Can I store personal information about my customers in Hawaii? What are the requirements?
Storing Personal Information in Hawaii
If you are a business or government agency that conducts business in Hawaii and stores personal information of a resident of Hawaii, you must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal [1.1].
The reasonable measures include implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed [1.1].
You must also describe procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity [1.1].
If you are a disposal business that conducts business in Hawaii or disposes of personal information of residents of Hawaii, you must take reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to, or use of, personal information during or after the collection, transportation, and disposing of such information [1.1].
You may satisfy this obligation by exercising due diligence and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of records destruction to destroy personal information in a manner consistent with these requirements [1.1].
These destruction and disposal requirements do not apply to you if you are a financial institution subject to 15 U.S.C. sections 6801 to 6809, a health plan or healthcare provider subject to and in compliance with the HIPAA (Health Insurance Portability and Accountability Act of 1996) standards for the privacy of individually identifiable health information and the security standards for the protection of electronic health information, or a consumer reporting agency subject to and in compliance with the Fair Credit Reporting Act [1.1].
Additional Information
If you are a government agency that maintains one or more personal information systems, you must submit an annual report to the council on the existence and character of each personal information system added or eliminated since the agency's previous annual report [2.1]. The annual report must include:
- the name or descriptive title of the personal information system and its location;
- the nature and purpose of the personal information system and the statutory or administrative authority for its establishment;
- the categories of individuals on whom personal information is maintained, including the approximate number of all such individuals; and
- the categories of personal information generally maintained in the system, including identification of records that are stored in computer-accessible form or maintained manually [2.1].
If you are a licensee, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices, not less than annually for the duration of the customer relationship [3.1]. You are not required to provide an annual notice to a customer under this section if you have provided nonpublic personal financial information to nonaffiliated third parties only in accordance with section 431:3A-401, 431:3A-402, or 431:3A-403, and have not changed your policies and practices relating to the disclosure of nonpublic personal information since the most recent notice sent to customers in accordance with this section or section 431:3A-201 [3.1].
The requirements for initial notice, opt-out, and service providers and joint marketing do not apply if you disclose nonpublic personal financial information [3.2]:
- with the consent or at the direction of the consumer, who has not revoked the consent or direction;
- to protect the confidentiality or security of your records pertaining to the consumer, service, product, or transaction;
- to protect against or prevent actual or potential fraud or unauthorized transactions;
- for required institutional risk control;
- for resolving consumer disputes or inquiries;
- to persons holding a legal or beneficial interest relating to the consumer, or to persons acting in a fiduciary or representative capacity on behalf of the consumer;
- to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, or your attorneys, accountants, and auditors;
- to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, Title 12 United States Code section 3401 et seq., as amended, to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, and the Secretary of the Treasury with respect to Title 31 United States Code chapter 53, subchapter II (Records and Reports on Monetary Instruments and Transactions), as amended, and Title 12 United States Code chapter 21 (Financial Recordkeeping), as amended, a state insurance authority, and the Federal Trade Commission), to self-regulatory organizations, or for an investigation on a matter related to public safety;
- to a consumer reporting agency in accordance with the federal Fair Credit Reporting Act, Title 15 United States Code section 1681 et seq., as amended, or from a consumer report reported by a consumer reporting agency;
- in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit;
- to comply with federal, state, or local laws, rules, and other applicable legal requirements;
- to comply with a properly authorized civil, criminal, or regulatory investigation, or a subpoena or summons by federal, state, or local authorities; or
- for purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or a workers' compensation plan [3.2].
The opt-out requirements do not apply if you provide nonpublic personal financial information to a nonaffiliated third party to perform services for you or functions on your behalf, provided that you give the initial notice in accordance with section 431:3A-201 and enter into a contractual agreement with the third party that prohibits it from disclosing or using the information other than to carry out the purposes for which you disclosed it, including use under an exception in section 431:3A-402 or 431:3A-403 in the ordinary course of business to carry out those purposes [3.4].
Therefore, you can store personal information about your customers in Hawaii, provided that you comply with the destruction and disposal requirements above and, where they apply to you, the reporting and privacy notice requirements.
Source(s):
- [1.1] Destruction of personal information records
- [2.1] Personal information system; government agencies; annual report Personal information protection requirements. L Sp 2008, c 10, §§7 to 15. Personal information policy and oversight responsibilities for government agencies, see §487J-5.
- [3.1] Annual privacy notice to customers required.
- [3.2] Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information.
- [3.4] Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and for joint marketing.
Jurisdiction
Hawaii