Privacy Protection In Outsourcing Services

Author:Ms Maya Racine-Netser and Dan Sharot
Profession:Herzog Fox & Neeman

The Israeli Law, Information and Technology Authority (ILITA), the authority in charge of enforcing privacy laws in Israel, has recently published guidelines on the use of outsourcing services for the purpose of managing and processing private information.

Any company that holds information or manages private information of Israeli citizens and outsources any aspect that requires the transfer of private information should be aware of these guidelines and should review its agreements to see whether it complies with them. Likewise, any company providing outsourcing services which include handling private information of Israeli citizens should be aware of these guidelines, as they will also need to comply with them. The Israeli Protection of Privacy Law defines the term private information, and any company which handles information of Israeli citizens should seek legal advice if it has any doubt whether the law applies in their case.

The guidelines are bound to come up in future negotiations when companies will need to justify stringent provisions on matters such as audit rights or requirements to adhere to certain security measures. As a side note, if the outsourcing is offshored the parties also need to comply with the relevant regulation from 2001 that deals with the transfer of data out of Israel (the Protection of Privacy (Transfer of Data Abroad) Regulations). The guidelines deal with all the aspects of the outsourcing project, from the decision as to which services to outsource, choosing the contractor, drafting the agreement, and dealing with the ongoing relationship during the provisions of the services, in particular the auditing and supervision of the service provider, and the conduct of the parties following the termination of the relationship. The following is a brief overview of these guidelines.

As a general rule, an organization outsourcing activities relating to the processing and managing of private information, should opt for a limited contract in which the contractor only has limited access to the information that is necessary for the specific service provided. The contractor should not be provided access to all the data which that organization holds unless there is a good reason for this practice. Outsourcing any service that requires transferring an entire database or outsourcing a service that requires handling private information, from the stage in which the information is gathered to the processing of information, should be justified,...

To continue reading