Privacy of Information

Establishes the Hawaii Information Privacy Act, an omnibus
privacy protection act to provide safeguards against the
unwarranted private commercial collection and dissemination of
personal information about individuals.

THE SENATE                              S.B. NO.           991
TWENTIETH LEGISLATURE, 1999                                
STATE OF HAWAII                                            

                   A  BILL  FOR  AN  ACT



 1      SECTION 1.  This Act shall be known as the Hawaii
 2 Information Privacy Act.
 3      SECTION 2.  The multi-billion dollar commercial trade in
 4 personal information -- financial, job-related, medical, and
 5 lifestyle -- is one of the fastest growing industries in the
 6 world.  Such information is treated, in the private sector, as a
 7 commodity for development, purchase, and sale.  Personal
 8 information thus fuels an industry devoted to the thorough
 9 tracking, monitoring, and recording of specific aspects of
10 individuals' lives and their interaction with society.
11      In the United States, the person behind each piece of
12 information is largely neglected, and has few if any rights to
13 review that information for accuracy or to restrict the use of
14 that information.  Other countries, such as those in the European
15 Union, restrict and control the collection and dissemination of
16 sensitive personal information out of respect for a person's
17 personal privacy interests.  In such countries, personal
18 information may be collected, but its usage must be for the
19 purpose for which it was collected, and the individual has

Page 2                                                     
                                     S.B. NO.           991

 1 certain rights to restrict further distribution as well as the
 2 right to review the information for accuracy and to correct it as
 3 necessary.
 4      The United States in general has not developed comparable
 5 individual privacy protections.  Hawaii, however, has a unique
 6 constitutional right to privacy.  Article I, section 7 of our
 7 constitution, states that the "right of the people to privacy is
 8 recognized and shall not be infringed without the showing of a
 9 compelling state interest.  The legislature shall take
10 affirmative steps to implement this right." (Emphasis added)
11      The standing committee report of the 1978 Constitutional
12 Convention specified three ways in which the constitutional
13 privacy right applies:  to protect an individual from disclosure
14 of the individual's private affairs; to allow an individual of
15 control the privacy of information about the individual; and the
16 right to be left alone in certain highly personal areas of the
17 person's life.  The fact that this right applies to private as
18 well as governmental intrusion was highlighted in the committee
19 of the whole report, which stated that "[p]rivacy as used in this
20 sense concerns the possible abuse ... of highly personal and
21 intimate information in the hands of government or private
22 parties[.]"  Accordingly, the legislature is specifically
23 authorized, if not required, to propose legislation to protect

Page 3                                                     
                                     S.B. NO.           991

 1 against privacy encroachment by private entities.
 2      While certain personal information needs to be collected in
 3 order to accommodate and further current practices in a modern
 4 age, safeguards need to be in place to ensure that the privacy
 5 intrusions are both consented to and minimized to achieve only
 6 the intended purpose.  While chapter 92F, Hawaii Revised
 7 Statutes, contains constraints on governmental collection and
 8 dissemination of information, as well as giving individuals the
 9 right to review and correct their own records, corresponding
10 constraints on private business entities are virtually
11 nonexistent.
12      Individual states, as well as the federal government, have
13 been trying to resolve the increasing conflict between the result
14 of easy computer access to data and the right of privacy.  This
15 is of increasing concern because of the European Union's recent
16 directive on the protection of personal information.  This
17 directive prohibits the transfer of personally identifiable data
18 to other countries that do not provide an adequate level of
19 privacy protection.  Failure to comply with these guidelines, or
20 to guarantee equivalent protections, can be cause to restrict
21 trade involving data, a situation that the federal government is
22 endeavoring to avoid in ongoing negotiations with the European
23 Union nations.

