§487R-2 Destruction of personal information records. (a) Any business or government agency that conducts business in Hawaii and any business or government agency that maintains or otherwise possesses personal information of a resident of Hawaii shall take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.
(b) The reasonable measures shall include:
(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, recycling, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed;
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed; and
(3) Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.
(c) A business or government agency may satisfy its obligation hereunder by exercising due diligence and entering into a written contract with, and thereafter monitoring compliance by, another party engaged in the business of records destruction to destroy personal information in a manner consistent with this section. Due diligence should ordinarily include one or more of the following:
(1) Reviewing an independent audit of the disposal business' operations or its compliance with this chapter;
(2) Obtaining information about the disposal business from several references or other reliable sources and requiring that the disposal business be certified by a recognized trade association or similar third party with a reputation for high standards of quality review; or
(3) Reviewing and evaluating the disposal business' information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the disposal business.
(d) A disposal business that conducts business in Hawaii or disposes of personal information of residents of Hawaii shall take reasonable measures to dispose of records containing personal information by implementing and monitoring compliance with policies and procedures that protect against unauthorized access to, or use of, personal information during or after the collection, transportation, and disposing of such information.
(e) This chapter shall not apply to any of the following:
(1) Any financial institution that is subject to 15 U.S.C. sections 6801 to 6809, as amended;
(2) Any health plan or healthcare provider that is subject to and in compliance with the standards for privacy of individually identifiable health information and the security standards for the protection of electronic health information of the Health Insurance Portability and Accountability Act of 1996; or
(3) Any consumer reporting agency that is subject to and in compliance with the Fair Credit Reporting Act, 15 U.S.C. sections 1681 to 1681x. [L 2006, c 136, pt of §2; am L 2008, c 19, §72]
Copyright ©2024 LegalFix. All rights reserved. LegalFix is not a law firm, is not licensed to practice law, and does not provide legal advice, services, or representation. The information on this website is an overview of the legal plans you can purchase—or that may be provided by your employer as an employee benefit or by your credit union or other membership group as a membership benefit.
LegalFix provides its members with easy access to affordable legal services through a network of independent law firms. LegalFix, its corporate entity, and its officers, directors, employees, agents, and contractors do not provide legal advice, services, or representation—directly or indirectly.
The articles and information on the site are not legal advice and should not be relied upon—they are for information purposes only. You should become a LegalFix member to get legal services from one of our network law firms.
You should not disclose confidential or potentially incriminating information to LegalFix—you should only communicate such information to your network law firm.
The benefits and legal services described in the LegalFix legal plans are not always available in all states or with all plans. See the legal plan Benefit Overview and the more comprehensive legal plan contract during checkout for coverage details in your state.
Use of this website, the purchase of legal plans, and access to the LegalFix networks of law firms are subject to the LegalFix Terms of Service and Privacy Policy.