June 2023

1. Right To Privacy/ Constitutional Protection

The Constitution of the State of Hawaii ('the Constitution') recognizes a constitutional right to privacy under Article I, Section 6.

The right to privacy is recognized in Hawaii case law (see Fergerstrom v. Hawaiian Ocean View Estates, 50 Hawai'i 374, 441 P.2d 141 (1968)), as well as being protected by statute (see Chapter 482P of Title 26 of the Hawaii Revised Statutes ('Haw. Rev. Stat.')). Although Hawaii has not formally recognized other types of common law claims for invasion of privacy (false light, the publication of private facts, and intrusion into seclusion), several Hawaii appellate decisions have articulated the elements of such claims (see for example, Lee Ching v. Loo Dung, 145 Hawai'i 99, 446 P.3d 1016 (2019); SHOP v. Soc'y of Prof'l Journalists, 83 Hawai'i 378, 92 P.2d 386 (1996); Mehau v. Reed, 76 Hawai'i 101, 869 P.2d 1320 (1994)).

2. Key Privacy Laws

Constitutional right to privacy

Article I, Section 6 of the Constitution states: 'The right of the people to privacy is recognized and shall not be infringed without the showing of compelling state interest. The legislature shall take affirmative steps to implement this right.' The constitutional right to privacy in Hawaii extends to informational privacy (see Brende v. Hara, 113 Hawai'i 424, 153 P.3d 1109 (2007)).

Statutory right to privacy

Under the Hawaii Penal Code, under Title 37 of the Haw. Rev. Stat., invasion of privacy is a criminal offense (see Haw. Rev. Stat. §§711-1110.9 and 711-1111). By statute, every individual or personality has a property right in the use of the individual's or personality's name, voice, signature, and likeness (Haw. Rev. Stat. §482P-2). The right to publicity is transferable and survives post-mortem for a period of 70 years (see Haw. Rev. Stat. §482P-4).

Identity theft

It is a criminal offense to intentionally or knowingly possess, without authorization, any confidential personal information of another in any form, including but not limited to mail, physical documents, identification cards, or information stored in digital form (§708-839.55 of Chapter 708 of Title 37 of the Haw. Rev. Stat.).

It is also a criminal offense in Hawaii to make or cause to be made 'a transmission of any personal information of another by any oral statement, any written statement, or any statement conveyed by any electronic means', with the intent to commit another offense (see Haw. Rev. Stat. §§708-839.6 to 708-839.8). These Sections provide for criminal penalties for different degrees of each offense. For example, a Class A felony is punishable by up to 20 years imprisonment and a fine of up to $50,000 (§§706-640 and 706-659 of Chapter 706 of Title 37 of the Haw. Rev. Stat.). A Class C felony is punishable by up to five years imprisonment and a fine of up to $10,000 (Haw. Rev. Stat. §§706-640 and 706-660).

'Personal information' means information associated with an actual person or a fictitious person that is a name, an address, a telephone number, a social security number, an employer, a place of employment, information related to employment, an employee identification number, a mother's maiden name, an identifying number of a depository account, a bank account number, a password used for accessing information, or any other name, number, or code that is used, alone or in conjunction with other information, to confirm the identity of an actual or a fictitious person  (Haw. Rev. Stat. §708-800).

Health data

§622-57 of Chapter 622 of Title 33 of the Haw. Rev. Stat. protects the right to privacy as to medical records. See the section on health data below for further information.

Financial information

The Hawaii Insurance Code, under Chapter 431 of Title 24 of the Haw. Rev. Stat., imposes certain requirements relating to privacy practices on licensed insurers, producers, or other licensees. See the section on financial data below for further information.

Enforcement

The Hawaii Attorney General ('AG') or the Executive Director of the Office of Consumer Protection enforces many privacy laws applicable to private commercial activity including data breach notification and data destruction requirements (§487R-3 of Chapter 487R of Title 26 of the Haw. Rev. Stat., and §489P-6 of Chapter 489P of Title 26 of the Haw. Rev. Stat.).

The Insurance Commissioner of the Hawaii Department of Commerce and Consumer Affairs enforces laws relating to informational privacy and insurance, as discussed in further detail in the section on financial data. 

3. Health Data

A 'health care provider' means a physician, osteopathic physician, surgeon, or licensed physician assistant, a licensed podiatrist, a healthcare facility as defined in §323D-2 of Chapter 323D of Title 19 of the Haw. Rev. Stat., and their employees. 'Health care provider' shall not mean any nursing institution or nursing service conducted by and for those who rely upon treatment by spiritual means through prayer alone, or employees of the institution or service.