Page 4                                                     
                                     S.B. NO.           991

 1      Hawai`i, with its strong constitutional mandate of
 2 individual privacy, must take affirmative steps to ensure privacy
 3 even in the absence of federal action.  The purpose of this Act,
 4 therefore, is to assure the effectuation of an individual's
 5 constitutional right to privacy, while providing for the
 6 reasonable exchange of information with adequate safeguards to
 7 protect its appropriate use.
 8      SECTION 3.  The Hawaii Revised Statutes is amended by adding
 9 a new chapter to be appropriately designated and to read as
10 follows:
11                             "CHAPTER
13         -1  Purpose.  The purpose of this chapter is to
14 implement the state constitutional right to privacy by providing
15 safeguards to the collection and dissemination of personal
16 information about individuals by the private sector.  To
17 effectuate this purpose, this chapter shall be construed
18 liberally to protect each individual's personal information.
19 This chapter:
20      (1)  Establishes certain principles with respect to the
21           collection, usage, and dissemination by private sector
22           enterprises of personal data;
23      (2)  Assures individuals the right of advance consent to the

Page 5                                                     
                                     S.B. NO.           991

 1           collection and dissemination of personal information;
 2      (3)  Provides for accurate, relevant, timely, and complete
 3           data collection by private sector enterprises;
 4      (4)  Enhances private sector accountability by allowing
 5           individuals access to their information; and
 6      (5)  Makes private sector enterprises accountable to
 7           individuals for improper collection, usage, or
 8           dissemination of personal data.
 9         -2  Definitions.  As used in this chapter:
10      "Personal data" means information about an individual which:
11      (1)  Identifies or easily leads to the identification of the
12           individual; and
13      (2)  Contains data about which the individual has a
14           reasonable expectation of privacy, including financial
15           records, employment records, and purchasing decisions.
16      For the purposes of this chapter, "personal data" does not
17 include medical or mental health data.
18      "Private enterprise" means any private agency, business,
19 organization, or individual who collects or disseminates
20 information on a primarily commercial or for-profit basis.
21 "Private enterprise" does not include the collection, usage, or
22 dissemination for:
23      (1)  Journalism; or

Page 6                                                     
                                     S.B. NO.           991

 1      (2)  Artistic or literary use.
 2         -3  Collection of personal data; limitations.  Unless
 3 otherwise provided by law or by section    -10, personal data
 4 shall be collected:
 5      (1)  Only for a lawful, necessary purpose connected with the
 6           function or purpose of the collecting private
 7           enterprise; and
 8      (2)  From the individual and not a third party unless:
 9           (A)  The individual freely and voluntarily consents to
10                collection by a third party;
11           (B)  State or federal law requires the data to be
12                collected;
13           (C)  Collection by a third party is necessary to ensure
14                the accuracy of the information; or
15           (D)  The information is collected in the interests of
16                the individual and due to exigent circumstances
17                the information cannot be collected in a normal
18                manner.
19           Information collected by a third person shall indicate
20           the source of the information.
21         -4  Notice to individuals.  A private enterprise that
22 collects personal data shall inform the person of the:
23      (1)  Purpose of the collection;

Page 7                                                     
                                     S.B. NO.           991

 1      (2)  Use for which the data will be used;
 2      (3)  Categories of persons in the enterprise who will have
 3           access to the data;
 4      (4)  The place where the data will be kept; and
 5      (5)  The individual's right of access and ability to correct
 6           the information.
 7         -5  Security safeguards; confidentiality.  Every private
 8 enterprise that collects, uses, or disseminates personal data
 9 about individuals shall establish reasonable safeguards to ensure
10 the confidentiality of personal data and to protect the data from
11 loss, misuse, theft, unauthorized access or disclosure,
12 defacement, alteration, or destruction.
13      If an industry develops a de facto standard for privacy
14 safeguards, failure of an enterprise within that industry to meet
15 or surpass that level of safeguards is rebuttable evidence that
16 the enterprise's safeguards are not reasonable.
17         -6  Limitations on use and disclosure.(a)  No personal
18 data shall be used in a manner inconsistent with the purpose as
19 stated to the individual under section  -4, or with the consent
20 given by the individual.
21      (b)  Unless otherwise authorized by law or consented to by
22 the individual, no private enterprise shall communicate to a
23 third party the personal data collected about the individual. If

