The Privacy Protection Authority ('PPA') published, on 2 November 2020, a report on the results of an investigation into organisations which hold and process personal information for other organisations, as well as guidance on the same, as part of a series of reports examining how various sectors comply with the provisions of the Protection of Privacy Law, 5741-1981 ('the Law'). In particular, the PPA outlined that it discovered horizontal deficiencies in such organisations, which are considered to have an increased risk for the invasion of privacy as they can hold many databases containing sensitive information. In addition, the PPA noted that these organisations classify as database holders under the Law, even if the information is encrypted and the key is not in their possession, thus the organisations are subject to the relevant obligations, such as the respect of principles of transparency, reporting to the PPA, and appointment of an information security officer. More specifically, the report found, among other things, that most bodies exhibited a high level of compliance with the provisions of the Law, but not with the Protection of Privacy Regulations (Data Security) 5777-2017, particularly in relation to the outsourcing of personal information.

You can read the press release here and the report here, both only available in Hebrew.