Israel - Data Protection Overview
1. THE LAW
1.1. Key Acts, Regulations, Directives, Bills
Data protection in Israel is governed primarily by the Protection of Privacy Law, 5741-1981 ('the Privacy Law') and the regulations promulgated under it, the Basic Law: Human Dignity and Liberty, 5752-1992, and the guidelines of the Israeli regulator, the Privacy Protection Authority ('PPA') (formerly known as the Israel Law, Information and Technology Authority ('ILITA')).
Additional legislation includes:
- Protection of Privacy (Data Security) Regulations, 5777-2017 ('the Data Security Regulations');
- Amendment No. 40 to the Communications Law (Telecommunications and Broadcasting), 5742-1982 ('the Anti-Spam Law');
- Administrative Offences Regulations (Administrative Fines and Protection of Privacy) 2004 ('the Administrative Fine Regulations');
- Protection of Privacy Regulations (Transfer of Information to Databases Abroad), 5761-2001 ('the Transfer of Information Regulations');
- Protection of Privacy Regulations (Conditions for Possessing and Protecting Data and Procedures for Transferring Data Between Public Bodies) 1986 (only available in Hebrew here); and
- Protection of Privacy Regulations (Conditions for Inspection of Data and Procedures for Appeal on a Denial of a Request to Inspect) 1981 (only available in Hebrew here) ('the Data Inspection Regulations').
Although the guidelines published by the PPA do not have the status of law, they reflect the PPA's interpretation of the obligations under the existing Privacy Law and therefore should be considered. The guidelines include:
- 2/2011 Use of Outsourcing Services for Personal Data Processing (only available in Hebrew here);
- 4/2012 Use of Security and Surveillance Cameras and Databases of Recorded Images (only available in Hebrew here);
- 2/2017 Direct Mailing and Direct Mailing Services (only available in Hebrew here);
- 5/2017 Use of Surveillance Cameras at the Workplace and in the Framework of Employment (only available in Hebrew here);
- Draft Guidelines on the Transfer of Ownership in a Database (only available in Hebrew here) ('the Transfer of Ownership Draft Guidelines'), which relate to database transfers in a merger & acquisition context; and
- 3/2018 Application of the Data Security Regulations to Organisations Certified Under ISO 27001 (only available in Hebrew here).
1.3. Case Law
2. SCOPE OF APPLICATION
2.1. Who do the laws/regs apply to?
The Privacy Law does not explicitly determine its jurisdiction, nor does it require that the data subject be a resident or citizen of Israel. From this, one may conclude that the Privacy Law's jurisdiction is the same as that of other Israeli laws, i.e. limited to acts within Israel. It is an unsettled legal question whether the Privacy Law applies to foreign entities processing personal information of Israelis, and whether it applies to Israeli entities processing personal information of non-Israelis. However, if the restrictions on the transfer of data are breached, any subsequent use of the data outside Israel is likely to be attributed to the party in Israel who breached the transfer restrictions.
The Privacy Law applies to all entities in Israel, private, business and public, that hold or process personal information.
2.2. What types of processing are covered/exempted?
3. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
3.1. Main regulator for data protection
The Israeli regulatory authority, the PPA, was founded in 2006, and is part of the Ministry of Justice.
The head of the PPA also serves as the Registrar of Databases ('the Registrar'). The PPA is responsible for the protection of all personal information held in digital databases, including through the use of administrative and criminal enforcement.
3.2. Main powers, duties and responsibilities
The PPA represents Israel in the international privacy arena and participates in the legislative process. As mentioned above, the PPA publishes guidelines that reflect the PPA's interpretation of the obligations under the Privacy Law. The PPA has administrative and criminal investigatory powers and may conduct inspections and audits on any entity subject to the Privacy Law. The PPA may also impose administrative fines, in certain circumstances, as described below.
