Report Title:

Informational Privacy

Description:

Establishes the Hawaii information privacy act.

HOUSE OF REPRESENTATIVES

H.B. NO. 1466

TWENTY-FIRST LEGISLATURE, 2001

STATE OF HAWAII

A BILL FOR AN ACT

RELATING TO INFORMATIONAL PRIVACY.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

SECTION 1. The flow of information has become essential to the modern global economy. The multi-billion dollar commercial trade in personal information--financial, job-related, medical, and lifestyle--is one of the fastest growing industries in the world. In the private sector, this information is often treated as a commodity for development, purchase, and sale. Personal information fuels an industry devoted to the thorough tracking, monitoring, and recording of specific aspects of individuals' lives and their interaction with society.

There has been a dramatic increase in the use of the internet to disseminate and gather information, as well as to buy and sell products and services. However, a major impediment to the growth of the internet as a commercial marketplace is customer confidence. Surveys indicate that consumers will not use the internet as a marketplace unless their privacy is protected and their financial information is secure.

Hawaii has a unique constitutional right to privacy. Article I, section 6 of the State Constitution states that the "right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest" and requires the legislature to "take affirmative steps to implement this right." The standing committee report of the 1978 Constitutional Convention specified three ways in which the constitutional privacy right applies: to protect an individual from disclosure of the individual's private affairs; to allow an individual to control the privacy of information about the individual; and to maintain the individual's right to be left alone in certain highly personal areas of the individual's life. It was intended that this right apply to private, as well as governmental, intrusions.

Business recognizes that responsible handling of personal information engenders consumer confidence and trust. Therefore, setting information privacy standards will be advantageous to businesses. Businesses will know what their obligations are and consumers will know what to expect from businesses that collect or use their information.

In the United States, the individual behind each piece of information is largely neglected, and has few, if any, rights to review the information for accuracy or to restrict the use of the information. Other countries, such as New Zealand, Hong Kong, and the member states of the European Union, set standards for the collection and dissemination of personal information out of respect for an individual's personal privacy interests. In general, the United States has not developed comparable individual privacy protections. While certain personal information needs to be collected to accommodate and further current practices in a modern age, safeguards need to be in place to ensure that privacy intrusions are both consented to and minimized to achieve only the intended purpose. While chapter 92F, Hawaii Revised Statutes, governs the public sector's information practices, including collection and dissemination of information, standards for the private sector are virtually nonexistent.

Individual states, as well as the federal government, have been trying to resolve the conflict between the use of personal information and the right to privacy not only for the individuals' rights but because of the European Union's recent directive on the protection of personal information. This directive prohibits the transfer of personally identifiable data to other countries that do not provide an adequate level of privacy protection. Failure to enact adequate protection can restrict trade involving data, a situation that the federal government is endeavoring to avoid in ongoing negotiations with the European Union nations. Hawaii, with its strong constitutional mandate of individual privacy, can and must take affirmative steps to ensure privacy even in the absence of federal action.

The purpose of this Act is to assure an individual's constitutional right to privacy, while providing for the reasonable exchange of information with adequate safeguards to protect its appropriate use.

SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"CHAPTER

HAWAII INFORMATION PRIVACY ACT

PART I. GENERAL PROVISIONS AND DEFINITIONS

§ -1 General definitions. As used in this chapter:

"Director" means the director of the office of information practices.

"Individual" means a natural person.

"Office" means the office of information practices.

"Organization" means all nongovernmental entities, associations, partnerships, and individuals using personal information in a commercial context, including not-for-profit entities.

"Personal information" means all information that is identifiable to an individual.

"Privacy standard" or "standard" means any of the privacy standards set out in part II.

"Related organizations" means a group of organizations related by common ownership or control, and includes all parents, subsidiaries, branches, and divisions.

§ -2 Application. This chapter shall not apply to:

(1) The domestic collection, holding, use, or disclosure of personal information by individuals;

(2) The collection, holding, use, or disclosure of personal information by government agencies; or

(3) The collection, holding, use, or disclosure of personal information solely for journalistic, artistic, or literary purposes.

§ -3 Obligations. All organizations shall handle or process personal information pursuant either to the privacy standards set forth in part II or to codes of practice adopted by the director.

