Ahead of the entry into force of the Israel Protection of Privacy Regulations (Information Security) in May 2018, the relevant issues are summarized below:
Who do the regulations apply to?
The regulations apply to the entire Israeli economy, and they seek to protect the persons whose information is held in a database.
The regulations set three levels of databases, which are subject to different levels of security depending on the security risks they generate: basic, medium and high.
You, as a public body, fall under the medium or high category.
Which databases are subject to a medium level of security?
A database whose main function is to collect information for the purpose of delivering it to another party as a way of marketing sales leads, including direct mail services;
A database whose owner is a public body (government ministries, local authorities, etc.);
A database containing information about a person’s private personal life: medical information, genetic information, information on political opinions, information on criminal history, data on communication activity, biometric information, information about a person’s assets, consumption habits, etc.
Which databases are subject to a high level of security?
These are databases of medium-level security (see above) which contain information about 100,000 or more people, or for which the number of those with authorization exceeds 100.
Once the security level that applies to the database has been determined, procedures and controls can be applied to protect the database.
The first step in the process is:
Maintain a “Buffer Settings” document, and update it at least once a year.
In the definition of the database, one must define, among other things, what is being done with the information and why, what types of information are included in the database, whether you transfer the information abroad, and whether information processing is performed by others.
In addition, the document must include the name of the Database Administrator, the Database Holder and the Data Security Officer. The configuration document must be updated once a year – if there is a significant change in any of the above, or if technological changes, organizational changes, or security events occur. In addition, once a year it is necessary to make sure the database is not larger than its purpose requires.
Preparing the document can provide a basis for classifying the organization's databases as required by the regulations and, as a result, for establishing a plan for the organization.