

 
REPORT TITLE: 
Informational privacy


DESCRIPTION:
Establishes the Hawaii information privacy act.

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
                                            
THE SENATE                              S.B. NO.           2440
TWENTIETH LEGISLATURE, 2000                                
STATE OF HAWAII                                            
                                                             
________________________________________________________________
________________________________________________________________


                     A BILL FOR AN ACT

RELATING TO INFORMATIONAL PRIVACY.



BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 1      SECTION 1.  The flow of information has become essential to
 
 2 the modern global economy.  The multi-billion dollar commercial
 
 3 trade in personal information--financial, job-related, medical,
 
 4 and lifestyle--is one of the fastest growing industries in the
 
 5 world.  In the private sector, this information is often treated
 
 6 as a commodity for development, purchase, and sale.  Personal
 
 7 information fuels an industry devoted to the thorough tracking,
 
 8 monitoring, and recording of specific aspects of individuals'
 
 9 lives and their interaction with society.
 
10      There has been a dramatic increase in the use of the
 
11 internet to disseminate and gather information, as well as to buy
 
12 and sell products and services.  However, major impediment to the
 
13 growth of the internet as a commercial market place is customer
 
14 confidence.  Surveys indicate that consumers will not use the
 
15 internet as a market place unless their privacy is protected and
 
16 their financial information is secure.
 
17      Hawaii has a unique constitutional right to privacy.
 
18 Article I, section 6 of the State Constitution, states that the
 
19 "right of the people to privacy is recognized and shall not be
 
20 infringed without the showing of a compelling state interest" and
 

 
Page 2                                         
                                     S.B. NO.           2440
                                                        
                                                        

 
 1 requires the legislature to "take affirmative steps to implement
 
 2 this right."  The standing committee report of the 1978
 
 3 Constitutional Convention specified three ways in which the
 
 4 constitutional privacy right applies:  to protect an individual
 
 5 from disclosure of the individual's private affairs; to allow an
 
 6 individual to control the privacy of information about the
 
 7 individual; and to maintain the individual's right to be left
 
 8 alone in certain highly personal areas of the individual's life.
 
 9 It was intended that this right apply to private, as well as
 
10 governmental intrusions.
 
11      Business recognizes that responsible handling of personal
 
12 information engenders consumer confidence and trust.  Therefore,
 
13 setting information privacy standards will be advantageous to
 
14 businesses.  Businesses will know what their obligations are and
 
15 consumers will know what to expect from businesses that collect
 
16 or use their information.
 
17      In the United States, the individual behind each piece of
 
18 information is largely neglected, and has few, if any, rights to
 
19 review the information for accuracy or to restrict the use of the
 
20 information.  Other countries, such New Zealand, Hong Kong, and
 
21 those member states in the European Union, set standards for the
 
22 collection and dissemination of personal information out of
 
23 respect for an individual's personal privacy interests.  In
 

 
Page 3                                         
                                     S.B. NO.           2440
                                                        
                                                        

 
 1 general, the United States has not developed comparable
 
 2 individual privacy protections.  While certain personal
 
 3 information needs to be collected to accommodate and further
 
 4 current practices in a modern age, safeguards need to be in place
 
 5 to ensure that privacy intrusions are both consented to and
 
 6 minimized to achieve only the intended purpose.  While chapter
 
 7 92F, Hawaii Revised Statutes, governs the public sector's
 
 8 information practices, including collection and dissemination of
 
 9 information, standards for the private sector are virtually
 
10 nonexistent.
 
11      Individual states, as well as the federal government, have
 
12 been trying to resolve the conflict between the use of personal
 
13 information and the right to privacy not only for the
 
14 individuals' rights but because of the European Union's recent
 
15 directive on the protection of personal information.  This
 
16 directive prohibits the transfer of personally identifiable data
 
17 to other countries that do not provide an adequate level of
 
18 privacy protection.  Failure to enact adequate protection can
 
19 restrict trade involving data, a situation that the federal
 
20 government is endeavoring to avoid in ongoing negotiations with
 
21 the European Union nations.  Hawaii, with its strong
 
22 constitutional mandate of individual privacy, can and must take
 
23 affirmative steps to ensure privacy even in the absence of
 
24 federal action.
 

 
Page 4                                         
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      The purpose of this Act is to assure an individual's
 
 2 constitutional right to privacy, while providing for the
 
 3 reasonable exchange of information with adequate safeguards to
 
 4 protect its appropriate use.
 