The Registrar is required to maintain the Registry of Databases and is empowered to supervise compliance with provisions of the Privacy Law and the regulations issued thereunder. The Registrar is authorised to refuse to register a database if it has reasonable grounds to assume that:
- the database is used, or might be used, for illegal activities, or as a cover for them; or
- the data included in the database was obtained, accrued, or collected in breach of the Privacy Law or any other law.
4. KEY DEFINITIONS | BASIC CONCEPTS
The Privacy Law regulates two principal matters: the general right to privacy and the protection of personal data in databases. The following terms are defined under the Privacy Law:
Personal data: Data regarding the personality, personal status, intimate affairs, state of health, economic situation, professional qualifications, opinions, and beliefs of a person.
Sensitive data: Data on the personality, intimate affairs, state of health, economic situation, opinions, and beliefs of a person, and other information if designated as such by the Minister of Justice, with the approval of a parliamentary committee (no such determination has been made to date).
A comparison between the definitions of personal data and sensitive data reveals that sensitive data does not include data regarding a person's personal status and professional qualifications.
Data controller | Data processor: The Privacy Law does not use the terms 'data controller' and 'data processor' but rather refers to 'database owner,' 'database holder,' and 'database manager'.
Data security: Protection of the data from disclosure, use, or copying performed without permission, or protection of the integrity of the data, i.e. that the data in the database is identical to the source from which it was extracted and has not been changed, delivered, or destroyed without permission.
Database: A collection of data, stored by magnetic or optical means and intended for computer processing, except for:
- a collection of data for personal use and not for business purposes; and
- a collection of data that includes only names, addresses and contact information of persons which in itself does not create any characterisation that breaches the privacy of such persons, provided that neither the owner of the collection nor any corporation under its control has an additional collection of data.
Note that contrary to previous interpretations of this exemption, on 28 November 2018, the PPA clarified that a collection containing only names and email addresses would not fall under the exemption and therefore will be considered as a database (only available in Hebrew here).
Database holder: A legal person who has a database in its possession on a permanent basis and is permitted to use it.
Database owner: Not defined in the Privacy Law. Some compare the role of the database owner to that of the data controller under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). Although there are several similarities between the two, they are not the same, as the Privacy Law does not state as a general rule that the database owner is primarily responsible for demonstrating compliance with the Privacy Law.
Database manager: The active manager of the legal entity which owns or possesses a database, or a legal person authorised to carry on such activities by the manager for this purpose.
Person: A natural person, as distinguished from a person for the purpose of ownership of a database, which may be a corporation. In order to differentiate the two meanings, in this Overview 'data subject' shall mean a natural person and 'legal person' shall mean a natural person or a corporation.
5. NOTIFICATION | REGISTRATION
5.1. Requirements and brief description
Subject to certain exceptions (see below), a database owner is required to register its database if one of the following conditions is met:
- the database contains data in respect of more than 10,000 data subjects;
- the database contains sensitive data;
- the database includes data about persons, and such was not provided by them, on their behalf, or with their consent;
- the database belongs to a public entity; or
- the database is used for direct mailing services.
A database must be registered prior to managing or holding the database unless the Registrar permits performing such acts prior to registration.
Although the Privacy Law imposes the obligation to register on the database owner, the Privacy Law also prohibits managing or holding a database that is required to be registered, but has not been registered. Therefore, database managers or database holders could also face liability in connection with a database that is not registered.
Databases are exempt from the registration obligation where:
- the database only contains data made public according to lawful authority; or
- the database only contains data which was made available for public inspection according to lawful authority.
6. DATA CONTROLLER RIGHTS AND RESPONSIBILITIES
A database owner is required to register its database in certain circumstances, as further detailed in section 5 above.