§ -4 Codes of practice. (a) The director may initiate or receive requests for the adoption of organization codes of practice after public hearing, if satisfied that the code:

(1) Incorporates all the privacy standards and obligations under this chapter, or sets out obligations that, overall, are at least the equivalent of all the obligations set out in those principles;

(2) Specifies or sets out a mechanism to identify all organizations bound by the code;

(3) Sets out procedures that allow an organization to be released from the code and when the release takes effect;

(4) Sets out appropriate procedures for making and dealing with complaints, including the appointment of one or more persons knowledgeable about this chapter and who have due regard for human rights and societal interests that compete with privacy, including the free flow of information through society;

(5) Provides that decisions may be affirmed by the director;

(6) Provides that the organization against whom a decision was rendered is bound by the requirements of the decision;

(7) Provides that the decisions shall be publicly available through the office and that the director may segregate parts of a decision that may identify a person or otherwise constitute an invasion of the person's privacy; and

(8) Provides that a report be prepared and given to the director no later than July 31st of each year to include the number, nature, and outcome of complaints made under the code.

(b) Codes of practice may cover either, both, or all of the following:

(1) Personal information or specified types of personal information; or

(2) Specified activity or class of activities of an organization; or

(3) A specified industry sector and professions or a specified class of industry sectors and professions.

(c) Once adopted, the code shall have the force and effect of a rule.

(d) The director may amend or revoke codes of practice on the director's initiative or on request by an organization that is bound by the code, after public hearing.

PART II. PRIVACY STANDARDS

§ -11 Accountability. An organization shall be responsible for personal information under its control and shall appoint at least one individual responsible for ensuring compliance with this chapter. In the absence of an appointment, the owners, all partners, the president, or all members of the board of directors of a corporation shall be held accountable for compliance with this chapter.

§ -12 Purpose of collection. The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected. Every organization shall advise the individual about whom they are collecting personal information of the purposes, uses, and any anticipated disclosures of the collected information. The advice or notice shall be given at or before the time of collection.

§ -13 Collection, consent to collect. Personal information shall be collected by fair and lawful means. An organization shall obtain the individual's consent for the collection, use, or disclosure of personal information about the individual, except where such requirement is inappropriate. Consent shall not be required where:

(1) Collection is clearly in the interest of the individual and consent cannot be obtained in a timely manner;

(2) It is reasonable to believe collection with consent and knowledge would compromise the accuracy of the information and collection is for purposes of investigating a breach of an agreement or contravention of the laws of this State or the United States; or

(3) The information is publicly available.

§ -14 Limitation on collection, use, and disclosure.

(a) Except with the consent of the individual or as required by law, personal information shall:

(1) Not be used or disclosed for purposes other than those for which it was collected;

(2) Not be disclosed beyond this jurisdiction by an organization, whether to an agent, subcontractor, or unrelated third party, unless the transmitting organization has taken all reasonable measures to ensure that the transferee provides the same or greater levels of protection of personal information as required by these standards;

(3) Not be compiled, used, or disclosed by the organization in a discriminatory fashion on the basis of race, medical condition or status, political or religious association, or gender, unless there is a compelling state interest; and

(4) Be retained only for as long as is necessary for the fulfillment of those purposes or as otherwise required by law.

(b) Consent shall not be required when the use or disclosure is:

(1) For the purpose of investigating an offense that has been or is about to be committed under the laws of the United States or a state and the information could be reasonably believed to be useful in the investigation of the offense;

(2) For an emergency that threatens the life, health, or security of any individual;

(3) Clearly in the interest of the individual and consent cannot be obtained in a timely manner;

(4) To the organization's lawyer for purposes of representation;

(5) Pursuant to a subpoena or warrant issued by a court of law or other administrative body with jurisdiction to compel the production of information, records, or documents;

(6) To a government agency, pursuant to a lawful request, for purposes of conservation of records of historic or archival importance;

(7) Made after one hundred years after the record containing the information was created or twenty years after the death of the individual whom the information is about; or

(8) Required by or specifically authorized by law.

§ -15 Quality of personal information. An organization shall take reasonable steps to ensure that personal information that it uses is accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

§ -16 Safeguarding personal information. An organization shall take reasonable steps to ensure that personal information it maintains is protected against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification by security safeguards appropriate to the sensitivity of the information.

§ -17 Policies and practices. An organization shall make readily available to individuals clear information about its policies and practices relating to the requirements of this chapter, which shall include:

(1) What personal information is made available to related organizations;

(2) The means of gaining access to personal information held by the organization; and

(3) The process by which complaints or inquiries can be made within the organization.

§ -18 Individual access. (a) Upon written request, an organization shall inform an individual whether it holds, uses, or discloses readily retrievable personal information about that individual.

(b) Upon request, and within a reasonable period of time, an organization shall give an individual access to readily retrievable information about that individual after payment of the reasonable costs of retrieval and duplication.

