In May 2018, the Privacy Protection Regulations came into effect. They were published in close proximity to the European General Data Protection Regulation (GDPR).

The Israeli Privacy Protection Regulations Law:

The 1981 Privacy Protection Law and the 2018 Privacy Protection Regulations are the laws established in Israel to protect the privacy of Israeli citizens, and apply to any organization in Israel (private or public) that stores personal/sensitive data. The purpose of the laws is to make information security in the organization an integral part of its management routine.

European GDPR regulation:

GDPR is the European privacy protection law that began to apply in 2018 to any company that holds personal/sensitive data of European citizens, even if the company is not based in Europe. The purpose of the GDPR is to maintain the citizen’s privacy rights and create information security in all stages of product development.

The Israeli Information Security Privacy Protection Regulations Law

As a result of the introduction of these regulations, the level of personal information security in our country took a leap forward. Information security, in the sense of the privacy protection regulations, means protecting information against copying, use or disclosure to parties that are not defined as authorized parties. As of 2022, the privacy protection regulations apply to the Israeli economy as a whole, and their main purpose is to protect people whose information appears in a database or databases.

The regulations entered into force on May 8, 2018. Their goal, similar to that of the European Union, is to protect the personal information of all Israeli citizens by imposing certain obligations and various instructions on companies and organizations that collect personal information about Israeli citizens, store it in databases and process it. The privacy protection regulations apply to database owners and/or database holders.

The privacy protection regulations regarding the collection of sensitive information

The Israeli Privacy Protection (Information Security) Law defines what sensitive information is. The wording in the law is: “data about a person’s personality, his modesty, his state of health, his financial situation, his opinions and beliefs”.

The owner of a database must register the database with the Ministry of Justice if sensitive information is stored in the database in accordance with the Privacy Protection Law.

Implementation of privacy protection regulations

An organization that owns/holds a database is obligated to plan and implement process and technological controls to protect the sensitive information.

The privacy protection regulations set out in detail the tools and processes required to protect personal information in accordance with information security, including protecting the confidentiality, integrity and availability of information, and ensuring the ability to recover in the event of a disaster:

  • The owners of the database are required to report any breach to the registrar of the databases immediately.
  • For databases whose breach poses a high risk of breach of privacy and which are classified at a high security level, a risk survey as well as a penetration test must be performed once every 18 months.
  • Organizations that handle a large amount of sensitive information are required to appoint an information security officer with appropriate training.

Who are the privacy protection regulations for?

The privacy protection regulations, which are meant to protect every citizen whose personal information is found in one database or another, are addressed to all owners and managers of databases of any kind. The privacy protection regulations apply to government bodies, businesses, public companies and private companies, as well as to a database that is managed by a single person.

The process of complying with privacy protection regulations

After assessing and reaching a conclusion regarding the security level that applies to your organization, company or entity, all privacy protection regulations relevant to that level of security must be applied. Some of the steps in the process of complying with the regulations are:

  • Mapping the organization’s databases
  • Preparing a gap survey based on what exists in the organization versus what is required by the regulations
  • Building a work plan according to the gap survey
  • Monitoring and assistance in correcting the gaps
  • Preparation of documents for the registration of the database in the Registrar of Databases – Ministry of Justice
  • Appointment of an information security officer (for companies that meet the criteria) by senior management of the organization.
  • Senior management responsibility
  • Preparation of documents (details below)

#1 – Mapping the organization’s databases

Mapping the data relevant to the regulations in the company’s information systems and databases.

You are required to register a definition document that covers everything related to your database, such as:

  • A general description of the operations performed on the information in your database
  • The purpose of using the personal information in it
  • A one-line description of the personal information contained in it
  • Whether the information is transferred in full or in part to various entities or parties abroad
  • Whether a third party uses the data in your database and for what purpose
  • The risks to which the personal information is exposed and how the organization deals with these risks
  • The full details of the information security officer of the database, the manager and the owner of the database holder

This document must be updated once a year if any change is made in the organization or a security incident occurs.

#2 – Preparing a survey of gaps, risks and information security

We prepare a gap survey for the client by understanding the existing situation in the organization compared to what is required by the regulations, and build an orderly work plan.

#3 – Monitoring and assistance in correcting gaps

Administrative gaps – preparing a database handling procedure as required and writing a database definition document.

Technical gaps – instructing the customer on what must be done according to the regulations, such as collecting logs, encryption, installing anti-virus and the like.

#4 – Preparation of documents for the registration of the database in the Registrar of Databases – Ministry of Justice

Preparation of a set of documents that must be submitted to the Ministry of Justice in order to register the database.

#5 – Appointment of an information security officer

Another action that you are required to perform in accordance with the privacy protection regulations is to appoint an information security officer in your organization. This applies if your organization owns five databases, or is a public body, a bank, a company dealing with credit rating or credit assessment, or an insurance company.

#6 – Senior management responsibility

Management implements an information security policy and allocates the resources required to manage the company in accordance with regulatory requirements, while holding periodic management survey meetings. Also, the management will appoint an information security officer. It is the representative’s responsibility to ensure that management policy is followed in an orderly manner.

#7 – Details of documents for application to the privacy protection and information security regulations

  • Database handling procedure
  • Database definition document
  • Various documents for the registration of the databases in the Ministry of Justice
  • Database mapping book