A database owner:
- who collects personal data directly from data subjects, shall request their consent and inform them whether they are under a legal duty to provide the data, of the purpose of the collection, and of the details of any third party that will receive the data and the purpose for which it will receive it;
- shall either allow a data subject access to any data about him/her kept in the database, or refuse to allow such access to the extent permitted by law, as further detailed in section 9 below;
- shall respond to a data subject's request to rectify or erase any data about him/her kept in the database, as further detailed in section 9 below;
- shall be required to appoint an information security officer ('ISO') in certain circumstances, as further detailed in section 10 below;
- shall document any security incident, and in certain circumstances inform the PPA of such incident, as further detailed in section 11 below;
- shall notify the Registrar and data subjects of a transfer of ownership in the database (in a merger or acquisition context or otherwise), as further detailed in section 12 below;
- may transfer, or permit the transfer of, data outside Israel in certain circumstances, as further detailed in section 13.1 below;
- shall require any of its contractors that have access to personal data to adhere to certain requirements and shall monitor their compliance with such requirements, as further detailed in section 8 below;
- shall be required to comply with the security requirements set in the Data Security Regulations, as further detailed in sections 13.3 and 14 below; and
- may be subject to administrative fines, and to civil and/or criminal liability, as further detailed in section 12 below.
7. DATA PROCESSOR RIGHTS AND RESPONSIBILITIES
A database holder and a database manager may be liable for holding or managing a database prior to its registration with the Registrar.
A database holder shall either allow a data subject access to any data about him/her kept in a database it holds according to the instructions of the database owner, or refuse to allow such access to the extent permitted by law, as further detailed in section 9 below.
Additionally, a database holder shall be required to appoint an ISO in certain circumstances, as further detailed in section 10 below, and adhere to the database owner's directions and requirements, as further detailed in section 13 below.
A database manager shall inform the Registrar as to the identity of an ISO appointed in the database it manages, as further detailed in section 10 below.
A database holder and a database manager are required to comply with the security requirements set in the Data Security Regulations.
8. DATA CONTROLLER AND PROCESSOR AGREEMENTS
According to the Data Security Regulations, an owner of a database engaging a contractor for the provision of a service that requires granting such contractor access to the database, shall assess, prior to the engagement, the data protection risks involved in such engagement.
Considering the aforementioned risks, the Data Security Regulations require that the following matters shall be explicitly regulated in the database owner's agreement with the contractor:
- the data which the contractor will be authorised to process and the purpose of such processing;
- the type of processing which the contractor shall be authorised to perform;
- the database systems which the contractor will be authorised to access;
- the term of the contractor's engagement and how the data will be returned to the database owner at the termination of such engagement;
- directions as to how the contractor (as a database holder) shall perform its obligations pursuant to the Data Security Regulations and other obligations imposed by the database owner;
- the contractor's duty to have its personnel sign an undertaking regarding confidentiality and adherence to the agreement between the database owner and the contractor; and
- the contractor's duty to inform the database owner of any security event and to provide a report to the database owner, at least annually, regarding its performance of all the above.
The database owner shall monitor the contractor's compliance with the terms of the agreement between the database owner and the contractor and with the Data Security Regulations, in the scope and to the extent appropriate considering the risks to data protection.
9. DATA SUBJECT RIGHTS
Access to data
A data subject may inspect any information about him/her that is kept in a database, whether in person, or by a representative or guardian. The database owner shall enable the inspection of the information in Hebrew, Arabic, or English, as requested by the data subject.
If a database is maintained by a database holder on behalf of a database owner, then the database owner must refer a data subject asking to access the information to the database holder and instruct the database holder to allow such inspection.
Pursuant to the Data Inspection Regulations, the data subject shall pay the owner or holder of the database a fee of ILS 20 (approx. €5) for the inspection. Inspection must be permitted within 30 days of the request, although the Registrar may extend the period by an additional 15 days.
The Data Inspection Regulations allow the database owner to provide a print-out of the requested information as the equivalent of permitting inspection of the data, but the print-out shall not be removed from the premises of the database owner or holder without permission.
