Submit Agency Reports

Any government agency that maintains one or more personal information (PI) systems must submit to the IPSC an annual report on the existence and character of each PI system added or eliminated since the agency’s previous annual report, pursuant to HRS §487N-7. Annual reports are due no later than September 30 of each year.

Reporting Method

All agencies are asked to submit the completed form via e-mail to [email protected] to comply with this reporting requirement.

Privacy Impact Assessment (PIA) PDF Form

Frequently Asked Questions

Can I access older reports?

If your department needs access to a PIA form previously submitted, please email us at [email protected].

Which agencies need to submit reports?

Any government agency that maintains one or more personal information systems shall submit to the council an annual report on the existence and character of each personal information system added or eliminated since the agency’s previous annual report.

When are reports due?

The annual report shall be submitted no later than September 30 of each year.

What is considered “personal information”?

“Personal information” is defined under HRS Chapter 487N as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

     (1)  Social security number;

     (2)  Driver’s license number or Hawaii identification card number; or

     (3)  Account number, credit or debit card number, access code, or password that would permit access to an individual’s financial account.

However, the definition of “Personal Information” is projected to be updated and expanded. The most recent bill related to this modification is SB 2695. While this Senate bill did not pass, the annual PIA (Privacy Impact Assessment) form has been modified to use the definition in SB 2695 in order to understand the impacts on local and state government should a similar bill pass.

What is considered a “personal information system”?

“Personal Information System” is defined under HRS Chapter 487N as any manual or automated recordkeeping process that contains personal information and the name, personal number, or other identifying particulars of a data subject.

What is considered a “government agency”?

“Government agency” means any department, division, board, commission, public corporation, or other agency or instrumentality of the state or of any county.

Do agencies need to use the provided Privacy Impact Assessment (PIA) form?

Agencies may choose to submit their reports in a format of their choosing, as long as the reports contain all required elements (see below).

The PIA Online Form and the fillable PDF version are provided as a courtesy. The PIA form not only fulfills agencies’ reporting requirement; it has also been aligned with federal terminology and requirements. Further, the PIA Online Form facilitates the IPSC’s review of the submitted reports so that the council may more effectively and efficiently identify significant trends and develop recommendations to protect PI maintained by government agencies.

What should be included in agency reports?

Pursuant to HRS §487N-7, agencies’ PI Annual Reports shall include:

     (1)  The name or descriptive title of the personal information system and its location;

     (2)  The nature and purpose of the personal information system and the statutory or administrative authority for its establishment;

     (3)  The categories of individuals on whom personal information is maintained, including:

          (A)  The approximate number of all individuals on whom personal information is maintained; and

          (B)  The categories of personal information generally maintained in the system, including identification of records that are:

               (i)  Stored in computer accessible records; or

              (ii)  Maintained manually;

     (4)  All confidentiality requirements relating to:

          (A)  Personal information systems or parts thereof that are confidential pursuant to statute, rule, or contractual obligation; and

          (B)  Personal information systems maintained on an unrestricted basis;

     (5)  Detailed justification of the need for statutory or regulatory authority to maintain any personal information system or part thereof on a confidential basis for all personal information systems or parts thereof that are required by law or rule;

     (6)  The categories of sources of personal information;

     (7)  The agency’s policies and practices regarding personal information storage, duration of retention of information, and elimination of information from the system;

     (8)  The uses made by the agency of personal information contained in any personal information system;

     (9)  The identity of agency personnel, by job classification, and other agencies, persons, or categories to whom disclosures of personal information are made or to whom access to the personal information system may be granted, including the purposes of access and any restrictions on disclosure, access, and redisclosure;

    (10)  A list identifying all forms used by the agency in the collection of personal information; and

    (11)  The name, title, business address, and telephone number of the individual immediately responsible for complying with this section.

For more information, please email [email protected].