14     (b)  Violation of a cease and desist order issued pursuant to
 
15 this section shall be subject to a civil penalty of not more than
 
16 $        , in an action brought in the circuit court of the
 
17 circuit in which the organization has its principal place of
 
18 business by the attorney general.
 
19     (c)  Nothing in this section shall be construed to relieve
 
20 any person from liability for any other penalty or forfeiture
 
21 otherwise applicable under the law.
 
22     §    -34  Notice to other regulatory agencies.  The director
 
23 shall provide a copy of each cease and desist order issued
 

 

 
 1 pursuant to section    -33 to all agencies having regulatory
 
 2 oversight over the organization.
 
 3                     PART IV.  ADMINISTRATION
 
 4     §    -51  Powers and duties of the office of information
 
 5 practices.  In conducting hearings authorized by this chapter,
 
 6 the director shall have the power to subpoena witnesses, examine
 
 7 witnesses under oath, and require the production of books,
 
 8 papers, documents, or objects.  Upon application by the director,
 
 9 obedience to the subpoena may be enforced by the circuit court in
 
10 the county in which the person subpoenaed resides or is found in
 
11 the same manner as a subpoena issued by the clerk of a circuit
 
12 court.
 
13      §    -52  Reporting requirement.  The director shall submit
 
14 a report to the legislature no later than twenty days before the
 
15 convening of each regular legislative session.  The report shall
 
16 include the number, nature, and outcome of requests for formal
 
17 interpretations of codes of information practice and complaints
 
18 against organizations.  The director shall undertake a review of
 
19 this chapter during the fourth year of the existence of this
 
20 chapter and shall include the resulting findings in the following
 
21 year's report to the legislature.
 
22      §    -53  No private right of action.  Nothing in this
 
23 chapter shall be construed to create a private right of action."
 

 

 
 1      SECTION 3.  There is appropriated out of the general
 
 2 revenues of the State of Hawaii the sum of $          or so much
 
 3 thereof as may be necessary for fiscal year 2000-2001 to carry
 
 4 out the purposes of this Act, including the hiring of necessary
 
 5 staff.
 
 6      The sum appropriated shall be expended by the office of
 
 7 information practices for the purposes of this Act.
 
 8      SECTION 4.  Nothing in this Act shall be construed to
 
 9 relieve any organization of its obligations under any of the laws
 
10 of this state or of the United States.
 
11      SECTION 5.  This Act shall take effect on ________ and shall
 
12 be repealed on ________ .