STAND. COM. REP. NO. 2388
Honolulu, Hawaii
RE: S.B. No. 2803
S.D. 1
Honorable Colleen Hanabusa
President of the Senate
Twenty-Fourth State Legislature
Regular Session of 2008
State of Hawaii
Madam:
Your Committees on Economic Development and Taxation and Judiciary and Labor, to which was referred S.B. No. 2803 entitled:
"A BILL FOR AN ACT RELATING TO PERSONAL INFORMATION,"
beg leave to report as follows:
The purpose of this measure is to implement recommendations of the December 2007 report of the Hawaii Identity Theft Task Force (ID Theft Task Force) to protect the security of personal information collected and maintained by state and county governments.
Testimony in support of this measure was received from the Department of Education, Hawaii Financial Services Association, and Retail Merchants of Hawaii. The Consumer Data Industry Association submitted testimony in opposition. The Department of Commerce and Consumer Affairs and the University of Hawai‘i System submitted comments.
Your Committees find that this measure reflects the lengthy briefings by state and county agencies and deliberations that the ID Theft Task Force conducted to develop recommendations to safeguard personal information contained in government records.
While some agencies may consider some of the recommended "best practices" adopted by federal agencies and other jurisdictions to be burdensome, the ID Theft Task Force carefully weighed the need to protect and safeguard personal information against procedural requirements that could hinder efficient government use of social security numbers and other information for legitimate identification purposes.
All in all, the ID Theft Task Force's final report and appendices reflect a comprehensive, thoughtful compilation of steps that security industry professionals, high-level government information technology officials, state and county policymakers, agency representatives, and private sector representatives agreed were the appropriate steps for Hawaii government agencies to use in safeguarding against unauthorized use or abuse of personal information in government records.
Your Committees have heard a number of concerns raised about this measure, ranging from the inadequacy of resources and the best place to house a security entity to the consequences for private sector businesses that use personal information in a legitimate manner.
Your Committees believe that some of these concerns, such as the consequences for private sector businesses needing to access personal information for legitimate credit evaluation purposes, have been partly addressed in the Task Force's recommendations.
For example, through the development of plans to protect and redact personal information, specifically social security numbers, in existing hardcopy records prior to allowing the documents to be publicly inspected (Section 10, Part VI of this measure), specific conditions could be established to allow third-party private sector businesses to obtain access to personal information for legitimate credit evaluation purposes. These safeguards could mirror the types of safeguards required to be adopted by agencies that contract with external parties for support services (Section 9, Part V of this measure).
With respect to other concerns identified by the University of Hawai‘i System, your Committees agree that further work is needed between the ID Theft Task Force consultant, user agencies, and policymakers to craft a reasonable means to accomplish the personal information safeguards developed by the Task Force. For example, if the collection and use of social security numbers for purposes other than required by state or federal law is the only means of verifying students' or employees' identities for purposes that are allowed by federal law (e.g., student loans and scholarships, employee benefits, etc.), your Committees believe additional time is needed to fine-tune this requirement and other requirements such as development of an annual report of personal information systems, establishment of Chief Privacy Officer positions to assist agencies in meeting their responsibilities under the measure, and modifications to the functions of the information privacy and security council.
Your Committees believe these concerns should be reviewed, and urge the various parties to work together to craft legislation that will provide the highest level of security for Hawaii residents.
Your Committees have amended this measure by:
(1) Moving the Information Privacy and Security Council from the Department of Commerce and Consumer Affairs to the Department of the Attorney General, and amending the appropriation to reflect the change in the expending agency;
(2) Changing the effective date of certain sections of the measure from 2008 to 2025, for the purposes of further discussion; and
(3) Making numerous technical amendments for the purposes of conformity and clarity.
As affirmed by the records of votes of the members of your Committees on Economic Development and Taxation and Judiciary and Labor that are attached to this report, your Committees are in accord with the intent and purpose of S.B. No. 2803, as amended herein, and recommend that it pass Second Reading in the form attached hereto as S.B. No. 2803, S.D. 1, and be referred to the Committee on Ways and Means.
Respectfully submitted on behalf of the members of the Committees on Economic Development and Taxation and Judiciary and Labor,
|
____________________________ BRIAN T. TANIGUCHI, Chair |
|
____________________________ CAROL FUKUNAGA, Chair |
|
|
|
|