The Constitution, Law and Justice Committee recently approved the Privacy Protection Regulations (Data Security), 5767-2017, which enacts new and comprehensive norms for entities that manage or hold databases regarding data security procedures. In practice, these regulations affect many entities in the Israeli marketplace, from small businesses managing client information databases to large corporations.
For the first time in Israel, the regulation's requirements include the requirement to notify the Registrar of Databases of the Israeli Law, Information and Technology Authority in the Ministry of Justice of severe security events. In some cases, the Registrar may also require the database owner to notify data subjects in the event of a security breach that may harm the subjects.
The regulations will take effect one year after their publication in the Official Gazette, and as noted, it is expected that they will require many entities in Israel to prepare and adjust their database management operations and data security.
Division of Databases into Categories
The regulations differentiate between four different levels of databases, each with its own scope of requirements:
Databases Managed by an Individual – This category refers to any database that is managed by an individual or a corporation owned by an individual that can be used by the individual and up to two additional authorized users. The regulations exclude a database intended primarily to provide services, such as direct mailing services, a database that contains information regarding 10,000 people or more, and a database that includes information that is subject to professional confidentiality by law or under professional ethics.
This level is subject to a relatively limited scope of requirements, such as preparing a document describing the main characteristics of the database, physical protection of the database, taking measures to restrict access to the database, documentation of any events that raise concern of potential harm to the integrity of the information, its use, or any deviation from authorized use, limiting the potential of linkage with portable devices, secure management of the database, and restricting linking of the database to the internet.
Databases with Basic Level Security – This category refers to any database that does not fit any of the other database level categories listed in the regulations.
In addition to the requirements that are applicable to databases managed by an individual, this database is subject to further requirements, such as appointing a data security officer, defining data security procedures and updating them annually, mapping out the database system, securing data regarding personnel management and authorized user management, provisions relating to identification and authentication, and provisions regarding outsourcing and maintaining security data.
Databases with Medium Level Security – This category refers to any database that has more than ten authorized users and meets one of the following conditions: (a) its primary purpose is gathering data for the business of delivery to another party including direct mailing services; (b) it is owned by a public authority; (c) it includes sensitive data regarding one of these topics: personal private information, medical or mental health information, genetic information, information regarding political beliefs and religion, criminal history information, contact information, biometric information, information regarding a person's financial status, and a person's consumption habits.
In addition to the requirements applicable to databases with basic level security, these databases are subject to further requirements, such as strict data security procedures, periodic training of authorized users at least once every two years, strict guidelines regarding identification and authentication, management of an automatic mechanism for logging access to the database system, obligation to report any serious security breach, periodic reviews at least once every 24 months, classification of employees, and establishing data backup procedures.
Databases with High Level Security – This category refers to any database intended primarily to gather data to be delivered to another party, including direct mailing services, or that contains sensitive information, provided that it holds data pertaining to 100,000 people or more or the number of authorized users who have access to the data is over 100 people.
All requirements of the regulations apply to this category of databases. In addition to adhering to the requirements that are applicable to databases with medium level security, further requirements must be met, such as conducting data security risk surveys and executing infiltration tests at least once every 18 months.
Any violation of the requirements listed in the regulations may be subject to administrative and criminal sanctions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.