A 'deceased person's next of kin' means a person with the following relationship to the deceased person:

• the spouse or reciprocal beneficiary;
• an adult child;
• either parent;
• an adult sibling;
• a grandparent; and
• a guardian at the time of death.

Public health concerns

A patient's privacy with respect to medical records may be subject to public health concerns. §325-2 of Chapter 325 of Title 19 of the Haw. Rev. Stat. requires that every '[p]hysician or health care professional having a client affected by or suspected of being affected by a disease or condition declared to be communicable or dangerous to the public health by the director of health shall report the incidence or suspected incidence of such disease or condition to the department of health in writing or in the manner specified by the department of health.' 

Laboratories are also required to make such reports and, further, are required to disclose 'the individual's complete demographic information, including name, date of birth, residential address, and phone number, obtained and confirmed at the time of specimen collection for the purposes of facilitating a public health investigation as necessary by the department of health.'

AIDs, HIV, and AIDs-related complex

Medical records that relate to human immunodeficiency virus ('HIV') infection, AIDS-related complex ('ARC'), or acquired immune deficiency syndrome ('AIDS') receive special protection under Hawaii law. In particular, Haw. Rev. Stat. §325-101 states that such medical records are to be strictly confidential and only released under limited circumstances, such as to medical personnel during a medical emergency, to the Hawaii State Department of Health by a physician to report a sexual or needle-sharing contact, to the Department of Health for certain federal reporting requirements, and other reasons specifically stated in the statute.

Hawaii HIPAA harmonisation

Hawaii's Health Care Privacy Harmonization Act, under Chapter 323B of Title 19 of the Haw. Rev. Stat., harmonizes state law with the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), as amended.

Furthermore, Haw. Rev. Stat. §323B-3 provides that any use or disclosure of individually identifiable health information by a covered entity or business associate under HIPAA regulations is allowed under state law. Moreover, an authorization for the release of individually identifiable health information that is compliant with HIPAA is also compliant under state law. In case of a breach, any notice of breach of unsecured protected health information that complies with HIPAA regulations shall be deemed to comply with all state laws relating to notice of breach of protected health information.

4. Financial Data

Any licensed insurer, producer, or other licensee required to be licensed, authorized, or registered under Chapter 431, Chapter 432, or Chapter 432D of Title 24 of the Haw. Rev. Stat. ('licensees') are required to comply with the privacy practices set forth in Article 3(a) of Chapter 431 of the Haw. Rev. Stat. These practices include, inter alia, providing a clear and conspicuous notice that accurately reflects the licensee's privacy policies and practices to a consumer. The privacy policy and practices shall be updated and delivered to the consumer on an annual basis.

The privacy policy and practices must contain certain information, as set forth in Haw. Rev. Stat. §431:3A-203. For example, the licensee must disclose, inter alia, the following:

• the categories of non-public personal financial information that the licensee collects;
• the categories of non-public personal financial information that the licensee discloses;
• the categories of affiliates and non-affiliated third parties to whom the licensee discloses nonpublic personal financial information;
• the categories of non-public personal financial information about the licensee's former customers that the licensee discloses, and the categories of affiliates and non-affiliated third parties to whom the licensee discloses non-public personal financial information about the licensee's former customers;
• a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted, if a licensee discloses non-public personal financial information to a non-affiliated third party;
• an explanation of the consumer's right to opt out of the disclosure of non-public personal financial information to non-affiliated third parties, including the methods by which the consumer may exercise that right at that time;
• any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act of 1970 ('FCRA'); and
• the licensee's policies and practices with respect to protecting the confidentiality and security of non-public personal information.

A licensee shall also provide an opt-out notice to each of the licensee's consumers that is clear and conspicuous and accurately explains the right to opt-out, pursuant to Haw. Rev. Stat. §431:3A-204. The opt-out notice shall:

• state that the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a non-affiliated third party;
• state that the consumer has the right to opt out of that disclosure; and
• provide for a reasonable means by which the consumer may exercise the opt-out right.

However, a licensee is not required to provide an opt-out notice if a licensee provides non-public personal financial information to a non-affiliated third party to perform services for the licensee or functions on the licensee's behalf if the licensee provided the required privacy notices and such third parties execute a non-disclosure agreement.

