Client Update: New Database Maintenance Regulations
26/05/2017

On May 8, 2017, the Protection of Privacy Regulations (Information Security), 5777-2017 (the “Regulations”) were published. These Regulations will enter into effect on May 7, 2018.

The Protection of Privacy Law, 5741-1981 (the “Law”) prohibits managing or operating a database that is required to be registered under the Law without it being registered. The Information and Technology Authority of the Ministry of Justice serves as the Registrar of Databases in Israel (the “Registrar”). The Registrar is responsible for maintaining a register listing the databases that require registration. The Law requires a database to be registered if any of the following conditions is met: (a) the database contains information on more than ten thousand people; (b) the database contains “sensitive information”; (c) the database contains information on people that was either not provided by such people or was provided without their consent; or (d) the database is used for mail marketing purposes.

The Regulations are relevant to any organization with a database which includes private information about customers, suppliers or employees. For example, the Regulations apply to every organization that holds personal information about its employees, such as pay slips, information on performance of their work, health issues, resumes, etc. The purpose of the Regulations is to clarify the principles of information security related to the storage, use and management of information.

These Regulations, which seem to have been inspired by global information security standards, include for the first time a comprehensive and up-to-date arrangement with respect to existing legislation in the field of database protection.

The Regulations determine the classification of databases based on different levels of security. The classification is based on the types of information collected in the database, the sensitivity of the information, the purpose of the collection, the number of people whose information was collected, and the number of people who have authorized access to the database.

The Regulations distinguish between four different types of databases: a database managed by an individual; a basic security level database; a medium-security level database; and a high security level database. The higher the level of security required by the Regulations for a specific type of database, the more obligations there will be concerning its management and security. For example, an organization with one of the following types of information: medical information, genetic information, biometric information, communications data, information about a person’s consumption habits, information about a person’s assets, information about a person’s economic obligations or personal financial situation, will be classified at a medium security level. If such information is collected on 100,000 or more people or the number of people who are authorized to access the database is greater than 100, the database will be classified at a high security level.

The Regulations require database owners to implement various information security measures, which include the creation of comprehensive policies and procedures on information security, mapping out the information systems in the organization, conducting a risk assessment review, managing access authorizations, establishing identification and verification mechanisms, documenting security incidents, and the physical and environmental security of the database.

As part of the preparations for the entry into force of the Regulations, a database owner, even if its database is only subject to a basic security level, will be required to establish comprehensive and detailed security protocols. These protocols should include provisions regarding physical and environmental security of the database, access to the database and database systems, the security measures that have been deployed, existing security risks and manners of dealing with such risks as well as the use of mobile devices in the database.

In addition, any organization that wishes to outsource, and thus engage third parties for services that require access to the database, must examine, prior to the engagement, the security risks involved in such engagement and ensure that the engagement agreement addresses the specific provisions required by the Regulations.

The Regulations impose on database owners an obligation to report serious security incidents to the Registrar, including the steps taken in handling them. The Regulations grant the Registrar the authority to order such organizations to also provide such a report to each person who may be affected by the incident.

Violation of certain provisions of the Law regarding the registration of a database, data collection and its use may amount to a criminal offense. In addition, violation of the provisions of the Law in certain cases also constitutes a civil cause of action, and violation of the Regulations may result in a breach of the information security duty established by the Law.

Though the Regulations will come into force only in May 2018, we recommend that organizations operating databases take measures now to ensure they are compliant, especially since implementing the requirements set forth in these Regulations may take a significant amount of time.

This publication provides general information and should not be used or taken as legal advice for specific situations, which depend on the evaluation of precise factual circumstances.