(c) An organization shall not give access to personal information if:

(1) Providing access would be unlawful;

(2) Denying access is required or authorized by law or rule;

(3) Giving access could reasonably be expected to threaten the life or security of another individual or group of individuals or would have an unreasonable impact on the privacy of other individuals;

(4) The information is protected by a statutory privilege;

(5) Giving access would prejudice the enforcement of laws, protection of the public, or the legal enforcement of a contract with the organization;

(6) Giving access would reveal confidential business information that cannot reasonably be protected by other means;

(7) Giving access would prejudice the organization's ongoing negotiations; or

(8) The information was generated for purposes of litigation or within a formal dispute resolution process.

These exceptions shall not apply if the individual needs the information because the individual's life, health, or security is threatened.

(d) An individual shall have the right to challenge the accuracy and completeness of the personal information held by the organization and have it amended as may be appropriate.

(e) An organization shall provide an informal method of reviewing a denial of access or amendment of personal information.

(f) An organization shall inform the individual in writing of a denial, setting out the reasons and any recourse that the individual may have.

§ -19 Sensitive data. The director may adopt rules pursuant to chapter 91 to protect sensitive personal information.

PART III. ADMINISTRATIVE ENFORCEMENT

§ -31 Audits. To enforce the standards or codes of practice, the director may:

(1) Require that organizations present to the director periodic independent audits of their personal information management practices and policies applying assurance criteria consistent with the privacy standards set out in this chapter or code of practice adopted under this chapter, whichever is applicable; and

(2) On reasonable notice and at any reasonable time, audit the personal information management practices of an organization if the director has reasonable grounds to believe that the organization is violating a provision of this chapter. After an audit, the director shall provide the audited organization with a report that contains the findings of the audit and any recommendations that the director considers appropriate.

Reports of audits performed under this section shall be made public; provided that the director shall segregate any confidential business information or other information contained in the reports that may identify an individual or otherwise constitute an invasion of the individual's privacy.

§ -32 Complaints. (a) An individual may file with the director a written complaint against an organization for alleged violations of this chapter or of a code of practice.

(b) A complaint that alleges a refusal to grant access and correction or other amendment shall be filed within forty-five days after the alleged refusal.

(c) The director may:

(1) Dismiss the complaint if the director determines that:

(A) The complaint is not timely, trivial, frivolous, vexatious, or made in bad faith;

(B) The complainant should exhaust other grievance or review procedures; or

(C) The complaint could more appropriately be dealt with either initially or in its totality by means of another procedure or body;

(2) If appropriate, refer the complainant to other procedures or bodies for review; or

(3) If the director believes there are reasonable grounds to believe there has been a violation of this chapter, conduct an investigation under section  -33.

§ -33 Investigations. (a) Pursuant to complaint under section  -32 or by the director's initiative, the director may conduct an investigation to determine whether there has been a violation of this chapter or of a code of practice adopted under this chapter.

(b) The director shall prepare a report of the findings and shall issue the report to the organization investigated. In addition to the findings, the director may include in the report:

(1) Recommendations relating to the promotion of compliance with this chapter;

(2) Any actions the director may take, pursuant to subsection (c), as a result of the investigation; and

(3) Any other comments arising from the investigation as the director thinks fit to make.

A summary of the report may be included in the director's published annual report.

(c) If the findings of an investigation give the director reason to believe that an organization has violated the privacy standards or codes of practice, the director may:

(1) Arbitrate any dispute;

(2) Hold a hearing for issuance of a cease and desist order pursuant to section  -34;

(3) Employ any other of the powers given to the director under section  -51 as necessary to enforce the obligations imposed by this chapter; and

(4) If appropriate:

(A) Recommend to appropriate bodies that the organization's license to do business within the State of Hawaii be removed;

(B) Refer for or coordinate prosecution before other regulatory bodies; and

(C) Prosecute the organization through the judicial system on behalf of the State, or through other state, national, or international adjudicatory bodies.

§ -34 Cease and desist orders. (a) If the director has reason to believe that an organization has violated any of the privacy standards or codes of practice, and that a proceeding by the director in respect to that would be in the interest of the public, the director shall issue and serve upon the organization and the complainant, if any:

(1) A statement of the charges in that respect; and

(2) A notice of a hearing, to be held at a time and place fixed in the notice, which shall not be fewer than fifteen days after the date of service.

(b) At the time and place fixed for the hearing, the organization and the complainant, if any, shall have an opportunity to be heard and to show cause why an order should or should not be made by the director requiring the organization to cease and desist from the acts, methods, practices, or otherwise to comply with this chapter.

