
Israel: Data protection compliance and data storage and processing service providers: Part 5

On 2 November 2020, the Israeli Privacy Protection Authority ('PPA') published its fifth report [1] ('the Report') in a series of reports on the findings of its supervision process regarding compliance with the Protection of Privacy Law, 5741-1981 ('the Law'), and the Protection of Privacy Regulations (Data Security), 5777-2017 ('the Regulations'). The Report details a cross-sectoral inspection of data storage and processing service providers, i.e. providers of software as a service (SaaS) or platform as a service (PaaS), including applications, interfaces and development platforms, as well as infrastructure services. It highlights the unique challenges of this sector, whose databases contain various types of identifiable data, including sensitive data. Dan Or-Hof, Founder of Or-Hof Technology and IP law firm, analyses the Report, the widespread data protection compliance deficiencies of data storage and processing service providers identified therein, and the accompanying PPA guidance for remediating those deficiencies.


Report overview

During 2018-2019, the PPA conducted a large-scale supervision process on the state of privacy compliance in Israel in relation to data protection governance, database management, information security and outsourcing.

In the framework of the supervision process, the following sectors were inspected: medical service providers and labs, educational online platforms for children and educational institutions, data storage services, tourism, non-profit organisations, unions and loyalty programs.

The supervision process focused on certain sectors in the Israeli market, and the Report refers only to the findings of the supervision process on data storage and processing service providers.

The unique characteristics of this industry require adherence to strict rules in relation to all aspects inspected in the framework of the supervision process (i.e. data protection governance, database management, information security and outsourcing).

The PPA determined that storage and processing service providers fail to acknowledge their regulatory position as database holders and, accordingly, have also failed to acknowledge their statutory information security obligations under the Law and the Regulations.

The PPA has set the following compliance levels with the Law and the Regulations:

  1. High level of compliance – between 80% and 100%
  2. Medium level of compliance – between 50% and 80%
  3. Low level of compliance – less than 50%

In accordance with the scale indicated above, the Report presents the reviewed criteria from the lowest level of compliance to the highest.

Outsourcing

Out of all the criteria, outsourcing was found to have the lowest level of compliance.

According to the Report, 71% of the inspected service providers showed only partial compliance or were non-compliant with the Law and the Regulations in relation to outsourcing: 18% of the inspected service providers showed a low level of compliance, and the remaining 53% a medium level of compliance.

The deficiencies found in relation to outsourcing

  • The inspected service providers do not take sufficient steps in advance to assess the level of risk to which data subjects might be exposed, whether arising from the providers' own position as service providers or from their use of third-party outsourcing services.
  • The inspected service providers do not properly monitor third-party outsourcing service providers' compliance with their obligations under the outsourcing agreements and the Regulations.

The PPA's guidelines for remediating the deficiencies

  • The inspected service providers must execute an outsourcing agreement with each third-party outsourcing service provider that includes all the provisions required by Article 15(a)(2) of the Regulations. These include, inter alia, the outsourcing service provider's obligation to report to the database owner, at least once a year, on its performance under the Regulations and the outsourcing agreement, and to notify the database owner when a security event occurs.
  • The inspected service providers must implement appropriate controls and supervision measures to ensure the third-party outsourcing service providers' compliance with the Regulations and the outsourcing agreement.

Data protection governance

According to the Report, 31% of the inspected service providers attained a medium or low level of compliance with the Law and the Regulations in relation to data protection governance, while 69% of the inspected service providers complied with the Law and the Regulations in a satisfactory manner.

Deficiencies found in relation to data protection governance

  • Database managers were not appointed as required or, in other cases, were appointed without proper appointment letters.
  • Deficiencies in documenting the periodic training of employees with access to databases.
  • Some of the inspected service providers did not perform penetration tests at all, or performed them insufficiently, despite being subject to the high security level under the Regulations, which mandates such tests.

The PPA's guidelines for remediating the deficiencies

  • The inspected service providers should register their existing databases and make sure that the identity of the registered database managers reflects the identity of those managers in practice. [2]
  • The inspected service providers should appoint database managers with proper appointment letters in accordance with the Law and the Regulations and, where required by the Law, should also appoint information security officers.
  • The inspected service providers should train employees with access to databases at least once every two years. The training should be delivered by presentation and documented.
  • The inspected service providers should immediately complete internal information security audits, risk assessments and penetration tests in accordance with the Regulations.

Database management

According to the Report, 15% of the inspected service providers attained a low and inadequate level of compliance with the Law and the Regulations in relation to database management. Another 15% attained a medium level of compliance, and 70% of the inspected service providers complied with the provisions of the Law and the Regulations in a satisfactory manner.

