1. New Guidelines for Employers on Use of Surveillance Cameras.
The Privacy Protection Authority (the "PPA"), formerly known as the Israel Law, Information and Technology Authority or ILITA, has published new guidelines for employers regarding the use of surveillance cameras (the "Guidelines"). These guidelines supplement guidelines issued by the PPA in 2012 regarding use of surveillance cameras generally (see our legal update at http://www.arnon.co.il/files/e3b84790d602b8d3179de6a92b2be89a/34.%20Database%20Registrar%20Directive%20-%20Surveillance%20Cameras_0.pdf).
The principle underlying the Guidelines is that "in a place where technological monitoring is carried out on a regular basis, the employee cannot enjoy one moment of grace in which he would feel left alone, without an external gaze upon him and his actions. Even worse, recording and storing the images allows the employer to examine the employee's past conduct and demand an explanation for every act or omission, minor or archaic, without the employee being able to rely on the tempering effect of human forgetfulness and the moderating power of the context and the time in which the deeds were done". In response to this problem, the Guidelines were implemented, restricting the employer's use of surveillance cameras and of the information stored therein.
The employer's managerial prerogative to implement surveillance technologies at the workplace is subject to the legal obligations of compliance with the principles of reasonableness, proportionality, good faith and fairness.
The "legitimacy principle" restricts the employer's collection and use of personal information regarding his/her employees to what is needed for specific purposes that are both vital for the workplace and consistent with the employer's business purposes. In all other cases, video monitoring will only be permitted where expressly sanctioned by law or the order of a competent authority (for example, a request from various supervisory bodies to receive or collect data). Depending on the circumstances, the following may serve as legitimate grounds for use of cameras in the workplace: (a) personal safety of personnel, (b) protecting property in the workplace, (c) ensuring security of sensitive personal data and systems used to manage it and (d) disciplinary needs and customer service quality control.
Use of images for any purpose other than that determined at the outset is forbidden, even if the new purpose is legitimate in itself. For example, recordings from a camera installed by the employer for purposes of control of the entrance to the premises or for security purposes cannot be used for managerial or disciplinary purposes such as monitoring the employees' productivity or documentation of the duration of the employees' breaks.
The "proportionality principle" dictates that use of cameras be proportionate in light of the business need as balanced against the violation of employee rights inherent in such use. Proportionality is determined, inter alia, in accordance with the following criteria:
- Camera location: Filming is not permitted in restrooms or dressing rooms. Additionally, a space, room or work station used by the employee for the performance of his/her work, and which is not accessible to the public, is deemed to be a "private domain" in which the employee will have an expectation of privacy, free from constant monitoring.
- Rarely would an employer have a legitimate interest that would justify the use of cameras in an office or work station in which standard office activities are performed (such as typing on the computer or conducting phone calls). Such filming would generally be deemed to be a disproportionate and unreasonable infringement of employee privacy.
- Conducting constant filming of a room or a computer station at which the employee performs his work, for the purpose of enforcement of internal discipline such as the authorized break length or the prohibition of idle conversation between colleagues, infringes the employee's privacy to an unjustified extent and is therefore forbidden.
- Conversely, public spaces such as the corridors, the entrance hall and especially areas which are accessible to the business' customers and the public, are not deemed to be private domains in which the employee would have a heightened expectation of privacy. Therefore, use of cameras in such public areas for legitimate purposes is more reasonable, as long as such use is proportionate and the employees have been notified of the same.
- In all cases, alternative means that would cause less harm while still achieving the desired goal should be explored.
- Design of the surveillance system: the area covered, the number of cameras, the times of recording, the resolution of the footage and the duration for storing the images should be carefully considered.
Exaggerated use of surveillance technologies that disproportionately violates employees' right to privacy puts the employer at risk of administrative and criminal sanctions, as well as exposure to civil suits (including possible payment of statutory damages without the obligation to prove actual harm). Additionally, such use may constitute grounds for an employee to resign, with such resignation deemed to be termination by the employer for purposes of entitlement to severance pay.
In general, it is prohibited to install hidden cameras or film an employee without the employee's knowledge. The employer may not obtain "consent in principle" from the employees for the general, unspecified right to install or use hidden cameras in their offices at the employer's discretion.
Prior to the installation of the cameras, a clear and detailed policy must be formulated regarding the existence of the cameras, how they are used, the scope of such use, the purposes of their installation, the data collected by them, etc. This policy should be provided to the employees. The policy should be reviewed and updated by the employer from time to time and provided from time to time to the employees in order to ensure that they are aware of the existence of the policy and its content.
Data collected by means of surveillance cameras is deemed personal and the recordings are deemed a "database" under the Protection of Privacy Law 5741-1981 and consequently are subject to database registration, data security and other requirements under such law.
2. Guide to New Data Security Regulations.
Last spring, the Israeli Parliament approved the Privacy Protection Regulations (Data Security) 5777-2017 (the "Data Security Regulations"). The Data Security Regulations will come into effect in May 2018 and will impose substantive obligations on database owners and data processors (called "database holders" under Israeli law). In order to assist the process of the implementation of the Regulations, the PPA recently published a guide to implementing the Data Security Regulations on its website (the "Guide"). While the Guide mainly rephrases the requirements of the Regulations, it also provides certain additional information that may be useful to companies as they work towards compliance with the Data Security Regulations.
The Data Security Regulations establish four categories of databases which consider data sensitivity, how data is used, the number of individuals having database access and the number of data subjects. They impose various obligations on the database owners and holders based on these categorizations. One of these obligations is preparation of three documents regarding the company's databases, addressing data use, security and database architecture. The Guide provides tips on creating these mandatory documents. The Guide also proffers some of the reasoning behind the security measures of the Data Security Regulations, such as the role of human error in data breaches, the significance of which has led to the regulation of the procedures used for choosing which personnel would have access to the company's databases, considering the database's security level and the extent of access granted to the employee. The Guide emphasizes the reasoning for regulating the use of mobile devices or imposing security measures when a database is linked to the Internet. The Guide also underscores the importance of creating "institutional memory" of security breaches and provides certain guidance as to which technological means could be used to document the same.
The Guide emphasizes two innovations of the Data Security Regulations:
- The Data Security Regulations create a new obligation for owners of medium and high security databases to notify the Database Registrar of "serious data breaches" in which there is unauthorized use of database information, or compromise in data integrity. As the Protection of Privacy Law defines "use" as "disclosure, transfer and delivery", mere access to the database, even without data use or copying, would still be deemed a serious data breach for which notification of the Database Registrar would be required.
- The Guide also emphasizes that the Database Registrar has discretion to absolve certain types of databases, as well as databases of certain sectors, from compliance with the provisions of the Data Security Regulations, so as to minimize the procedural and bureaucratic onus upon database owners.