A database owner or holder may refuse the request for inspection of data from a database if:
- the database is of one of the types of databases that the Privacy Law determines shall not be subject to inspection (e.g. a database of a security authority or tax authority, the database of the Israel Prison Service, or data whose disclosure may harm Israel's security or foreign relations or is prohibited by the provisions of any legislation); or
- the database is a service bureau that processes and stores data for its customers, so long as the database owner or holder refers the data subject to the owner of the data on whose behalf the processing or storage services are performed.
If a request to inspect data is refused, the data subject shall be notified of the refusal within 21 days of the request, although the Registrar may extend the period by an additional 15 days.
In the event the request is denied, the data subject requesting the data may file a suit in accordance with the procedures set forth in the Data Inspection Regulations.
A database owner may refrain from providing data to a data subject for his/her inspection if:
- the data relates to the data subject's physical or mental health, and the database owner believes that such data may endanger the life of the data subject or cause severe harm to his/her physical or mental health, in which case the database owner shall provide the data to a physician or psychologist acting on behalf of the data subject; or
- it will breach a legal privilege applicable to the data, as prescribed under any legislation or ruling, unless the data subject is the legal person for whose benefit the privilege is enacted.
Rectification and erasure of data
The Privacy Law provides that if a data subject inspects data about him/her and finds that it is inaccurate, incomplete, unclear, or not up-to-date, the data subject may request from the database owner or holder that such data be amended or deleted. This is, however, not an absolute right, and the database owner may refuse to accommodate such a request.
If the database owner agrees to the request, the amendment or erasure of the data shall be communicated to anyone who received the data from the database owner within the preceding three-year period. If a request to rectify or erase data is refused, the data subject shall be notified of the refusal within 30 days of the request, although the Registrar may extend the period by an additional 15 days.
A data subject may demand, in writing, from the owner of a database used for direct mailing that the information about him/her be deleted from such a database.
Objection to processing
The Privacy Law allows a data subject to object to the processing of data only by means of a civil suit based on the claim that the processing violates the data subject's right to privacy. However, there is no established concept of a general right to object to processing once the personal data has been provided for processing without a violation of privacy (e.g. with the consent of the data subject). As of today, it is generally understood that data subjects in Israel do not have a right to withdraw their consent to processing.
In the PPA's Transfer of Ownership Draft Guidelines (which are still subject to change), a data subject's consent to processing must be obtained prior to the transfer of the data about such data subject to the new owner of the database.
A database holder and a database manager may be subject to administrative fines, and to civil and/or criminal liability.
10. DATA PROTECTION OFFICER
10.1. DPO – compulsory appointment (yes/no)
Appointment of a data protection officer ('DPO') is not required under the Privacy Law. However, an entity meeting one of the following conditions is required to appoint an ISO:
- entities holding five or more databases requiring registration;
- public bodies; or
- banks, insurance companies or companies involved in ranking or evaluating credit.
The database manager must inform the Registrar as to the identity of the ISO.
Failure to nominate an ISO when required to do so may result in criminal sanctions, including administrative fines. While the ISO is to be responsible for data security, the database owner, holder, and manager nevertheless are each held individually responsible under the Privacy Law for data security as well.
The Privacy Law does not require that the ISO should be an Israeli citizen or resident. An individual convicted of an offence involving moral turpitude or an offence stipulated in the Privacy Law may not be appointed as an ISO.
The Data Security Regulations further detail the duties of the ISO and of the database owner with respect to the ISO. The ISO shall receive resources from the database owner in order to carry out its duties and shall report directly to the database manager. The ISO shall not perform other duties if such other duties may result in a conflict of interest with its duties as an ISO. The ISO shall develop a data protection procedure, and have it approved by the database owner, and shall develop an ongoing monitoring program and notify the database owner and the database manager of its results.
11. DATA BREACH NOTIFICATION
11.1. General obligation (yes/no)
A database owner is responsible for documenting any incident that raises concerns as to the integrity of the data or any unauthorised use of the data. If a severe security event occurs, then the database owner shall inform the PPA immediately, and not later than 72 hours from its occurrence and shall report the steps that were taken following such an event. The PPA may order the database owner to inform the data subjects that may be affected by the security event.
