Can I use third-party social media tools that collect personal information in Hawaii? What are the requirements?

Using Third-Party Social Media Tools in Hawaii

Yes, you can use third-party social media tools that collect personal information in Hawaii, but you must comply with the state’s laws and regulations regarding the protection of personal information.

According to HIRS 487R-2, any business or government agency that maintains or otherwise possesses personal information of a resident of Hawaii shall take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal. The reasonable measures shall include implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed.

Furthermore, a business or government agency may satisfy its obligation by exercising due diligence and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of records destruction to destroy personal information in a manner consistent with this section. Due diligence should ordinarily include reviewing and evaluating the disposal business’ information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal business ^[1.1].

Therefore, if you are using third-party social media tools that collect personal information in Hawaii, you must ensure that the third-party provider complies with the state’s laws and regulations regarding the protection of personal information. You should review the provider’s information security policies and procedures and ensure that they are competent and have integrity. You should also enter into a written contract with the provider that prohibits the provider from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information ^[4.2].

Best Practices for Personal Information Security

The Hawaii Information Privacy and Security Council has identified best practices to assist government agencies in improving security and privacy programs relating to personal information. These best practices include automated tools, training, processes, and applicable standards. The best practices identified by the council are posted on each government agency’s website in a manner that is readily accessible by employees of the government agency ^[2.1].

Annual Report on Personal Information Systems

Effective January 1, 2009, any government agency that maintains one or more personal information systems shall submit to the council an annual report on the existence and character of each personal information system added or eliminated since the agency’s previous annual report. The annual report shall be submitted no later than September 30 of each year. The annual report shall include the name or descriptive title of the personal information system and its location, the nature and purpose of the personal information system and the statutory or administrative authority for its establishment, the categories of individuals on whom personal information is maintained, including the approximate number of all individuals on whom personal information is maintained, and the categories of personal information generally maintained in the system, including identification of records that are stored in computer accessible records or maintained manually. The report shall also include all confidentiality requirements relating to personal information systems or parts thereof that are confidential pursuant to statute, rule, or contractual obligation, and personal information systems maintained on an unrestricted basis. The report shall provide detailed justification of the need for statutory or regulatory authority to maintain any personal information system or part thereof on a confidential basis for all personal information systems or parts thereof that are required by law or rule. The categories of sources of personal information, the agency’s policies and practices regarding personal information storage, duration of retention of information, and elimination of information from the system, the uses made by the agency of personal information contained in any personal information system, the identity of agency personnel, by job classification, and other agencies, persons, or categories to whom disclosures of personal information are made or to whom access to the personal information system may be granted, including the purposes of access and any restrictions on disclosure, access, and redisclosure, a list identifying all forms used by the agency in the collection of personal information, and the name, title, business address, and telephone number of the individual immediately responsible for complying with this section shall also be included in the report. The report shall be confidential and not disclosed publicly in any form or forum ^[2.2].

Conclusion

In summary, you can use third-party social media tools that collect personal information in Hawaii, but you must ensure that the provider complies with the state’s laws and regulations regarding the protection of personal information. You should review the provider’s information security policies and procedures and ensure that they are competent and have integrity. You should also enter into a written contract with the provider that prohibits the provider from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information. The Hawaii Information Privacy and Security Council has identified best practices to assist government agencies in improving security and privacy programs relating to personal information. Any government agency that maintains one or more personal information systems shall submit to the council an annual report on the existence and character of each personal information system added or eliminated since the agency’s previous annual report ^{[1.1][2.1][2.2]}.

Source(s):

• [1.1] Destruction of personal information records
• [2.1] Personal information security; best practices; websites.
• [2.2] Personal information system; government agencies; annual report Personal information protection requirements. L Sp 2008, c 10, §§7 to 15. Personal information policy and oversight responsibilities for government agencies, see §487J-5.
• [4.2] Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and for joint marketing.

Jurisdiction

Hawaii

• Privacy