REPORT TITLE:
Privacy of Information


DESCRIPTION:
Establishes the Hawaii Information Privacy Act, an omnibus
privacy protection act to provide safeguards against the
unwarranted private commercial collection and dissemination of
personal information about individuals.

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
                                                        
THE SENATE                              S.B. NO.           991
TWENTIETH LEGISLATURE, 1999                                
STATE OF HAWAII                                            
                                                             
________________________________________________________________
________________________________________________________________


                   A  BILL  FOR  AN  ACT

RELATING TO PRIVACY.



BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 1      SECTION 1.  This Act shall be known as the Hawaii
 
 2 Information Privacy Act.
 
 3      SECTION 2.  The multi-billion dollar commercial trade in
 
 4 personal information -- financial, job-related, medical, and
 
 5 lifestyle -- is one of the fastest growing industries in the
 
 6 world.  Such information is treated, in the private sector, as a
 
 7 commodity for development, purchase, and sale.  Personal
 
 8 information thus fuels an industry devoted to the thorough
 
 9 tracking, monitoring, and recording of specific aspects of
 
10 individuals' lives and their interaction with society.
 
11      In the United States, the person behind each piece of
 
12 information is largely neglected, and has few if any rights to
 
13 review that information for accuracy or to restrict the use of
 
14 that information.  Other countries, such as those in the European
 
15 Union, restrict and control the collection and dissemination of
 
16 sensitive personal information out of respect for a person's
 
17 personal privacy interests.  In such countries, personal
 
18 information may be collected, but its usage must be for the
 
19 purpose for which it was collected, and the individual has
 

 
Page 2                                                     
                                     S.B. NO.           991
                                                        
                                                        


 1 certain rights to restrict further distribution as well as the
 
 2 right to review the information for accuracy and to correct it as
 
 3 necessary.
 
 4      The United States in general has not developed comparable
 
 5 individual privacy protections.  Hawaii, however, has a unique
 
 6 constitutional right to privacy.  Article I, section 7 of our
 
 7 constitution, states that the "right of the people to privacy is
 
 8 recognized and shall not be infringed without the showing of a
 
 9 compelling state interest.  The legislature shall take
 
10 affirmative steps to implement this right." (Emphasis added)
 
11      The standing committee report of the 1978 Constitutional
 
12 Convention specified three ways in which the constitutional
 
13 privacy right applies:  to protect an individual from disclosure
 
14 of the individual's private affairs; to allow an individual of
 
15 control the privacy of information about the individual; and the
 
16 right to be left alone in certain highly personal areas of the
 
17 person's life.  The fact that this right applies to private as
 
18 well as governmental intrusion was highlighted in the committee
 
19 of the whole report, which stated that "[p]rivacy as used in this
 
20 sense concerns the possible abuse ... of highly personal and
 
21 intimate information in the hands of government or private
 
22 parties[.]"  Accordingly, the legislature is specifically
 
23 authorized, if not required, to propose legislation to protect
 

 
Page 3                                                     
                                     S.B. NO.           991
                                                        
                                                        


 1 against privacy encroachment by private entities.
 
 2      While certain personal information needs to be collected in
 
 3 order to accommodate and further current practices in a modern
 
 4 age, safeguards need to be in place to ensure that the privacy
 
 5 intrusions are both consented to and minimized to achieve only
 
 6 the intended purpose.  While chapter 92F, Hawaii Revised
 
 7 Statutes, contains constraints on governmental collection and
 
 8 dissemination of information, as well as giving individuals the
 
 9 right to review and correct their own records, corresponding
 
10 constraints on private business entities are virtually
 
11 nonexistent.
 
12      Individual states, as well as the federal government, have
 
13 been trying to resolve the increasing conflict between the result
 
14 of easy computer access to data and the right of privacy.  This
 
15 is of increasing concern because of the European Union's recent
 
16 directive on the protection of personal information.  This
 
17 directive prohibits the transfer of personally identifiable data
 
18 to other countries that do not provide an adequate level of
 
19 privacy protection.  Failure to comply with these guidelines, or
 
20 to guarantee equivalent protections, can be cause to restrict
 
21 trade involving data, a situation that the federal government is
 
22 endeavoring to avoid in ongoing negotiations with the European
 
23 Union nations.
 

 
Page 4                                                     
                                     S.B. NO.           991
                                                        
                                                        


 1      Hawai`i, with its strong constitutional mandate of
 
 2 individual privacy, must take affirmative steps to ensure privacy
 
 3 even in the absence of federal action.  The purpose of this Act,
 
 4 therefore, is to assure the effectuation of an individual's
 
 5 constitutional right to privacy, while providing for the
 
 6 reasonable exchange of information with adequate safeguards to
 
 7 protect its appropriate use.
 