11.2. Sectoral obligations
In addition to the general obligation to notify a security event, entities in certain sectors are subject to more specific legislation that imposes on them additional duties.
Notably, the Supervisor of the Capital Market, Insurance and Savings Authority of the Ministry of Finance ('the Capital Market Supervisor') published a circular (only available in Hebrew here) regarding cyber risk management by financial institutions (such as insurance companies and investment banks). The circular requires financial institutions to, inter alia, report to the Capital Market Supervisor and to the Board of Directors of such institution any significant cyber event that resulted in the unavailability of systems containing sensitive data for over three hours, or where there is any indication that sensitive data was accessed.
In addition, the Supervisor of Banks of the Bank of Israel ('the Banks Supervisor') published Circular No. C-06-2560 Re: Supply Chain Cyber Risk Management (24 April 2018) ('the Banks Supervisor Circular'). The Banks Supervisor Circular requires banks to, inter alia, report to the Banks Supervisor any cyber event that has already occurred and any warning about a possible cyber event that may occur in the future.
The Administrative Fine Regulations authorise the Registrar to impose administrative fines of ILS 2,000 (approx. €500) on an individual for:
- using, holding, or managing an unregistered database which requires registration;
- delivering false information in a database registration application;
- failing to deliver documents or an affidavit to the Registrar, on an annual basis, by a holder of at least five databases which require registration; and
- managing or possessing a database used for direct mail services without properly tracking the sources of the information used.
Administrative fines of ILS 3,000 (approx. €750) may be imposed for:
- managing or possessing a database used for direct mail services without designation of such use in the database registration;
- managing or possessing a database used for direct mail services without properly notifying data subjects or responding to requests for removal;
- failing to deliver information or delivering false information in a notice soliciting information that will be included or used in a database;
- failing to comply with data subjects' inspection rights;
- granting access to a database to a legal person not authorised under a written agreement between the database holder and database owner; and
- failing to appoint an ISO for databases which are so required by law.
An administrative fine of ILS 5,000 (approx. €1,250) may be imposed for using information from a database for purposes differing from those for which the database was registered.
A five-fold fine for every type of breach listed above shall be imposed on a corporation. For continuing breaches, one-tenth of the fine can be imposed for each day of such continuance of the breach after a warning of the breach has been served.
Those found to have committed the aforementioned types of breaches may be charged with criminal liability and subjected to a one-year term of imprisonment. These are strict liability offences, as neither criminal intent nor negligence need to be proven.
Those found to be in breach may be subjected to five years imprisonment for disclosing data obtained by virtue of their position as an employee, manager, or holder of a database, except for disclosure for the purposes of performing one's duties, compliance with the Privacy Law, or under a court order in connection with legal proceedings. Violations of general privacy obligations (i.e. not specifically related to databases), such as publishing or handing over information that was obtained through breach of certain provisions of the Privacy Law, or publishing of a matter that relates to a data subject's intimate life or state of health, may entail five years imprisonment provided that such violations were conducted with malicious intent (a relatively high standard under Israeli criminal law).
A breach of privacy is actionable as a civil wrong pursuant to the Privacy Law, and a claimant may obtain monetary compensation or injunctive relief. A court may award damages amounting to ILS 50,000 (approx. €12,490) without proof of damages for breach of privacy rights, and if such breach was intentional the damages may be doubled. Such statutory damages apply only to individual claims and cannot be the basis for class-action damages. In addition to providing that a breach of privacy is actionable as a civil wrong, the Privacy Law also specifies that an act or omission in breach of certain of its provisions may give rise to a tortious claim under the Torts Ordinance 2009 (New Version). This provision was added in order to ensure that even omissions, such as a failure to ensure data security, would also be actionable as a civil wrong. As a civil wrong, in certain cases such as business-consumer relationships, a violation of privacy could be actionable as a class action under the Israeli Class Action Law, 2006 (only available in Hebrew here).