 5      SECTION 2.  The Hawaii Revised Statutes is amended by adding
 
 6 a new chapter to be appropriately designated and to read as
 
 7 follows:
 
 8                             "CHAPTER
 
 9                  HAWAII INFORMATION PRIVACY ACT
 
10            PART I.  GENERAL PROVISIONS AND DEFINITIONS
 
11      §  -1 General definitions.  As used in this chapter:
 
12      "Director" means the director of the office of information
 
13 practices.
 
14      "Individual" means a natural person.
 
15      "Office" means the office of information practices.
 
16      "Organization" means all nongovernmental entities,
 
17 associations, partnerships, and individuals using personal
 
18 information in a commercial context, including not-for-profit
 
19 entities.
 
20      "Personal information" means all information that is
 
21 identifiable to an individual.
 
22      "Privacy standard" or "standard" means any of the privacy
 
23 standards set out in part II.
 

 
Page 5                                         
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      "Related organizations" means a group of organizations
 
 2 related by common ownership or control, and includes all parents,
 
 3 subsidiaries, branches, and divisions.
 
 4      §  -2 Application.  This chapter shall not apply to:
 
 5      (1)  The domestic collection, holding, use, or disclosure of
 
 6           personal information by individuals;
 
 7      (2)  The collection, holding, use, or disclosure of personal
 
 8           information by government agencies; or
 
 9      (3)  The collection, holding, use, or disclosure of personal
 
10           information solely for journalistic, artistic, or
 
11           literary purposes.
 
12      §    -3  Obligations.  All organizations shall handle or
 
13 process personal information pursuant either to the privacy
 
14 standards set forth in part II or to codes of practice adopted by
 
15 the director.
 
16      §    -4  Codes of practice.(a) The director may initiate
 
17 or receive requests for the adoption of organization codes of
 
18 practice after public hearing, if satisfied that the code:
 
19      (1)  Incorporates all the privacy standards and obligations
 
20           under this chapter, or sets out obligations that,
 
21           overall, are at least the equivalent of all the
 
22           obligations set out in those principles;
 

 
 
 
Page 6                                         
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      (2)  Specifies or sets out a mechanism to identify all
 
 2           organizations bound by the code;
 
 3      (3)  Sets out procedures that allow an organization to be
 
 4           released from the code and when the release takes
 
 5           effect;
 
 6      (4)  Sets out appropriate procedures for making and dealing
 
 7           with complaints, including the appointment of one or
 
 8           more persons knowledgeable about this chapter and who
 
 9           have due regard for human rights and societal interests
 
10           that compete with privacy, including the free flow of
 
11           information through society;
 
12      (5)  Provides that decisions may be affirmed by the
 
13           director;
 
14      (6)  Provides that the organization against whom a decision
 
15           was rendered is bound by the requirements of the
 
16           decision;
 
17      (7)  Provides that the decisions shall be publicly available
 
18           through the office and that the director may segregate
 
19           parts of a decision that may identify a person or
 
20           otherwise constitute an invasion of the person's
 
21           privacy; and
 
22      (8)  Provides that a report be prepared and given to the
 
23           director no later than July 31st of each year to
 

 
Page 7                                         
                                     S.B. NO.           2440
                                                        
                                                        

 
 1           include the number, nature, and outcome of complaints
 
 2           made under the code.
 
 3      (b)  Codes of practice may cover either, both, or all of the
 
 4 following:
 
 5      (1)  Personal information or specified types of personal
 
 6           information; or
 
 7      (2)  Specified activity or class of activities of an
 
 8           organization; or
 
 9      (3)  A specified industry sector and professions or a
 
10           specified class of industry sectors and professions.
 
11      (c)  Once adopted, the code shall have the force and effect
 
12 of a rule.
 
13      (d)  The director may amend or revoke codes of practices on
 
14 the director's initiative or on request by an organization that
 
15 is bound by the code, after public hearing.
 
16                   PART II.  PRIVACY STANDARDS 
 
17      §    -11  Accountability. An organization shall be
 
18 responsible for personal information under its control and shall
 
19 appoint at least one individual responsible for ensuring
 
20 compliance with this chapter.  In the absence of an appointment,
 
21 the owners, all partners, the president, or all members of the
 
22 board of directors of a corporation shall be held accountable for
 
23 compliance with this chapter.
 

