At the end of March, 2017, the Constitution, Law and Justice Committee of the Knesset approved the Privacy Protection Regulations (Information Security), 2017 (the "Regulations"), which will apply to all entities in Israel that manage or hold a database, as defined in the Protection of Privacy Law, 1981 (the "Law").
The Regulations establish a broader and more comprehensive arrangement regarding the physical and logical protection of databases and their management than applied until now under the Law and the regulations of 1986. The Regulations establish rules and mechanisms whose aim is to prevent the misuse of personal information, both by entities within an organization and by outside parties.
The Regulations distinguish between four types of databases: (1) databases managed by an individual; (2) databases having a basic level of security; (3) databases having a medium level of security; and (4) databases having a high level of security. As a result, the provisions set out in the Regulations apply according to the type of database.
It should be noted that most of the obligations set out under the Regulations apply not only to the owner of the database but also to the database manager and to the holder of the database. The main obligations set out under the Regulations are the following (these obligations do not apply to all databases, and they should be complied with based on the type of database, as detailed in the Regulations):
- Formulation of a database definition document - a database definition document should be prepared, including a general description of the information collected and used; a description of the purpose for which the information is used; the various types of information included in the database; and details on the transfer of the database outside of Israel. The document will be updated whenever there is a significant change, and the necessity of retaining the information in the database will be checked once a year.
- Security Procedure - An information security procedure document will be drafted and will include, inter alia, provisions regarding the physical and environmental security of the database's sites; access to the database; description of security measures which apply to the database's systems; persons who are authorized to access the database; risks which the database may give rise to and how to deal with such risks, ways to deal with information security events, etc.
- Mapping the systems and risk surveys - an updated document containing the structure of the database will be maintained and will include information concerning the database's infrastructure and hardware systems, the types of communication and information security components, the software systems used to operate the database, management and maintenance of the database, information security risks and penetration tests for the database systems, etc.
- Physical and Environmental Security - The database's systems will be retained in a protected location, which is consistent with the nature of the database's activity and the sensitivity of the information maintained within it.
- Access permissions management - Access permissions to the database will be determined according to job definitions. In this regard, an updated list of valid permissions will be maintained, and access to the database will need to be specifically authorized. Granting access permission, or changing its scope, will occur only after reasonable measures are taken, of the kind customary in the process of screening and assigning employees.
- Security Event Documentation - A database owner will record all security events in connection with the database.
- Mobile devices - The owner of the database shall limit or prevent the possibility of connecting mobile devices to the database systems or shall take protective measures while considering the special risks associated with the use of a mobile device.
- Communication security - The database systems shall not be connected to the Internet or to any other public network without the installation of appropriate means of protection from unauthorized intrusion, or from programs capable of causing damage or disruption to the computer or computer material (including the use of accepted means of encryption).
- Outsourcing - The Regulations set out obligations regarding contracts with various external entities for the purpose of obtaining services which involve providing access to the database.
- Backup and recovery - Depending on the level of sensitivity of the information of the database, formal procedures will be established in order to perform data backup and recovery.
- Periodic audits - Internal or external auditing by an entity with appropriate training for auditing information security other than the database's security officer, in order to ensure compliance with the provisions of the Regulations.
The Regulations allow the Registrar of Databases to exempt a specific database from the information security obligations or to apply certain security obligations to a specific database, if justified under the circumstances, inter alia, considering the size of the database, the type of information found within it, the scope of activity of the database or the number of persons authorized to have access to the database.
In addition, the Registrar of Databases may determine that a person who complies with the provisions of a guideline document in the matter of information security (namely an official standard, Israeli standard or international standard as defined in the Standards Law, 1953 or other document approved by the Registrar in this matter) or the instructions of a competent authority (a public body authorized by law to give instructions regarding information security) in respect of information security applicable to it, shall be deemed to comply with the provisions of the Regulations, in whole or in part.
In addition, the Regulations determine, for some types of databases, an obligation to report to the Registrar of Databases regarding serious information security events (as specified in the Regulations), in which case the Registrar of Databases may order that data subjects who may be harmed by the incident be notified accordingly. The Regulations will come into force within one year from their publication. It should be noted that the final version of the Regulations has not yet been published in the Israeli Records, and accordingly the period of one year has not yet commenced.