New Data Security Regulations Contain New Requirements For Database Administrators

Author: Barnea & Co
Profession: Barnea & Co

The Constitution, Law and Justice Committee recently approved the Privacy Protection Regulations (Data Security), 5767-2017, which enact new and comprehensive norms regarding data security procedures for entities that manage or hold databases. In practice, these regulations affect many entities in the Israeli marketplace, from small businesses managing client information databases to large corporations.

For the first time in Israel, the regulations include a requirement to notify the Registrar of Databases of the Israeli Law, Information and Technology Authority in the Ministry of Justice of severe security events. In some cases, the Registrar may also require the database owner to notify data subjects in the event of a security breach that may harm the subjects.

The regulations will take effect one year after their publication in the Official Gazette, and as noted, it is expected that they will require many entities in Israel to prepare and adjust their database management operations and data security.

Division of Databases into Categories

The regulations differentiate between four different levels of databases, each with its own scope of requirements:

Databases Managed by an Individual - This category refers to any database that is managed by an individual or a corporation owned by an individual that can be used by the individual and up to two additional authorized users. The regulations exclude a database intended primarily to provide services, such as direct mailing services, a database that contains information regarding 10,000 people or more, and a database that includes information that is subject to professional confidentiality by law or under professional ethics.

This level is subject to a relatively limited scope of requirements, such as preparing a document describing the main characteristics of the database, physical protection of the database, taking measures to restrict access to the database, documentation of any events that raise concern of potential harm to the integrity of the information, its use, or any deviation from authorized use, limiting the potential of linkage with portable devices, secure management of the database, and restricting linking of the database to the internet. 

Databases with Basic Level Security - This category refers to any database that does not fit any of the other database level categories listed in the regulations.

In addition to the requirements that are applicable to databases...