 
Page 8                                         
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      §    -12  Purpose of collection. The purposes for which
 
 2 personal information is collected shall be identified by the
 
 3 organization at or before the time the information is collected.
 
 4 Every organization shall advise the individual about whom they
 
 5 are collecting personal information of the purposes, uses, and
 
 6 any anticipated disclosures of the collected information.  The
 
 7 advice or notice shall be given at or before the time of
 
 8 collection.
 
 9      §  -13  Collection, consent to collect.  Personal
 
10 information shall be collected by fair and lawful means.  An
 
11 organization shall obtain the individual's consent for the
 
12 collection, use, or disclosure of personal information about the
 
13 individual, except where such requirement is inappropriate.
 
14 Consent shall not be required where:
 
15      (1)  Collection is clearly in the interest of the individual
 
16           and consent cannot be obtained in a timely manner;
 
17      (2)  It is reasonable to believe collection with consent and
 
18           knowledge would compromise the accuracy of the
 
19           information and collection is for purposes of
 
20           investigating a breach of an agreement or contravention
 
21           of the laws of this State or the United States; or
 
22      (3)  The information is publicly available.
 
23      §    -14  Limitation on collection, use, and disclosure.
 

 
Page 9                                         
                                     S.B. NO.           2440
                                                        
                                                        

 
 1 (a)  Except with the consent of the individual or as required by
 
 2 law, personal information shall: 
 
 3      (1)  Not be used or disclosed for purposes other than those
 
 4           for which it was collected;
 
 5      (2)  Not be disclosed beyond this jurisdiction by an
 
 6           organization, whether to an agent, subcontractor, or
 
 7           unrelated third party, unless the transmitting
 
 8           organization has taken all reasonable measures to
 
 9           ensure that the transferee provides the same or greater
 
10           levels of protection of personal information as
 
11           required by these standards;
 
12      (3)  Not be compiled, used, or disclosed by the organization
 
13           in a discriminatory fashion on the basis of race,
 
14           medical condition or status, political or religious
 
15           association, or gender, unless there is a compelling
 
16           state interest; and 
 
17      (4)  Be retained only for so as long as is necessary for the
 
18           fulfillment of those purposes or as otherwise required
 
19           by law.
 
20      (b)  Consent shall not be required when the use or
 
21 disclosure is:
 
22      (1)  For the purpose of investigating an offense that has
 
23           been or is about to be committed under the laws of the
 

 
Page 10                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1           United States or a state and the information could be
 
 2           reasonably believed to be useful in the investigation
 
 3           of the offense;
 
 4      (2)  For an emergency that threatens the life, health, or
 
 5           security of any individual;
 
 6      (3)  Clearly in the interest of the individual and consent
 
 7           cannot be obtained in a timely manner;
 
 8      (4)  To the organization's lawyer for purposes of
 
 9           representation;
 
10      (5)  Pursuant to a subpoena or warrant issued by a court of
 
11           law or other administrative body with jurisdiction to
 
12           compel the production of information, records, or
 
13           documents;
 
14      (6)  To a government agency, pursuant to a lawful request,
 
15           for purposes of conservation of records of historic or
 
16           archival importance;
 
17      (7)  Made after one hundred years after the record
 
18           containing the information was created or twenty years
 
19           after the death of the individual whom the information
 
20           is about; or
 
21      (8)  Required by or specifically authorized by law.
 

 
 
 
 
 
Page 11                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      §  -15  Quality of personal information.  An organization
 
 2 shall take reasonable steps to ensure that personal information
 
 3 that it uses is accurate, complete, and up-to-date as is
 
 4 necessary for the purposes for which it is to be used.
 
 5      §    -16  Safeguarding personal information.  An
 
 6 organization shall take reasonable steps to ensure that personal
 
 7 information it maintains is protected against loss or theft, as
 
 8 well as unauthorized access, disclosure, copying, use, or
 
 9 modification by security safeguards appropriate to the
 
10 sensitivity of the information.
 
11      §    -17  Policies and practices.  An organization shall
 
12 make readily available to individuals clear information about its
 
13 policies and practices relating to the requirements of this
 
14 chapter, which shall include:
 
15      (1)  What personal information is made available to related
 
16           organizations;
 
17      (2)  The means of gaining access to personal information
 
18           held by the organization; and
 
19      (3)  The process by which complaints or inquiries can be
 
20           made within the organization.
 
