Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I skip obtaining consent to disclose personal information for a business purpose in Hawaii? What are the requirements?

Disclosure of Personal Information for Business Purpose in Hawaii

In Hawaii, generally, you need to obtain consent from the consumer to disclose personal information for a business purpose. However, there are exceptions to this requirement [HIRS 431:3A-403].

According to HIRS 431:3A-403, a licensee may disclose nonpublic personal financial information without obtaining consent in the following circumstances:

  • With the consent or at the direction of the consumer, who has not revoked the consent or direction;
  • To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction;
  • To protect against or prevent actual or potential fraud or unauthorized transactions;
  • For required institutional risk control;
  • For resolving consumer disputes or inquiries;
  • To persons holding a legal or beneficial interest relating to the consumer or to persons acting in a fiduciary or representative capacity on behalf of the consumer;
  • To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, or the licensee’s attorneys, accountants, and auditors;
  • To comply with federal, state, or local laws, rules, and other applicable legal requirements;
  • To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities;
  • To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law;
  • For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or a workers’ compensation plan.

However, even when an exception applies, a licensee must still comply with other requirements, such as providing initial and opt-out notices to consumers, as outlined in HIRS 431:3A-301.

If you are unsure whether an exception applies to your situation, you should consult with legal counsel.

Annual Report on Personal Information System

If you are a government agency that maintains one or more personal information systems in Hawaii, you are required to submit an annual report on the existence and character of each personal information system added or eliminated since the agency’s previous annual report [HIRS 487N-7]. The annual report should include the name or descriptive title of the personal information system and its location, the nature and purpose of the personal information system and the statutory or administrative authority for its establishment, the categories of individuals on whom personal information is maintained, including the approximate number of all individuals on whom personal information is maintained, and the categories of personal information generally maintained in the system, including identification of records that are stored in computer accessible records or maintained manually. The report should also include all confidentiality requirements relating to personal information systems or parts thereof that are confidential pursuant to statute, rule, or contractual obligation, and personal information systems maintained on an unrestricted basis. The report should provide detailed justification of the need for statutory or regulatory authority to maintain any personal information system or part thereof on a confidential basis for all personal information systems or parts thereof that are required by law or rule. The report should also include the categories of sources of personal information, the agency’s policies and practices regarding personal information storage, duration of retention of information, and elimination of information from the system, the uses made by the agency of personal information contained in any personal information system, the identity of agency personnel, by job classification, and other agencies, persons, or categories to whom disclosures of personal information are made or to whom access to the personal information system may be granted, including the purposes of access and any restrictions on disclosure, access, and redisclosure, a list identifying all forms used by the agency in the collection of personal information, and the name, title, business address, and telephone number of the individual immediately responsible for complying with this section.

Conclusion

In Hawaii, you generally need to obtain consent from the consumer to disclose personal information for a business purpose. However, there are exceptions to this requirement. If you are unsure whether an exception applies to your situation, you should consult with legal counsel. If you are a government agency that maintains one or more personal information systems in Hawaii, you are required to submit an annual report on the existence and character of each personal information system added or eliminated since the agency’s previous annual report.

Jurisdiction

Hawaii