The deficiencies found in relation to database management

  • Lack of transparency regarding the lawful grounds for collecting personal information.
  • Data subjects are not informed of their rights with respect to the personal information that relates to them and is held in the databases, such as the right to access that personal information. [3]

The PPA's guidelines for remediating the deficiencies

  • Database owners should map their existing databases and, accordingly, register all unregistered databases or update existing registrations.
  • Database owners must provide appropriate notices to data subjects in order to obtain their informed consent to the lawful use of their personal information.
  • Database owners should ensure that any direct mailing to data subjects follows the requirements of the Law, including, inter alia, an indication that the message constitutes direct mailing, the identity and address of the database owner, the source of the information, and the recipients of that information. [4]
  • Service providers holding five or more databases belonging to different owners must submit to the Databases Registrar (part of the PPA), once a year, a list of the databases they hold, specifying the database owners' names, together with an affidavit stating that the agreements with the database owners specify the access authorisations for each database.

Information security

According to the Report, 81% of the inspected service providers complied with the Law and the Regulations in a satisfactory manner in relation to information security, and only 19% of the inspected service providers attained a medium or low level of compliance.

The deficiencies found in relation to information security

  • Service providers subject to the medium or high security level failed to implement a physical means under the exclusive control of the authorised user (i.e. a possession factor for authentication) for accessing the database via the internet.
  • Deficiencies in managing authorised access to the databases, such as failing to grant access authorisations on a need-to-know basis only.
  • Failure to implement information security measures in accordance with the Regulations in addition to the ISO 27001 standard, as required by the PPA's Directive No. 03/2018 ('the PPA Directive').
  • Lack of documentation of information security incidents.

The PPA's guidelines for remediating the deficiencies

  • The inspected service providers should establish security procedures in accordance with the Regulations' requirements and periodically examine that they remain valid.
  • Database holders among the inspected service providers must ensure that access to a database is authorised only in accordance with their agreement with the database owner. Inspected service providers holding five databases or more must appoint a security officer.
  • The inspected service providers must have an annual work plan in accordance with the Regulations and must perform an internal or external information security audit every two years, conducted by suitably qualified professionals other than their own security officer.
  • The inspected service providers must implement information security measures that satisfy not only the requirements of ISO 27001 but also the requirements of the Regulations, pursuant to the PPA Directive.
  • The inspected service providers should put in place proper authorisation mechanisms for database access, in accordance with the Regulations, ensuring that only authorised employees have access to a database, and only to the extent required for the performance of their roles.
  • The inspected service providers should properly manage portable devices, including by restricting access to databases from such devices, implementing appropriate security measures, and using adequate encryption methods.
  • The inspected service providers should implement sufficient physical security measures in accordance with the Regulations, ensure that access to databases requires a physical means under the exclusive control of the authorised user, properly document security incidents, and automatically disconnect sessions after a period of inactivity.
  • The inspected service providers should have the necessary information security procedures in place and make sure that these procedures undergo annual review, as required under Article 4 of the Regulations.

Conclusions

Outsourced data storage and data processing pose risks to data subjects' privacy. Mitigating these risks requires adherence to the regulatory provisions, transparency towards data subjects, and proper direct marketing practices.

In light of these findings, which demonstrated cross-sectoral deficiencies, the PPA did not approach the inspected service providers individually. Instead, it clarified that a company supplying storage or back-up services, including by providing storage facilities and hardware, is considered a database holder even if the stored information is encrypted and the encryption keys are held exclusively by the database owner. As a result, all obligations under the Law and the Regulations apply to data storage and processing service providers, including in their capacity as database holders. [5]

The cross-sectoral inspection of data storage and processing service providers revealed deficiencies and gaps in compliance with the Law, particularly in the processing of information through third-party outsourcing service providers and in the documentation of security events. In addition, some of the inspected service providers failed to inform data subjects about the source of the information and about their rights under the Law to access, rectify and erase inaccurate data.

The PPA's supervision process has prompted the inspected service providers to conduct a comprehensive self-assessment of their privacy and information security compliance.

Dan Or-Hof, CIPP/E, CIPP/US, Founder
Or-Hof Technology and IP law firm, Tel Aviv


1. The full report is available (in Hebrew) at https://www.gov.il/BlobFolder/reports/audit_report_database_companies/he/dtatbase%20compeny.pdf.

2. We note that database registration has never been the subject of enforcement actions by the Protection of Privacy Authority, that the Ministry of Justice is in the process of re-introducing a bill to amend the Law which would significantly reduce the scope of database registration, and that in practice only a small fraction of Israeli companies and organisations have registered their databases.

3. We note that these findings go beyond the requirements of the Law. Neither an indication of the lawful grounds for collecting personal data nor an indication to data subjects of their rights under the Law forms part of the notice requirements under the Law.

4. We note that the Law does not require a direct mailing message to disclose the recipients of the information. In this respect, therefore, the Protection of Privacy Authority's guidance goes beyond the requirements of the Law.

5. We note that under the Law, a 'database holder' is defined as a person who has a database in their possession on a regular basis and is permitted to use the database. The definition of 'use' under the Law is open-ended; under that definition, 'use' includes disclosure, transfer and delivery. Presumably, a service provider that stores encrypted data to which only the client holds the encryption keys cannot use the data, though arguably the service provider can be deemed to be 'disclosing, transferring or delivering' the data in encrypted form. Accordingly, the link the PPA draws in its guidance between its position and the provisions of the Law is questionable.