Law Library of Congress, Global Legal Monitor

Israel: Online Privacy Protection Regulations Adopted

(June 14, 2017) Comprehensive regulations for the protection of information stored online went into effect in Israel on May 8, 2017. (Protection of Privacy (Information Security) Regulations, 5777-2017, KOVETZ HATAKANOT [COLLECTION OF REGULATIONS] (Subsidiary Legislation) No. 7809 p. 1022, Ministry of Justice website (in Hebrew) (scroll down listings to No. 7809 to access).) The following are some of the key provisions of the Protection of Privacy (Information Security) (PPIS) Regulations on the operation of databanks.

Databank Definitions Document (DDD)

The PPIS Regulations require all databank owners to define and update on a yearly basis their Databank Definitions Document (DDD) to include information on the methods of collection, use, and type of data saved; data transfer or use outside of Israel; data processing activities; main security risks and ways to address them; and names of the databank owner or possessor and of the person in charge of information security, if one has been appointed. (Id. § 2.)

Groups of Databanks

The PPIS Regulations divide databanks into four groups according to the level of information security they require:

  1. Databases not requiring a specific level of security: those managed by an individual or by a corporation owned by an individual, accessible to that individual and to no more than two additional persons, and excluding databases “whose primary objective is the collection of data for delivery to other entities as a business, including by targeted mail”; that do not contain information on 10,000 persons or more; and that do not contain information subject to professional confidentiality under the law or professional ethics. (Id. § 1.) “Targeted mail” is defined as mail that is directed at a person based on his/her belonging to a segment of the population, an affinity determined on the basis of one or more characteristics of persons whose names are included in a database. (Questions and Answers on Registration of Databanks, THE ISRAELI LAW AND TECHNOLOGY AUTHORITY (scroll down to item 3) (last visited June 12, 2017).)
  2. Databases requiring basic-level security: those that are not managed by an individual, that are accessible by no more than ten persons, and that contain information that is exclusively used for administration of a business and do not contain information on a person’s private life, political or religious affiliation, or biometric or confidential genetic characteristics. (PPIS Regulations, Appendix 1 § 2.)
  3. Databases requiring mid-level security: those that are owned by a public body or that are principally intended “to collect data for delivery to another entity as a business, including by targeted mail,” and that generally include sensitive information, such as medical, genetic, or biometric information, information on a person’s private affairs, and information on a person’s political or religious beliefs. (Id. § 1.)
  4. Databases requiring high-level security: in general, those that would otherwise require mid-level security but include information on more than 100,000 people or that are accessible by more than 100 persons. (Id. Appendix 2.)

Protection Procedures

Databank owners are required to establish specific procedures for data protection. Data protection procedures will be disclosed to and must be followed by access permit holders only to the extent needed for performance of their job. (Id. § 4(a-b).) An access permit holder is defined as an individual who has obtained an access permit from the owner or possessor of a database to the databank’s stored information or systems, or to a component needed for operation of or access to the databank. (Id. § 1.)

The databank owner must create a data protection procedures document that includes, among other information, instructions on the physical protection of the databank, on access permit holders, and on possible security risks and responses that take into consideration the severity of a breach and the level of sensitivity of the data. (Id. § 4(c).) Supplemental information must be added by owners of databanks that are subject to mid- and high-levels of protection, to include references to means of identification and certification of those given access to the data, control of data use, instructions for the conduct of periodic audits, and backup procedures. (Id. § 4(d).)

Systems Specification and Risk Analysis

A databank owner must retain and keep updated a document that includes the databank structure and a list of its systems, including its infrastructure, telecommunications and security protection, operating system software, a diagram of the network on which the databank operates, and the connections among its different components. Special rules apply to databanks depending on their level of security. The document will be shared with access holders only to the extent needed. (Id. § 5(a-b).) At least once every 18 months owners of high-level security databanks must conduct a survey of the databank’s data security, analyze the security risks, and correct the errors identified. Such owners are also responsible for testing the susceptibility of the databank systems to internal and external security risks. (Id. § 5(c-d).)

Physical, Environmental, and Personnel Security

Databank owners must ensure that the systems enumerated above are protected. Owners of mid- to high-level security databases must also control and document any entry to and exit from the databanks. The Regulations also require caution in selection and placement of employees to operate databanks, with additional requirements applicable to mid- and high-level security databanks. (Id. §§ 6-7.)

Telecommunications

Databank owners may not connect databank systems to the Internet or to any other public system without installing proper protection against unauthorized penetration of the system or against software capable of causing damage to hardware or other software. Moreover, the transfer of information from a databank on a public system or the Internet must utilize common encryption methods. The identity of the user and his/her grant of permission to use the databank will be verified. Access to databanks at mid- and high-levels of security must be provided through a means that is subject to the exclusive control of the access permit holder. (Id. § 14.)