No civil or criminal action may be brought for breaches that cause no substantive harm. In addition, the Privacy Law provides the following defences from liability:
- the violation of privacy was done through a protected publication under the Israeli Libel Law, 1965 (only available in Hebrew here);
- the infringing party performed the violation in good faith under one of the following circumstances:
  - it did not know and was not supposed to know about the potential violation;
  - it was committed in circumstances under which the infringer has a legal, moral, social, or professional duty to do so;
  - it was committed in order to protect a legitimate interest of the infringer;
  - it was committed in the lawful ordinary course of business of the infringer and was not publicly disclosed; or
  - it was committed through the photography or publication of photographs taken in public places in which the plaintiff appeared incidentally; or
- there was a public interest justifying the violation, and if it was performed by publication, the publication was truthful.
13. ADDITIONAL RELEVANT TOPICS
13.1. Data Transfers and Outsourcing
Transfer of ownership of a database
In the PPA's Transfer of Ownership Draft Guidelines, the PPA presents its proposed position with respect to the duties of database owners and the rights of data subjects in situations where the ownership of a database is transferred to another legal person due to a sale of the database, or to a merger or acquisition of the database owner. According to the Transfer of Ownership Draft Guidelines, such duties and rights include the following:
- The transferring database owner (the former owner) and the recipient database owner (the new owner) shall notify the Registrar of such transfer of ownership.
- If the characteristics of the database recipient are different from those of the transferring database owner in a significant way that may adversely affect the rights of a data subject, then the data subject's consent must be obtained prior to the transfer of the data to the database recipient. If such data subject's consent was not obtained, the data about him/her should not be transferred to the database recipient and should be erased.
- If, due to the transfer of ownership in the database, the purposes of processing of, or the processing activities performed on, the data in the database shall change, the data subject's consent must be obtained prior to the transfer of the data to the database recipient.
- If, due to the transfer of ownership in the database, the purposes of processing and the processing activities shall not change, generally notifying the data subjects of the transfer of ownership and contact details of the database recipient shall suffice.
The Transfer of Information Regulations state that data from a database in Israel shall not be transferred to another country unless the law of such country ensures a level of protection with respect to personal data that is no less stringent than that provided by Israeli law. On 1 July 2020, the PPA announced that its position is that the law of the European Union ensures such a level of protection, and therefore the transfer of personal data to countries that are or were members of the European Union is permitted, provided that those countries continue to comply with the provisions of European Union law with regard to the protection of personal data.
Notwithstanding the foregoing, a database owner may transfer, or permit the transfer, of personal data to another country if:
- the data subject gave his/her consent to the transfer;
- the data subject's consent cannot be obtained and the transfer is necessary in order to protect the data subject's health or bodily integrity;
- the data is transferred to an entity under the control of the database owner and the database owner ensured the protection of the personal data post-transfer;
- the data is transferred to an entity that is obligated in an agreement with the database owner to hold the information in accordance with the conditions required in Israel;
- the data was made public according to lawful authority or was made available for public inspection according to lawful authority;
- the transfer of the data is imperative for the protection of public safety;
- the transfer of the data is mandatory pursuant to Israeli law; or
- the data is transferred to a country which is party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') or receives data under similar conditions.
On 1 July 2020, the PPA clarified that personal data may continue to be transferred to the United Kingdom after its withdrawal from the European Union, since the United Kingdom is party to Convention 108. This also covers transfers of data to countries that enjoy 'adequacy' status granted by the European Commission, and other transfers of data to non-EU countries that comply with the data transfer requirements of the GDPR (e.g. under Standard Contractual Clauses).
If data is transferred, the database owner shall obtain the recipient's written obligation that it takes measures appropriate to ensure the protection of the data and that it shall not transfer the data to any person, whether in the same country as the recipient or otherwise.
