Israel’s Privacy Protection Authority published a draft position paper on the privacy aspects of employers’ practice of requesting that job applicants waive their right to the confidentiality of their health information to facilitate the disclosure of that information to the prospective employer. The draft guidelines emphasize that such requests must be proportional, specific, and relevant to the requirements of the position for which the applicant is applying. Employers must refrain from having applicants sign broad confidentiality waivers. The employer must also re-evaluate at least once a year whether the continued retention of the health information is necessary and relevant.

The Authority emphasizes that health information is an extremely sensitive type of personal information. Employers must ensure that their request for health information will not lead to an unjustified and disproportionate violation of an applicant’s right to privacy. Given the imbalance of power between the employer and the applicant, employers must justify why the information is needed to evaluate the applicant’s suitability for the position.


Separately, the Privacy Protection Authority drafted recommendations regarding the protection of patient privacy when practitioners transmit health information using digital devices. The recommendations address a practice that has evolved in recent years, in which medical practitioners transmit health information using general-purpose software and apps (e.g., WhatsApp and Gmail), through devices owned by the medical institution or personally owned by the practitioners.

The Authority emphasizes the data breach risks in collecting and storing patient health information in devices or databases that are not sufficiently secure. A practitioner’s transmission of sensitive health information from a medical institution to another recipient, without proper approval or authorization, may, under certain circumstances, amount to a serious data security incident that must be notified.

The Authority recommends that medical institutions take steps to raise practitioners’ awareness of the privacy risks in transmitting health information using general-purpose software and apps. The Authority also recommends that medical institutions take steps to scale down practitioners’ use of software that is not intended for the transmission of health information and ensure that practitioners refrain from saving medical information about patients on personal devices.