(c) The hearing shall be deemed a contested case hearing pursuant to chapter 91.

(d) All remedies, penalties, and proceedings set forth in this section are to be invoked solely and exclusively by the director.

(e) If after the hearing the director determines that the organization charged has violated any provision of this chapter, the director shall reduce the findings to writing and shall issue and cause to be served on the organization charged with the violation a copy of the findings and an order requiring the organization to cease and desist from violating this chapter or otherwise to comply with the requirements of this chapter. At the director's discretion, the director may also employ any other of the powers given to the director under section  -51 as necessary to enforce the obligations imposed by this chapter.

(f) Any organization that violates a cease and desist order or a compliance order of the director under this section may be subject, at the discretion of the director, after notice and hearing and upon order of the director, to a civil penalty of not more than $10,000 for each and every act in violation of the cease and desist order.

(g) No order of the director pursuant to this section or order of court to enforce it shall in any way relieve or absolve any person affected by the order from any other liability, penalty, or forfeiture required by law.

§ -35 Notice to other regulatory agencies. Whenever the director conducts any investigation or takes other action against any organization for violation of this chapter, the director shall notify any agency that has regulatory oversight over the organization of the director's action.

§ -36 Whistleblowing. (a) Any individual who has reasonable grounds to believe that an organization has violated or intends to violate a provision of this chapter, may notify the director and may request that the individual's identity be kept confidential with respect to the notification. The director shall keep confidential the identity of an individual who has notified the director and to whom an assurance of confidentiality has been provided by the director.

(b) No employer shall dismiss, suspend, demote, discipline, harass, or otherwise disadvantage any employee or deny an employee a benefit of employment by reason that the employee, acting in good faith and on the basis of reasonable belief:

(1) Has disclosed to the director that the employer or any other individual has violated or intends to violate a provision of this chapter;

(2) Has refused or stated an intention of refusing to perform anything that is a violation of a provision of this chapter; or

(3) Has done or stated an intention of doing anything necessary in order that this chapter not be violated or the employer believes that the employee will do anything referred to in paragraph (1), (2), or (3).

(c) Nothing in this section shall impair any right of an employee or employer either at law or under an employment contract or collective agreement.

(d) As used in this section, "employee" includes an independent contractor.

PART IV. ADMINISTRATION

§ -51 Powers and duties of the office of information practices. (a) The director may:

(1) Compel witnesses and evidence;

(2) Administer oaths;

(3) Receive and accept any evidence and other information, whether on oath, by affidavit, or otherwise, that the director sees fit, regardless of whether it is or would be admissible in a court of law;

(4) Examine or obtain copies or extracts from records;

(5) Bring lawsuits or other complaints in other tribunals;

(6) Delegate powers;

(7) Adopt rules for purposes of enforcement of this chapter;

(8) Issue cease and desist orders;

(9) Order an organization to amend or correct its practices to comply with this chapter;

(10) Order an organization to publish a notice of any action taken or proposed to be taken to correct its practices;

(11) Impose fines of not more than $1,000 per violation or a maximum of $50,000 for a business practice;

(12) File lawsuits or enter into settlement agreements; and

(13) Use all other legal powers necessary to carry out the director's duties under this chapter.

(b) The director shall administer this chapter.

§ -52 Education. The director shall:

(1) Develop and conduct information programs to foster public understanding and recognition of the purposes of this part;

(2) Undertake and publish research that is related to the protection of personal information;

(3) Encourage organizations to develop detailed policies and practices;

(4) Promote, by any means the director feels appropriate, the purposes of this chapter; and

(5) Make available to the public:

(A) Audits performed under section  -11;

(B) Reports of investigations under section  -32; and

(C) The number and nature of each complaint filed with an organization under an adopted code, or with the office, including the outcome of all complaints so described.

§ -53 Reporting requirement. The director shall submit a report to the legislature no later than twenty days before the convening of each legislative session. On the fourth year of its existence, the director shall undertake a review of this chapter."

SECTION 3. There is appropriated out of the general revenues of the State of Hawaii the sum of $ or so much thereof as may be necessary for fiscal year 2001-2002 to carry out the purposes of this Act, including the hiring of necessary staff.

The sum appropriated shall be expended by the office of information practices for the purposes of this Act.

SECTION 4. Nothing in this Act shall be construed to relieve any organization of its obligations under any of the laws of this State or of the United States.

SECTION 5. This Act shall take effect upon its approval, provided that section 3 shall take effect on July 1, 2001.

INTRODUCED BY:

_____________________________