In 2011, Israel's National Labour Tribunal issued a decision ('the Employee Monitoring Decision') which established the rules regarding employers' monitoring of employees' computer, information technology, and email use at the workplace. The Employee Monitoring Decision defines three types of email inboxes:
- a professional email inbox, designated to the employee by the employer for business use;
- a private email inbox, designated to the employee by the employer for private use; and
- a mixed email inbox, for both business and private use.
Pursuant to the Employee Monitoring Decision, as a precondition to monitoring its employees' use of email, an employer must fulfil certain requirements, including the following:
- Legitimate purpose: Monitoring must be in the interest of a legitimate business purpose. The employer shall check alternative monitoring technologies which involve the lowest degree of violation of the employees' privacy considering the purpose.
- Computer resources policy: The employer shall adopt a policy regarding computer resources usage at the workplace and monitoring activities. The policy shall be incorporated in the employees' employment agreement. The policy shall expressly state that the use of emails shall be monitored, and include details about the monitoring activities to be performed by the employer and the measures used to perform such activities. The policy should also state if the email inboxes that the employer provides to employees are strictly for professional use.
- Written consent: An employee must consent in writing to the infringement of his/her privacy with respect to private email accounts or private emails in mixed accounts. The consent must be explicit, informed and voluntary, and provided after the employee has been notified of the employer's intention to monitor the employee's use of personal or private emails and/or perform another activity that may violate the employee's privacy.
13.3. Data Retention
A data subject may request that data about him/her be erased from a database, as further detailed in section 9 above. Under the Data Security Regulations, a database owner must consider, on a yearly basis, whether the personal data included in its databases exceeds what would be considered necessary for such database owner. Effectively, this requires database owners to establish data retention policies.
14. OTHER SPECIFIC JURISDICTIONAL ISSUES
Security of personal data
The Data Security Regulations set a list of requirements regarding data security. These requirements shall apply to a database owner, manager, and holder. Although the Data Security Regulations do not establish what specific technical information security measures a database owner must adopt, they do mandate the adoption of a series of corporate and managerial measures, as well as technological measures, that conform to the types of information that the organisation stores and the uses that are made of the personal information. The security requirements may include, inter alia:
- drafting a database settings document (similar to a record of processing), that will include a general description of the collection and processing of data and details of any transfer of data from the database to another country;
- development and implementation of an information security policy and procedures, that will include provisions as to the physical security of the site where the infrastructure of the database is located, access authorisation to the database, and risks to which the database is vulnerable and how to resolve such risks, including by use of encryption mechanisms;
- taking reasonable measures, customary in employee screening procedures, to verify that there is no cause for concern in authorising an employee to access the database;
- training and informing authorised employees of the requirements of the Privacy Law, the Data Security Regulations, and the security policy and procedures;
- limitation or absolute prevention of the possibility to connect a portable device to the systems of the database, considering the sensitivity of the data contained in the database;
- appointing an ISO, as further detailed in section 10 above;
- documenting any security incident, as further detailed in section 11 above;
- assessing the risks involved in the engagement with a contractor and regulating certain matters in a written agreement with the contractor, as further detailed in section 13.1 above;
- conducting a periodical review by a competent person, other than the ISO, in order to verify compliance with the provisions of the Data Security Regulations; and
- maintaining, in a secured manner, data accumulated in the implementation of the Data Security Regulations provisions for a period of at least 24 months.
In the PPA guidelines regarding the application of the Data Security Regulations to organisations certified under ISO 27001 (only available in Hebrew here), the PPA stated that organisations that are certified under and comply with ISO 27001 shall be considered compliant with most of the requirements of the Data Security Regulations.