21      §    -18  Individual access.(a)  Upon written request, an
 
22 organization shall inform an individual whether it holds, uses,
 
23 or discloses readily retrievable personal information about that
 
24 individual.
 

 
Page 12                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      (b)  Upon request, and within a reasonable period of time,
 
 2 an organization shall give access to readily retrievable
 
 3 information about an individual and after payment of the
 
 4 reasonable costs of retrieval and duplication.
 
 5      (c)  An organization shall not give access to personal
 
 6 information if:
 
 7      (1)  Providing access would be unlawful;
 
 8      (2)  Denying access is required or authorized by law or
 
 9           rule;
 
10      (3)  Giving access could reasonably be expected to threaten
 
11           the life or security of another individual or group of
 
12           individuals or would have an unreasonable impact on the
 
13           privacy of other individuals;
 
14      (4)  The information is protected by a statutory privilege;
 
15      (5)  Giving access would prejudice the enforcement of laws,
 
16           protection of the public, or the legal enforcement of a
 
17           contract with the organization;
 
18      (6)  Giving access would reveal confidential business
 
19           information that cannot reasonably be protected by
 
20           other means;
 
21      (7)  Giving access would prejudice the organization's
 
22           ongoing negotiations; or
 

 
 
 
Page 13                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      (8)  The information was generated for purposes of
 
 2           litigation or within a formal dispute resolution
 
 3           process.
 
 4 These exceptions shall not apply if the individual needs the
 
 5 information because the individual's life, health, or security is
 
 6 threatened.
 
 7      (d)  An individual shall have the right to challenge the
 
 8 accuracy and completeness of the personal information held by the
 
 9 organization and have it amended as may be appropriate.
 
10      (e)  An organization shall provide an informal method of
 
11 reviewing a denial of access or amendment of personal
 
12 information.
 
13      (f)  An organization shall inform the individual in writing
 
14 of a denial, setting out the reasons and any recourse that the
 
15 individual may have.
 
16      §  -19  Sensitive data.  The director may adopt rules
 
17 pursuant to chapter 91 to protect sensitive personal information.
 
18               PART III.  ADMINISTRATIVE ENFORCEMENT
 
19      §    -31  Audits.  To enforce the standards or codes of
 
20 practice, the director may:
 
21      (1)  Require that organizations present to the director
 
22           periodic independent audits of their personal
 
23           information management practices and policies applying
 

 
Page 14                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1           assurance criteria consistent with the privacy
 
 2           standards set out in this chapter or code of practice
 
 3           adopted under this chapter, whichever is applicable;
 
 4           and
 
 5      (2)  On reasonable notice and at any reasonable time, audit
 
 6           the personal information management practices of an
 
 7           organization if the director has reasonable grounds to
 
 8           believe that the organization is violating a provision
 
 9           of this chapter.  After an audit, the director shall
 
10           provide the audited organization with a report that
 
11           contains the findings of the audit and any
 
12           recommendations that the director considers
 
13           appropriate.
 
14      Reports of audits performed under this section shall be made
 
15 public; provided the director shall segregate any confidential
 
16 business information or other information that may identify an
 
17 individual or otherwise constitute an invasion of the
 
18 individual's privacy that are contained in the reports.
 
19      §    -32  Complaints.  (a)  An individual may file with the
 
20 director a written complaint against an organization for alleged
 
21 violations of this chapter or of a code of practice.
 
22      (b)  A complaint that alleges a refusal to grant access and
 
23 correction or other amendment shall be filed within forty-five
 
24 days after the alleged refusal.
 

 
Page 15                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      (c)  The director may:
 
 2      (1)  Dismiss the complaint if the director determines that:
 
 3           (A)  The complaint is not timely, trivial, frivolous,
 
 4                vexatious, or made in bad faith;
 
 5           (B)  The complainant should exhaust other grievance or
 
 6                review procedures; or
 
 7           (C)  The complaint could more appropriately be dealt
 
 8                with either initially or in its totality by means
 
 9                of another procedure or body;
 
10      (2)  If appropriate, refer the complainant to other
 
11           procedures or bodies for review; or
 
12      (3)  If the director believes there are reasonable grounds
 
13           to believe there has been a violation of this chapter,
 
14           conduct an investigation under section  -33.
 
15      §  -33  Investigations.(a)  Pursuant to complaint under
 
16 section  -32 or by the director's initiative, the director may
 
17 conduct an investigation to determine whether there has been a
 
18 violation of this chapter or of a code of practice adopted under
 
19 this chapter.
 
