Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Personal data can be collected, stored and processed where:
- an individual has consented to this;
- the personal data has already been lawfully published and thus became legally public; or
- there is a specific legal provision which allows it.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The Israeli data protection and privacy laws do not include specific limitations regarding the period for which records must be retained.
However, specific requirements do exist with regard to certain kinds of data, such as medical (especially in hospitals) and credit data, which dictate that the relevant data be retained for specific minimum periods.
Also, as part of draft guidelines published by the Israeli Law, Information and Technology Authority (ILITA) with regard to identification numbers, ILITA has interpreted the term ‘consent’ of an individual as meaning an individual’s consent to the records being retained as long as required (and no longer).
The bottom line is that, generally, no explicit restriction has been imposed on the period for which an organisation may (or must) retain records.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes. Every individual is entitled to inspect, either himself or herself or through a representative authorised by him or her in writing or his or her guardian, any personal information about him or her that is maintained in a database (Section 13 of the Protection of Privacy Law).
Moreover, the Protection of Privacy Regulations (Conditions for Inspection of Data and Procedures for Appeal from a Denial of a Request to Inspect) (5741-1981) set out specific provisions regarding the schedule and manner of inspecting the data.
Do individuals have a right to request deletion of their data?
Yes, particularly where the individual finds that the data about him or her is incorrect, incomplete, unclear or out of date. In those cases, the individual may request that the owner of the database (or, if the owner is a foreign resident, the possessor thereof) amend or delete the information (Section 14 of the Protection of Privacy Law).
Moreover, an individual has the right to request the deletion of his or her personal data where:
- the owner of the database has no legitimate reason for retaining this;
- the data was collected in an illegal manner; or
- the owner does not safeguard the data in a proper and reasonable way.
However, where the owner has a legitimate and reasonable reason for maintaining the data and the data is correct and accurate, it has a legitimate interest in continuing to maintain the data, even if the data subject has requested its deletion.
In addition, where the database is used for direct mailing, any individual whose details are held in the database may demand, in writing, that the owner delete all information relating to him or her from the database (Section 17F(b) of the Protection of Privacy Law).
Is consent required before processing personal data?
Yes. An individual’s consent is required before personal data about him or her can be processed.
Section 11 of the Protection of Privacy Law provides as follows (emphasis added):
“A request to a person for information with a view to the keeping and use thereof in a database shall be accompanied by a notice indicating –
(1) whether that person is under a legal duty to deliver that information or whether its delivery depends on his volition and consent;
(2) the purpose for which the information is requested;
(3) to whom the information is to be delivered and the purposes of such delivery. ”
Moreover, Section 2 of the Protection of Privacy Law provides as follows:
“Infringement of privacy is any of the following: … (9) using, or passing on to another, information on a person’s private affairs otherwise than for the purpose for which it was given”.
Therefore, one cannot store or process personal data without notifying the individual regarding the purpose for which the information is required at the time the information is requested.
There are several exceptions to this rule, which are relevant in specific areas (eg, some credit checks and some medical events).
The term ‘consent’ is defined in the Protection of Privacy Law as meaning “informed, express or implied consent”.
If consent is not provided, are there other circumstances in which data processing is permitted?
As a general rule, no one may process (nor collect) personal data without the consent of the individual in question. Exceptions to the general rule may include cases where the personal data has already been lawfully published and thus become public.
What information must be provided to individuals when personal data is collected?
As established by Section 11 of the Protection of Privacy Law, individuals should be notified of the purpose for which the personal data being collected from them has been requested. Individuals should also be notified whether they are under a legal duty to deliver that information or whether its delivery depends on their volition and consent; and to whom the information is to be delivered and the purposes of such delivery (Section 11). However, this obligation does not necessarily apply where data is being collected under a specific provision of the law (which allows for certain data to be collected without the consent of the individual).
In practice, ILITA also recommends that the individual also be provided with the relevant database registration number at the time he or she is notified.
Click here to view the full article.