Privacy and use of drones
On 29 March 2020, the PPA published guidelines explaining the privacy risks of drone use and how to mitigate them (only available in Hebrew here). In the guidelines, the PPA explains that the Privacy Law applies to the use of drones if such use generates a database, for example a database of photos, videos or other data about data subjects. The recommendations include:
- conducting a Privacy Impact Assessment prior to deciding whether to use a drone for the task at hand;
- identifying a significant justification for using a drone (i.e. a legitimate interest whose benefit outweighs the increased harm to the privacy of data subjects); and
- exploring alternative ways to complete the task using less invasive methods.
Direct mailing and marketing
The Privacy Law imposes certain obligations with respect to databases that are used for direct mailing and direct marketing services (as defined below). For example, any approach to a person in a direct mailing requires a notice that will disclose the fact that it is a direct mail, the sources of the personal information used for the direct mailing, the rights of the data subject to be deleted from the database or applicable mailing list, and similar matters. Direct mailing should be distinguished from spam activities.
The term 'direct mailing' is defined as 'any personal approach to a person, based on his belonging to a certain group in the population, determined according to a categorisation of the data subjects included in the database.' The term 'direct mailing services' is defined as 'direct mailing services to others by providing lists, stickers or other personally identifiable information to others for the purpose of direct mailing.'
In addition to the Privacy Law, Section 30A of the Anti-Spam Law provides a general prohibition on the publication of advertisements by means of the distribution of spam messages. An 'advertisement' is defined as a 'commercially distributed message whose purpose is to encourage the acquisition of a product or service or the expenditure of moneys in any other way.' An 'advertiser' is defined as 'the person whose name or address appears in the advertisement for communication purposes or for the acquisition of the subject of the advertisement, whose business the content of the advertisement may publicise […] or whoever markets the subject of the advertisement of another person.'
The general prohibition is on the communication of advertisements by an advertiser, using certain technological means, without the explicit consent of the recipient. In addition, even if consent of the recipient is obtained, the Anti-Spam Law requires that any advertisement sent to a recipient include the word 'advertisement' in the subject line as well as the contact details of the advertiser and the option for the recipient to unsubscribe from receiving future advertisements.
Additional legislation that regulates the protection of privacy in relation to specific types of information includes:
- the Credit Data Law, 5776-2016, which regulates the activities of entities that provide credit information services, and regulates the privacy of data subjects whose credit information may be collected, processed, and/or transferred by such entities;
- the Genetic Information Law, 5761-2000 (only available in Hebrew here), which regulates the activities of legal persons that are authorised to conduct genetic tests and provide genetic counselling, and regulates the privacy of data subjects whose genetic information may be obtained by such entities, including by way of the collection of samples and transfer of tests results; and
- the Patient's Rights Act (1996), which regulates the rights of patients and applies to any individual providing professional health services and/or medical institutions, and regulates privacy matters with respect to the medical information of such patients.
Entering places of work and commerce
In order to prevent the spread of the COVID-19 pandemic, places of work and commerce are required to monitor those entering their premises. Such monitoring may entail the collection of certain personal data relating to data subjects' health. On 8 May 2020, the PPA published recommendations (only available in Hebrew here) on how to implement said requirements, including:
- to avoid collecting personal data not required to be collected by law;
- not to use personal data collected for any other purpose;
- not to disclose the personal data unless disclosure is required by law; and
- not to retain the personal data if it is not necessary.
In order to prevent the spread of the COVID-19 pandemic, schools operate partially and a significant proportion of lessons are taught online. Students may connect to online lessons using commercial applications, such as Zoom and Microsoft Teams. On 20 August 2020, the PPA published recommendations aimed at assisting students, parents and schools to minimise the risks to students' privacy in connection with e-learning. Recommendations to students and parents include:
- setting strong passwords for access to the applications;
- installing anti-virus and firewall software on the computer used for e-learning; and
- covering the camera whenever use of it is unnecessary.
Recommendations to schools include:
- examining an application's level of information security when considering which application to use for e-learning; and
- allowing recording of lessons only by the teacher and only where necessary.