20      (b)  The director shall prepare a report of the findings and
 
21 shall issue the report to the organization investigated.  In
 
22 addition to the findings, the director may include in the report:
 

 
 
 
Page 16                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      (1)  Recommendations relating to the promotion of compliance
 
 2           with this chapter;
 
 3      (2)  Any actions the director may take, pursuant to
 
 4           subsection (c), as a result of the investigation; and
 
 5      (3)  Any other comments arising from the investigation as
 
 6           the director thinks fit to make.
 
 7 A summary of the report may be included in the director's
 
 8 published annual report.
 
 9      (c)  If the findings of an investigation give the director
 
10 reason to believe that an organization has violated the privacy
 
11 standards or codes of practice, the director may:
 
12      (1)  Arbitrate any dispute;
 
13      (2)  Hold a hearing for issuance of a cease and desist order
 
14           pursuant to section  -34;
 
15      (3)  Employ any other of the powers given to the director
 
16           under section  -51 as necessary to enforce the
 
17           obligations imposed by this chapter; and
 
18      (4)  If appropriate:
 
19           (A)  Recommend to appropriate bodies that the
 
20                organization's license to do business within the
 
21                State of Hawaii be removed;
 
22           (B)  Refer for or coordinate prosecution before other
 
23                regulatory bodies; and
 

 
Page 17                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1           (C)  Prosecute the organization through the judicial
 
 2                system on behalf of the State, or through other
 
 3                state, national, or international adjudicatory
 
 4                bodies.
 
 5      §    -34  Cease and desist orders.(a)  If the director has
 
 6 reason to believe that an organization has violated any of the
 
 7 privacy standards or codes of practice, and that a proceeding by
 
 8 the director in respect to that would be in the interest of the
 
 9 public, the director shall issue and serve upon the organization
 
10 and the complainant, if any:
 
11      (1)  A statement of the charges in that respect; and
 
12      (2)  A notice of a hearing, to be held at a time and place
 
13           fixed in the notice, which shall not be fewer than
 
14           fifteen days after the date of service.
 
15      (b)  At the time and place fixed for the hearing, the
 
16 organization and the complainant, if any, shall have an
 
17 opportunity to be heard and to show cause why an order should or
 
18 should not be made by the director requiring the organization to
 
19 cease and desist from the acts, methods, practices, or otherwise
 
20 to comply with this chapter.
 
21      (c)  The hearing shall be deemed a contested case hearing
 
22 pursuant to chapter 91.
 

 
 
 
Page 18                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      (d)  All remedies, penalties, and proceedings set forth in
 
 2 this section are to be invoked solely and exclusively by the
 
 3 director.
 
 4      (e)  If after the hearing the director determines that the
 
 5 organization charged has violated any provision of this chapter,
 
 6 the director shall reduce the findings to writing and shall issue
 
 7 and cause to be served on the organization charged with the
 
 8 violation a copy of the findings and an order requiring the
 
 9 organization to cease and desist from violating this chapter or
 
10 otherwise to comply with the requirements of this chapter.  At
 
11 the director's discretion, the director may also employ any other
 
12 of the powers given to the director under section  -51 as
 
13 necessary to enforce the obligations imposed by this chapter.
 
14      (f)  Any organization that violates a cease and desist order
 
15 or a compliance order of the director under this section may be
 
16 subject, at the discretion of the director, after notice and
 
17 hearing and upon order of the director, to a civil penalty of not
 
18 more than $10,000 for each and every act in violation of the
 
19 cease and desist order.
 
20      (g)  No order of the director pursuant to this section or
 
21 order of court to enforce it shall in any way relieve or absolve
 
22 any person affected by the order from any other liability,
 
23 penalty, or forfeiture required by law.
 

 
Page 19                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      §    -35  Notice to other regulatory agencies.  Whenever the
 
 2 director conducts any investigation or takes other action against
 
 3 any organization for violation of this chapter, the director
 
 4 shall notify any agency that has regulatory oversight over the
 
 5 organization of the director's action.
 
 6      §    -36  Whistleblowing.(a)  Any individual who has
 
 7 reasonable grounds to believe that an organization has violated
 
 8 or intends to violate a provision of this chapter, may notify the
 
 9 director and may request that the individual's identity be kept
 
10 confidential with respect to the notification.  The director
 
11 shall keep confidential the identity of an individual who has
 
12 notified the director and to whom an assurance of confidentiality
 
13 has been provided by the director.
 
