Can I use third-party collaboration tools that collect personal information in Hawaii? What are the requirements?

Personal Information Collection and Disclosure in Hawaii

In Hawaii, the collection and disclosure of personal information is regulated by various laws, including the Hawaii Revised Statutes (HRS) and the Hawaii Administrative Rules (HIAR).

Third-Party Collaboration Tools

If you are using third-party collaboration tools that collect personal information, you must ensure that you comply with the relevant laws and regulations.

Under HRS 487N-6, government agencies are required to identify best practices to improve security and privacy programs relating to personal information. These best practices include automated tools, training, processes, and applicable standards. The best practices identified by the council must be posted on each government agency’s website in a manner that is readily accessible by employees of the government agency ^[1.1].

Under HRS 431:3A-301, the opt-out requirements for disclosure of nonpublic personal financial information do not apply if a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice in accordance with section 431:3A-201 and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information ^[2.4].

Requirements

To use third-party collaboration tools that collect personal information in Hawaii, you must comply with the following requirements:

• Identify best practices to improve security and privacy programs relating to personal information.
• Post the best practices on your website in a manner that is readily accessible by your employees.
• Provide an initial notice in accordance with section 431:3A-201.
• Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information.

Additionally, under HRS 487N-7, any government agency that maintains one or more personal information systems must submit an annual report to the council on the existence and character of each personal information system added or eliminated since the agency’s previous annual report. The annual report must be submitted no later than September 30 of each year and must include various details about the personal information system ^[1.2].

Conclusion

To use third-party collaboration tools that collect personal information in Hawaii, you must comply with the relevant laws and regulations, including identifying best practices, posting them on your website, providing an initial notice, and entering into a contractual agreement with the third party. Additionally, if you are a government agency, you must submit an annual report on your personal information systems to the council.

Source(s):

• [1.1] Personal information security; best practices; websites.
• [1.2] Personal information system; government agencies; annual report Personal information protection requirements. L Sp 2008, c 10, §§7 to 15. Personal information policy and oversight responsibilities for government agencies, see §487J-5.
• [2.4] Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.

Jurisdiction

Hawaii

• Privacy