Licensees are required to abide by their privacy policy and practices and consumers desire to opt out of such privacy policies and practices. A licensee may not disclose, directly or through any affiliate, any non-public personal financial information about a consumer to a non-affiliated third party unless they have complied with the applicable privacy policy and practices' notice requirements, given the consumer an opt-out notice, and allowed the consumer a reasonable opportunity to opt-out, with the consumer not doing so.

Hawaii has adopted the National Association of Insurance Commissioners Insurance Data Security Model Law, which is codified under Article 3B of Chapter 431 of the Haw. Rev. Stat. ('the Model Law'). The Model Law requires a licensee with ten or more employees to develop a written information security program and engage in the assessment of data security risks and mitigate identified risks. Licensees also must establish a written incident response plan. In addition, the Model Law imposes data breach investigation and notification requirements.

5. EMPLOYMENT DATA

Expectation of privacy at the workplace

Subject to certain restrictions, employers may generally use surveillance monitoring devices in common areas of the workplace where there is no expectation of privacy. An expectation of privacy would exist in places such as nursing rooms, restrooms, and dressing rooms. Individuals may record communications if they are a party to the communication, or if one of the parties to the communication has given consent to the recording (§803-42 of Chapter 803 of Title 38 of the Haw. Rev. Stat.).

Credit history

As set forth in §378-2.7 of Chapter 378 of Title 21 of the Haw. Rev. Stat., employers may only inquire into a prospective employee's credit history or report upon giving such person a conditional offer of employment. Employers may not consider a prospective employee's credit history or credit reports unless:

• the credit history or credit report is directly related to a bona fide occupational qualification;
• the employer is permitted or required by federal or state law to consider such information;
• the prospective employee is being considered for a managerial or supervisory employee role; or
• the employer is a federally insured financial institution.

Salary history

Haw. Rev. Stat. §378-2.4 prohibits any employer or employment agency from inquiring into the salary history of a prospective employee or relying on such information in determining salary, benefits, or the hiring of a prospective employee. A prospective employee, however, may offer such information to the employer for consideration of determining salary, benefits, or other compensation, if such information was offered voluntarily and without prompting from the employer.

Substance abuse testing

Employers are permitted to conduct or order drug and alcohol testing of prospective employees. Employers must cover the cost of such substance abuse testing. The individual to be tested must also receive a written statement of the specific substances to be tested for and a statement that over-the-counter medications or prescribed drugs may result in a positive test result. Any information concerning a substance abuse on-site screening test shall be strictly confidential. With limited exceptions, such information shall not be released to a third party without the informed written consent of the individual tested (see Chapter 329B of Title 19 of the Haw.  Rev. Stat.).

Criminal records

Hawaii law prohibits employers from including requests for information on criminal convictions in employment applications. Employers may take criminal convictions into consideration after a conditional offer of employment is given, but only if such conviction (see Haw. Rev. Stat. §378-2.5):

• occurred within the most recent seven-year period, excluding periods of incarceration; and
• bears a rational relationship to the duties and responsibilities of the position in question.

Certain types of employers are not subject to foregoing restrictions. These include but are not limited to, private schools, armed security services, financial institutions, detective agencies, and certain state and local government employers.

Employee online accounts

Hawaii has adopted the Uniform Employee and Student Online Privacy Protection Act, under which employers are prohibited from requiring, coercing, or requesting an employee to grant access to the employee's personal online account or its contents. An employee may request or require an employee to share specifically identified content from the employee's personal online account for certain purposes, including complying with the employer's legal and regulatory obligations and investigating allegations of employee misconduct and threats to safety. The AG is authorized to bring a civil action to enforce the law and seek penalties of $1,000 for each violation and up $100,000 for all violations caused by the same event. An employee may also bring a private right of action for damages and equitable relief.

Employee tracking

Hawaii law prohibits employers from requiring an employee, including applicants for employment, to download a mobile application to the employee's personal communication device that enables the employee's location to be tracked or the employee's personal information to be revealed as a condition of employment or continued employment (see Haw. Rev. Stat. §378-102). Employees may consent to downloading such an application. The prohibition does not apply to a device that the employer owns or the cost of which the employer reimburses the employee. An employee may bring a civil action for injunctive relief or actual damages for violating the law.  Violators law also may be fined $500 for each violation.