14      (b)  No employer shall dismiss, suspend, demote, discipline,
 
15 harass, or otherwise disadvantage any employee or deny an
 
16 employee a benefit of employment by reason that the employee,
 
17 acting in good faith and on the basis of reasonable belief:
 
18      (1)  Has disclosed to the director that the employer or any
 
19           other individual has violated or intends to violate a
 
20           provision of this chapter;
 
21      (2)  Has refused or stated an intention of refusing to
 
22           perform anything that is a violation of a provision of
 
23           this chapter; or
 

 
Page 20                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      (3)  Has done or stated an intention of doing anything
 
 2           necessary in order that this chapter not be violated or
 
 3           the employer believes that the employee will do
 
 4           anything referred to in paragraph (1), (2), or (3).
 
 5      (c)  Nothing in this section shall impair any right of an
 
 6 employee or employer either at law or under an employment
 
 7 contract or collective agreement.
 
 8      (d)  As used in this section, "employee" includes an
 
 9 independent contractor.
 
10                     PART IV.  ADMINISTRATION
 
11      §    -51  Powers and duties of the office of information
 
12 practices.(a)  The director may:
 
13       (1) Compel witnesses and evidence;
 
14       (2) Administer oaths;
 
15       (3) Receive and accept any evidence and other information,
 
16           whether on oath, by affidavit, or otherwise, that the
 
17           director sees fit, regardless of whether it is or would
 
18           be admissible in a court of law;
 
19       (4) Examine or obtain copies or extracts from records;
 
20       (5) Bring lawsuits or other complaints in other tribunals;
 
21       (6) Delegate powers;
 
22       (7) Adopt rules for purposes of enforcement of this
 
23           chapter;
 

 
Page 21                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1       (8) Issue cease and desist orders;
 
 2       (9) Order an organization to amend or correct its practices
 
 3           to comply with this chapter;
 
 4     (10)  Order an organization to publish a notice of any action
 
 5           taken or proposed to be taken to correct its practices;
 
 6     (11)  Impose fines of not more than $1,000 per violation or a
 
 7           maximum of $50,000 for a business practice;
 
 8     (12)  File lawsuits or enter into settlement agreements; and
 
 9     (13)  Use all other legal powers necessary to carry out the
 
10           director's duties under this chapter.
 
11     (b)  The director shall administer this chapter.
 
12      §    -52  Education.  The director shall:
 
13      (1)  Develop and conduct information programs to foster
 
14           public understanding and recognition of the purposes of
 
15           this part;
 
16      (2)  Undertake and publish research that is related to the
 
17           protection of personal information;
 
18      (3)  Encourage organizations to develop detailed policies
 
19           and practices;
 
20      (4)  Promote, by any means the director feels appropriate,
 
21           the purposes of this chapter.
 
22      (5)  Make available to the public:
 
23           (A)  Audits performed under section  -11;
 

 
Page 22                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1           (B)  Reports of investigations under section  -32; and
 
 2           (C)  The number and nature of each complaint filed with
 
 3                an organization under an adopted code, or with the
 
 4                office, including the outcome of all complaints so
 
 5                described.
 
 6      §    -53  Reporting requirement.  The director shall submit
 
 7 a report to the legislature no later than twenty days before the
 
 8 convening of each legislative session.  On the fourth year of its
 
 9 existence, the director shall undertake a review of this
 
10 chapter."
 
11      SECTION 3.  There is appropriated out of the general
 
12 revenues of the State of Hawaii the sum of $          or so much
 
13 thereof as may be necessary for fiscal year 2000-2001 to carry
 
14 out the purposes of this Act, including the hiring of necessary
 
15 staff.
 
16      The sum appropriated shall be expended by the office of
 
17 information practices for the purposes of this Act.
 
18      SECTION 4.  Nothing in this Act shall be construed to
 
19 relieve any organization of its obligations under any of the laws
 
20 of this state or of the United States.
 

 
 
 
 
 
 
 
Page 23                                        
                                     S.B. NO.           2440
                                                        
                                                        

 
 1      SECTION 5.  This Act shall take effect upon its approval,
 
 2 provided that section 3 shall take effect on July 1, 2000.
 
 3 
 
 4                        INTRODUCED BY: ___________________________