Privacy Protection Law
Database Registration Project
Criticism of the Law
The Privacy Protection Law of 1981 regulates the ownership and possession of electronic databases. A new provision was added in 1996 with the aim of protecting individuals from the collection and electronic storage of personal information while acknowledging the usefulness of databases.
The law stipulates that databases must be registered and that the information stored therein can be used only for the purposes for which it was registered. In addition, the law regulates the operation and management of databases.
Section 7 of the Privacy Protection Law defines a 'database' as "a collection of data kept by magnetic or optical means and intended for computer processing". This definition contrasts with that of the European Commission's Data Protection Directive by excluding traditional paper and microfilm files, and their owners.
A database's owner is responsible for registering it with the database registrar, who is accountable to the minister of justice. A database must be registered if it contains 'sensitive information' or information concerning more than 10,000 individuals. 'Sensitive information' is defined as personal and private data concerning an individual (eg, regarding health, economic conditions, opinions, faiths or beliefs). A credit card number is regarded as data related to an individual's economic status and, therefore, constitutes sensitive information under the law.
Databases that include information which was not provided by, or which was obtained without the consent of, the relevant individual must be registered, as must databases that are used for direct marketing.
The database registrar recently initiated a national database registration campaign. Following press releases and extensive advertising, registration requests were sent to approximately 100,000 individuals and companies with unregistered databases (including, for example, tax consultants, private hospitals, financial institutions and mobile telephone companies).
As part of the project, the registrar outlined the necessary content of applications, as well as the obligations that follow from registration. Database owners must be particularly aware of their duty to:
- issue a notice with any request that they receive for information, specifying the purpose of the data processing;
- allow an individual to inspect information relating to him or her and to request amendments to it; and
- protect all information stored in the database.
The registrar also highlighted the fact that an enforcement unit has been established to supervise the uses of databases in Israel. Previously, there was no significant enforcement of the database regulations. Recent action includes the filing of dozens of charges against government workers and private companies for infringement of database regulations.
This enforcement activity is expected to continue, given that database registration fees are being used to finance investigations into unregistered databases, among other things.
According to the broad definitions of the Privacy Protection Law, virtually all medium-sized businesses must register their databases and ensure that they meet the law's other requirements.
The Israeli Accountants and Auditors Council has protested to the database registrar, arguing that every employer that holds computerized information about, for example, employees' salaries must register under the law. The council claimed that registration not only places a heavy burden on employers but fails to serve the purposes for which the law was originally created.
The registrar agreed that the definition of 'sensitive information' may be too broad. However, the law remains unchanged and effective, and so all employers holding such data continue to be obliged to register.
For further information on this topic please contact Tally Eitan at Eitan, Pearl, Latzer & Cohen-Zedek by telephone (+972 9 970 9000) or by fax (+972 9 9709001) or by email ([email protected]).
An earlier version of this article first appeared on the Eitan, Pearl, Latzer & Cohen-Zedek website, www.technolawgy.com.