Data protectioni Requirements for registration
The Privacy Law 5741-1981 (the Privacy Law) regulates the matter of databases and their registration. The Privacy Law defines a database as 'a collection of data, maintained by magnetic or optical means and intended for computer processing'.
Data is defined under the Privacy Law as 'information about an individual's personality, personal status, intimate affairs, health condition, financial condition, professional qualifications, opinions or beliefs'.
Under the Privacy Law, it is necessary to register a database if, inter alia, it:
- contains information on more than 10,000 individuals;
- contains sensitive information (see subsection iii);
- contains information about persons that was not provided by them, on their behalf or with their consent; or
- is used for direct mailing.
Human resource databases in workplaces are generally considered to include sensitive information and, consequently, should be registered according to the Privacy Law. In addition, no person may use the information in a registered database except for the purposes for which it was established.
Under the Privacy Law, the owner of a database, the holder of a database and the manager of a database are each individually responsible for the protection of the data in the database. The Privacy Law defines data protection as protection of the integrity of the data, or protection of the data against exposure, use or copying, all when done without due permission. It is customary to limit access to a database to individuals who have reasonable needs to use the information included in the database. On 8 May 2018, the Protection of Privacy Regulations (Data Security) 5777-2017 came into force. These Regulations establish a broad and comprehensive arrangement regarding the physical and logical protection of databases and their management.ii Cross-border data transfers
The export of data outside Israel from a database within Israel is regulated by the Protection of Privacy Regulations (Transfer of Information to a Database Outside the State Borders) 5761-2001. The regulations prohibit the transfer of data from a database in Israel to a database located abroad, unless the receiving country ensures a level of protection of data that is not lower than the protection provided for under Israeli law.
In addition, the regulations lay down conditions that enable the transfer of data from a database in Israel to a database abroad, even when the overseas law provides a level of protection that falls below that which is provided under Israeli law. The conditions include, for example, obtaining the individual's consent to the transfer of the data and that the data is transferred to someone who has agreed to fulfil the conditions laid down in Israel.
In addition to the conditions, the regulations state that the owner of the database must ensure (by way of written obligation), that the recipient takes steps to ensure privacy of data subjects, and that the data shall not be transferred to any other person. Accordingly, onward transfer of information to a third party is not permitted, unless the owner of the database entered into a direct agreement with such third party, which includes, inter alia, the above requirements.iii Sensitive data
Under the Privacy Law, sensitive data is defined as 'data on a person's personality, intimate (i.e., private) affairs, state of health, financial conditions, opinions and beliefs'. Sensitive data is interpreted very broadly by the Israeli courts, as encompassing types of personal information that are not specifically mentioned in the definition of data or sensitive data, all depending on the specific circumstances of the matter.
If the company maintains sensitive data by electronic means for processing, it is required to register a database.iv Background checks
Candidate background checks must respect the individual's right to privacy, and be reasonable, relevant, proportionate and carried out in good faith.
For publicly available information, there is no specific requirement for obtaining an individual's consent. For non-public information, the need for prior written notice and informed consent depends on the circumstances.
Requesting information with respect to protected criteria under the Employment Equal Opportunities Law 5848-1988 (e.g., regarding race, gender, age, religion) will usually shift the burden of proof to the company in the event of a discrimination claim, to show that it did not unlawfully take into account any such protected criteria in making the employment decision.
Criminal background checks are generally not permitted. Even requesting a candidate to provide a declaration about his or her criminal history is regarded as unlawfully circumventing the legislation, unless the employer specifies which types of offences or investigations it requires information on, and demonstrates that this is relevant for the position in the circumstances.
According to the Credit Information Services Law 5762-2002, an employer is entitled to receive a report regarding a candidate's credit information from a licensed authority, for employment purposes where relevant to the position. There is only a need to notify the candidate if the employer decides, based on the credit report, not to hire him or her. However, it is expected that, on 12 April 2019, a new Credit Data Law (which was enacted in 2016) will come into force (the New Credit Law), which completely prohibits the employer from requesting or obtaining information regarding credit data and credit rating for purposes of employment, including through a questionnaire or declaration from the candidate. The New Credit Law also provides that the courts will have the power to oblige a person who requested or received credit data information in violation of the provisions, to pay the candidate compensation without proof of damage. The New Credit Law is expected to replace the 2002 law.
It is forbidden to request information regarding military and genetic profiles.