Israel’s new Privacy Protection Regulations came into effect. These regulations constitute a significant reform and turning point in the field of personal information security in Israel and in protecting the privacy of Israeli citizens.
For the first time, these regulations prescribe intra-organizational mechanisms and tools designed to turn data-security matters involving databases (depending upon the characteristics of the database) into an integral part of an organization’s management routine in general, and information management in particular. The mechanisms more clearly define organizations’ obligations and responsibilities with regard to information security.
The primary goal of the new regulations is to protect the rights of individuals whose information is contained in a database against exploitation of the information about them, either by sources outside the organization or by employees within it. The new regulations also maintain Israel’s status as a country that has enacted privacy protection regulations consistent with the corresponding European legislation (inter alia, the new European General Data Protection Regulation, the GDPR, which also came into effect recently).
The data-security reform as reflected in the new regulations is divided into several levels: mapping and characterization of each database; determining the requisite level of security on the basis of that mapping and analysis (an individual database, or a basic, medium, or high level of security), according to several parameters (the organization’s identity and activity, the sensitivity of the data, the number of data subjects, and the number of people with authorized access to the database); and the adoption of a formal data-security compliance and enforcement policy matching the level of security prescribed in the regulations.
For example, upon the occurrence of a security incident involving a breach of the privacy of a database, an organization that implemented all of the measures and operations required of it will be in an entirely different position than an organization that failed to do so.
The obligation to report serious security breaches to the Privacy Protection Authority
One of the key innovations in the new regulations is the obligation to report serious security breaches to the Privacy Protection Authority.
In this regard, the Privacy Protection Authority has announced that it is gradually implementing an interim lenient and tolerant enforcement policy toward organizations that report incidents of security breaches to it. This will last up until January 1, 2019. After that date, the Authority will fully implement and enforce the regulations. According to the official policy, the Authority will deal harshly with organizations that fail to report security breaches occurring in their organizations as is required.
With regard to liability, a violation of some of the data-security obligations constitutes a criminal offense and is also liable to lead to the imposition of an administrative fine. Such a fine may be applied at both the organizational level and at the level of officers and members of the organization’s management.
Currently, enforcement is considered relatively sparse and lenient, and the administrative financial sanctions are also set at very low sums. However, nothing lasts forever. A revised government draft bill is currently being promoted that will grant extensive and effective supervisory and enforcement powers to the regulatory authority (in the spirit of the GDPR). These include the imposition of heavy financial sanctions reaching up to about NIS 3 million.
Furthermore, the draft bill seeks to impose direct responsibility on organizations’ officers to supervise and exert all efforts possible to prevent their employees from committing crimes involving their databases.
Source: barlaw.co.il