 8      SECTION 3.  The Hawaii Revised Statutes is amended by adding
 
 9 a new chapter to be appropriately designated and to read as
 
10 follows:
 
11                             "CHAPTER
 
12                  PRIVACY OF PERSONAL INFORMATION
 
13         -1  Purpose.  The purpose of this chapter is to
 
14 implement the state constitutional right to privacy by providing
 
15 safeguards to the collection and dissemination of personal
 
16 information about individuals by the private sector.  To
 
17 effectuate this purpose, this chapter shall be construed
 
18 liberally to protect each individual's personal information.
 
19 This chapter:
 
20      (1)  Establishes certain principles with respect to the
 
21           collection, usage, and dissemination by private sector
 
22           enterprises of personal data;
 
23      (2)  Assures individuals the right of advance consent to the
 

 
Page 5                                                     
                                     S.B. NO.           991
                                                        
                                                        


 1           collection and dissemination of personal information;
 
 2      (3)  Provides for accurate, relevant, timely, and complete
 
 3           data collection by private sector enterprises;
 
 4      (4)  Enhances private sector accountability by allowing
 
 5           individuals access to their information; and
 
 6      (5)  Makes private sector enterprises accountable to
 
 7           individuals for improper collection, usage, or
 
 8           dissemination of personal data.
 
 9         -2  Definitions.  As used in this chapter:
 
10      "Personal data" means information about an individual which:
 
11      (1)  Identifies or easily leads to the identification of the
 
12           individual; and
 
13      (2)  Contains data about which the individual has a
 
14           reasonable expectation of privacy, including financial
 
15           records, employment records, and purchasing decisions.
 
16      For the purposes of this chapter, "personal data" does not
 
17 include medical or mental health data.
 
18      "Private enterprise" means any private agency, business,
 
19 organization, or individual who collects or disseminates
 
20 information on a primarily commercial or for-profit basis.
 
21 "Private enterprise" does not include the collection, usage, or
 
22 dissemination for:
 
23      (1)  Journalism; or
 

 
Page 6                                                     
                                     S.B. NO.           991
                                                        
                                                        


 1      (2)  Artistic or literary use.
 
 2         -3  Collection of personal data; limitations.  Unless
 
 3 otherwise provided by law or by section    -10, personal data
 
 4 shall be collected:
 
 5      (1)  Only for a lawful, necessary purpose connected with the
 
 6           function or purpose of the collecting private
 
 7           enterprise; and
 
 8      (2)  From the individual and not a third party unless:
 
 9           (A)  The individual freely and voluntarily consents to
 
10                collection by a third party;
 
11           (B)  State or federal law requires the data to be
 
12                collected;
 
13           (C)  Collection by a third party is necessary to ensure
 
14                the accuracy of the information; or
 
15           (D)  The information is collected in the interests of
 
16                the individual and due to exigent circumstances
 
17                the information cannot be collected in a normal
 
18                manner.
 
19           Information collected by a third person shall indicate
 
20           the source of the information.
 
21         -4  Notice to individuals.  A private enterprise that
 
22 collects personal data shall inform the person of the:
 
23      (1)  Purpose of the collection;
 

 
Page 7                                                     
                                     S.B. NO.           991
                                                        
                                                        


 1      (2)  Use for which the data will be used;
 
 2      (3)  Categories of persons in the enterprise who will have
 
 3           access to the data;
 
 4      (4)  The place where the data will be kept; and
 
 5      (5)  The individual's right of access and ability to correct
 
 6           the information.
 
 7         -5  Security safeguards; confidentiality.  Every private
 
 8 enterprise that collects, uses, or disseminates personal data
 
 9 about individuals shall establish reasonable safeguards to ensure
 
10 the confidentiality of personal data and to protect the data from
 
11 loss, misuse, theft, unauthorized access or disclosure,
 
12 defacement, alteration, or destruction.
 
13      If an industry develops a de facto standard for privacy
 
14 safeguards, failure of an enterprise within that industry to meet
 
15 or surpass that level of safeguards is rebuttable evidence that
 
16 the enterprise's safeguards are not reasonable.
 
