On February 21, 2024, the Privacy Protection Authority (PPA) announced that it had published a broad inspection report detailing the deficiencies in the protection of personal information among non-profit organizations and the third sector. In particular, the report details whether inspected organizations implemented the Protection of Privacy Law, 5741-1981 (PPL) and the Protection of Privacy Regulations (Data Security) 5777-2017 (the Data Security Regulations). 

More specifically, the PPA stated that 24 entities were inspected and they received specific instructions for correcting the deficiencies found in them, as well as a report of instructions for all entities operating in this sector detailing the steps they must take in order to meet the requirements of the law and regulations.

Further, the PPA specified that the findings of the report pointed to a lack of awareness among many of the inspected entities. Moreover, the PPA identified a few risks to the privacy of the people who use the services of associations and third-sector organizations and noted that these risks arise from managing a lot of personal, identifiable, and sensitive information, both themselves and through external outsourcing services. Notably, the report highlighted that:

• in terms of organizational control, in 40% of the organizations examined, there were no information security procedures, or that the existing procedures did not meet the requirements of the law;
• in the field of information security, 33% of the organizations tested presented a medium or low level of compliance with the provisions of the law and regulations, while 22% of the entities tested did not have a strong password policy; and
• in 48% of the public bodies among the bodies examined, no committee was appointed to transfer information between public bodies, as required by law.

You can read the press release here and the report here, both only available in Hebrew.