6. Online Privacy

Hawaii's Uniform Employee and Student Online Privacy Protection Act prohibits educational institutions from requiring, coercing, or requesting a student to grant access to the student's personal online account or its contents. A 'student', for purposes of this Act, includes a parent or legal guardian of a student under the age of 18 years. An educational institution may request or require a student to share specifically identified content from the student's personal online account for certain purposes, including complying with the educational institution's legal and regulatory obligations and investigating allegations of education-related student misconduct and threats to safety. The AG is authorized to bring a civil action to enforce the law and seek penalties of $1,000 for each violation and up $100,000 for all violations caused by the same event. A student may also bring a private right of action for damages and equitable relief.

7. Unsolicited Commercial Communications

Hawaii does not have specific laws addressing unsolicited commercial messages and spam.

8. Privacy Policies

Hawaii does not have a specific law requiring websites to post a privacy policy.

9. Data Disposal/Cybersecurity/Data Security

Data disposal

Haw. Rev. Stat. Chapter 487R requires any business or government agency that conducts business in Hawaii or maintains or otherwise, possesses the personal information of a Hawaii resident to 'take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal' (Haw. Rev. Stat. §487R-2). Reasonable measures include (Haw. Rev. Stat. §487R-2(b)):

• implementing and monitoring compliance with policies and procedures that require the destruction of personal information, electronic media, and other non-paper media in a manner that the information cannot be practicably read or reconstructed; and
• describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.

A business or government agency may satisfy its obligations under Haw. Rev. Stat. Chapter 487R by exercising due diligence and contracting with another party engaged in the business of records destruction to destroy personal information (see Haw. Rev. Stat. §487R-2(c)). Haw. Rev. Stat. Chapter 487R does not apply to financial institutions governed by the Gramm-Leach-Bliley Act of 1999, health plans or healthcare providers subject to HIPAA, and consumer reporting agencies subject to the FCRA per Haw. Rev. Stat. §487R-2(e). In addition, violations of Haw. Rev. Stat. Chapter 487R by businesses is punishable by penalties of not more than $2,500 for each violation. Injured parties may also sue businesses for actual damages caused by violations of the statute per Haw. Rev. Stat. §487R-3.

Security breach reporting

Hawaii's data breach notification law requires disclosure of a security breach 'without unreasonable delay' (§487N-2(a) of Chapter 487N of Title 26 of the Haw. Rev. Stat.). The law applies to any business that owns or licenses personal information of residents of Hawaii, any business that conducts business in Hawaii that owns or licenses personal information in any form, or any government agency that collects personal information for specific government purposes. Notice of a security breach shall be delayed if a law enforcement agency informs the business or government agency that notification may impede a criminal investigation or jeopardize national security and requests a delay. The business or government agency is then required to provide notice of the security breach without unreasonable delay after the law enforcement agency communicates that there is no longer a need to suspend disclosure. The timeliness of the giving of notice takes into account measures necessary to determine sufficient contact information, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the data system.

Where a business or government agency maintains or possesses records or data containing personal information of Hawaii residents that the business or government agency does not own or license, notification of a security breach must be given to the owner or licensee of the information immediately after the discovery of the breach (Haw. Rev. Stat. §487N-2(b)).

The data breach notification law defines 'personal information as an individual's first name or first initial and last name in combination with any one or more of the following data elements when either the name or the data elements are not encrypted (Haw. Rev. Stat. §487N-1):

• social security number;
• driver's license number or Hawaii identification card number; or
• account number, credit or debit card number, access code, or password that would permit access to an individual's financial account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records (Haw. Rev. Stat. §487N-1).

A 'security breach' is defined as an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur and that creates a risk of harm to a person. Any incident of unauthorized access to and acquisition of encrypted records or data containing personal information along with the confidential process or key constitutes a security breach. Good faith acquisition of personal information by an employee or agent of the business for a legitimate purpose is not a security breach, provided that the personal information is not used for a purpose other than a lawful purpose of the business and is not subject to further unauthorized disclosure (Haw. Rev. Stat. §487N-1).

Violators of the data breach notification law are subject to penalties not to exceed $2,500 for each violation. Injured parties may also sue businesses for actual damages caused by violations of the statute (Haw. Rev. Stat. §487N-3).

The Insurance Code also contains data breach requirements (see Haw. Rev. Stat. §§431:3B-301 to 431:3B-306). See the section on financial data above for more information.

10. Other Specific Jurisdictional Requirements

Not applicable.