17         -6  Limitations on use and disclosure.(a)  No personal
 
18 data shall be used in a manner inconsistent with the purpose as
 
19 stated to the individual under section  -4, or with the consent
 
20 given by the individual.
 
21      (b)  Unless otherwise authorized by law or consented to by
 
22 the individual, no private enterprise shall communicate to a
 
23 third party the personal data collected about the individual. If
 

 
Page 8                                                     
                                     S.B. NO.           991
                                                        
                                                        


 1 the individual consents to release to a third party, that third
 
 2 party shall provide at least the same level of privacy protection
 
 3 as the organization that originally gathered the information, and
 
 4 the holder of the information shall not release the information
 
 5 without a guarantee to the third party of this level of privacy
 
 6 protection.
 
 7         -7  Consent.  As used in this chapter, consent to
 
 8 disclosure of personal data by an individual means a knowing,
 
 9 informed, and voluntary waiver, which may be given for general
 
10 purposes or a specific purpose.  Consent shall be valid only for
 
11 the length of time necessary to achieve the purpose for which it
 
12 was requested.
 
13         -8  Subsequent transmission of personal data.  In any
 
14 subsequent transmission of personal data, whether to an agent,
 
15 subcontractor, or unrelated third party, the private enterprise
 
16 shall take all reasonable precautions to ensure that the
 
17 transferee, whether within the State or not, provides the same or
 
18 greater levels of protection of personal data as required by this
 
19 chapter.
 
20         -9  Discrimination prohibited.  No enterprise shall
 
21 refuse to respond to a request for goods or services, or to a
 
22 request relating to employment, on the ground that the individual
 
23 making the request refuses to disclose personal data, except
 

 
Page 9                                                     
                                     S.B. NO.           991
                                                        
                                                        


 1 where:
 
 2      (1)  Collection of that data is necessary for the
 
 3           performance of a contract; or
 
 4      (2)  Collection of the data is required by law.
 
 5         -10  Necessary disclosure of personal data.
 
 6 Notwithstanding the requirements of this chapter, a private
 
 7 enterprise shall communicate, without the consent of the
 
 8 individual, personal data on the individual to:
 
 9      (1)  The attorney general, if the information is necessary
 
10           for the purposes of prosecuting an offense under state
 
11           law;
 
12      (2)  A law enforcement agency that requires it in the
 
13           performance of its duties; or
 
14      (3)  Comply with a subpoena.
 
15         -11  Disposition of personal information.  All personal
 
16 information collected by a private enterprise shall be maintained
 
17 by the private enterprise for a period of eight years thereafter.
 
18 Upon the expiration of the eight-year period, the personal
 
19 information and all copies thereof shall be destroyed.
 
20         -12  Criminal penalties.  Any person who knowingly or
 
21 intentionally violates this chapter shall be guilty of a
 
22 misdemeanor.  If the defendant is a corporation or unincorporated
 
23 association, the court may sentence that private enterprise in
 

 
Page 10                                                    
                                     S.B. NO.           991
                                                        
                                                        


 1 accordance with section 706-608 in addition to any other penalty
 
 2 imposed by law.
 
 3         -13  Civil penalties.(a)  In addition to any criminal
 
 4 penalties imposed under section    -12, any private enterprise
 
 5 that intentionally or knowingly violates this chapter shall be:
 
 6      (1)  Fined not less than $1,000 nor more than $5,000 for
 
 7           each violation; and
 
 8      (2)  Subject to the revocation of the right of the private
 
 9           enterprise to collect or disseminate personal data, at
 
10           the discretion of the court.
 
11      (b)  The court, in issuing any final order in any action
 
12 brought pursuant to this section, may award costs of litigation,
 
13 including reasonable attorney's and expert witness fees, to any
 
14 prevailing or substantially prevailing party whenever the court
 
15 determines such an award to be appropriate.
 
16         -14  Private right of action.  Nothing in this chapter
 
17 shall be construed to prohibit a person aggrieved by a violation
 
18 of this chapter from commencing a civil action for injunctive
 
19 relief, actual and punitive damages, or any other remedy provided
 
20 by law.  A violation of this chapter shall be deemed a cause of
 
21 action for the purpose of the court action."
 
22      SECTION 4.  This Act shall take effect upon its approval.
 
23 
 
24                              INTRODUCED BY:______________________
 

 
Page 11                                                    
                                     S.B. NO.           991
                                                        
                                                        


 1 
 
 2 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
Page 12                                                    
                                     S.B. NO.           991
                                                        
                                                        


 1