Page 8                                                     
                                     S.B. NO.           991

 1 the individual consents to release to a third party, that third
 2 party shall provide at least the same level of privacy protection
 3 as the organization that originally gathered the information, and
 4 the holder of the information shall not release the information
 5 without a guarantee to the third party of this level of privacy
 6 protection.
 7         -7  Consent.  As used in this chapter, consent to
 8 disclosure of personal data by an individual means a knowing,
 9 informed, and voluntary waiver, which may be given for general
10 purposes or a specific purpose.  Consent shall be valid only for
11 the length of time necessary to achieve the purpose for which it
12 was requested.
13         -8  Subsequent transmission of personal data.  In any
14 subsequent transmission of personal data, whether to an agent,
15 subcontractor, or unrelated third party, the private enterprise
16 shall take all reasonable precautions to ensure that the
17 transferee, whether within the State or not, provides the same or
18 greater levels of protection of personal data as required by this
19 chapter.
20         -9  Discrimination prohibited.  No enterprise shall
21 refuse to respond to a request for goods or services, or to a
22 request relating to employment, on the ground that the individual
23 making the request refuses to disclose personal data, except

Page 9                                                     
                                     S.B. NO.           991

 1 where:
 2      (1)  Collection of that data is necessary for the
 3           performance of a contract; or
 4      (2)  Collection of the data is required by law.
 5         -10  Necessary disclosure of personal data.
 6 Notwithstanding the requirements of this chapter, a private
 7 enterprise shall communicate, without the consent of the
 8 individual, personal data on the individual to:
 9      (1)  The attorney general, if the information is necessary
10           for the purposes of prosecuting an offense under state
11           law;
12      (2)  A law enforcement agency that requires it in the
13           performance of its duties; or
14      (3)  Comply with a subpoena.
15         -11  Disposition of personal information.  All personal
16 information collected by a private enterprise shall be maintained
17 by the private enterprise for a period of eight years thereafter.
18 Upon the expiration of the eight-year period, the personal
19 information and all copies thereof shall be destroyed.
20         -12  Criminal penalties.  Any person who knowingly or
21 intentionally violates this chapter shall be guilty of a
22 misdemeanor.  If the defendant is a corporation or unincorporated
23 association, the court may sentence that private enterprise in

Page 10                                                    
                                     S.B. NO.           991

 1 accordance with section 706-608 in addition to any other penalty
 2 imposed by law.
 3         -13  Civil penalties.(a)  In addition to any criminal
 4 penalties imposed under section    -12, any private enterprise
 5 that intentionally or knowingly violates this chapter shall be:
 6      (1)  Fined not less than $1,000 nor more than $5,000 for
 7           each violation; and
 8      (2)  Subject to the revocation of the right of the private
 9           enterprise to collect or disseminate personal data, at
10           the discretion of the court.
11      (b)  The court, in issuing any final order in any action
12 brought pursuant to this section, may award costs of litigation,
13 including reasonable attorney's and expert witness fees, to any
14 prevailing or substantially prevailing party whenever the court
15 determines such an award to be appropriate.
16         -14  Private right of action.  Nothing in this chapter
17 shall be construed to prohibit a person aggrieved by a violation
18 of this chapter from commencing a civil action for injunctive
19 relief, actual and punitive damages, or any other remedy provided
20 by law.  A violation of this chapter shall be deemed a cause of
21 action for the purpose of the court action."
22      SECTION 4.  This Act shall take effect upon its approval.
24                              INTRODUCED BY:______________________

Page 11                                                    
                                     S.B. NO.           991


Page 12                                                    
                                     S.B. NO.           991