Information Privacy & Security Council

Any government agency that maintains one or more personal information (PI) systems must submit to the IPSC an annual report on the existence and character of each PI system added or eliminated since the agency’s previous annual report, pursuant to HRS §487N-7. Annual reports are due no later than September 30 of each year.

Reporting Method

All agencies are asked to submit the completed form via e-mail to [email protected] to comply with this reporting requirement. Privacy Impact Assessment (PIA) PDF Form

Frequently Asked Questions

Can I access older reports?

Online submissions from 2018 and prior can be reviewed to facilitate transitioning to the PDF form. (Login required; request access by emailing [email protected])

PIA Online Form

Which agencies need to submit reports?

Any government agency that maintains one or more personal information systems shall submit to the council an annual report on the existence and character of each personal information system added or eliminated since the agency’s previous annual report.

When are reports due?

The annual report shall be submitted no later than September 30 of each year.

What is considered “personal information”?

“Personal information” is defined under HRS Chapter 487N as an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

     (1)  Social security number;

     (2)  Driver’s license number or Hawaii identification card number; or

     (3)  Account number, credit or debit card number, access code, or password that would permit access to an individual’s financial account.

What is considered a “personal information system”?

“Personal Information System” is defined under HRS Chapter 487N as any manual or automated recordkeeping process that contains personal information and the name, personal number, or other identifying particulars of a data subject.

What is considered a “government agency”?

“Government agency” means any department, division, board, commission, public corporation, or other agency or instrumentality of the state or of any county.

Do agencies need to use the provided Privacy Impact Assessment (PIA) form?

Agencies may choose to submit their reports in a format of their choosing, as long as reports contained all requirement elements (see below).

The PIA Online Form and the fillable PDF version are provided as a courtesy. The PIA form not only fulfills agencies’ reporting requirement, it also has been aligned with federal terminology and requirements. Further, PIA Online Form facilitates the IPSC’s review of the submitted reports so that the council may more effectively and efficiently identify significant trends and develop recommendations to protect PI maintained by government agencies.

What should be included in agency reports?

Pursuant to HRS §487N-7, agencies’ PI Annual Reports shall include:

     (1)  The name or descriptive title of the personal information system and its location;

     (2)  The nature and purpose of the personal information system and the statutory or administrative authority for its establishment;

     (3)  The categories of individuals on whom personal information is maintained, including:

          (A)  The approximate number of all individuals on whom personal information is maintained; and

          (B)  The categories of personal information generally maintained in the system, including identification of records that are:

               (i)  Stored in computer accessible records; or

              (ii)  Maintained manually;

     (4)  All confidentiality requirements relating to:

          (A)  Personal information systems or parts thereof that are confidential pursuant to statute, rule, or contractual obligation; and

          (B)  Personal information systems maintained on an unrestricted basis;

     (5)  Detailed justification of the need for statutory or regulatory authority to maintain any personal information system or part thereof on a confidential basis for all personal information systems or parts thereof that are required by law or rule;

     (6)  The categories of sources of personal information;

     (7)  The agency’s policies and practices regarding personal information storage, duration of retention of information, and elimination of information from the system;

     (8)  The uses made by the agency of personal information contained in any personal information system;

     (9)  The identity of agency personnel, by job classification, and other agencies, persons, or categories to whom disclosures of personal information are made or to whom access to the personal information system may be granted, including the purposes of access and any restrictions on disclosure, access, and redisclosure;

    (10)  A list identifying all forms used by the agency in the collection of personal information; and

    (11)  The name, title, business address, and telephone number of the individual immediately responsible for complying with this section.

---

For more information, please email [email protected].