Privacy Protection Obligations: Boards of Directors’ Role
The Israeli Privacy Protection Authority recently published a draft directive regarding boards of directors’ role in fulfilling obligations pursuant to the Privacy Protection (Data Security) Regulations. The directive states that a board of directors must, inter alia, implement procedures for supervising and controlling compliance with the regulations and play an active role in setting the policy governing how the company uses and manages personal information.
Pursuant to the provisions of the Privacy Protection Law, the Privacy Protection (Data Security) Regulations apply to database owners, database administrators, and database holders. The regulations prescribe provisions with regard to actions and measures that database owners, managers, and holders must take in their databases to ensure the security of the information stored in them and to create oversight and control mechanisms.
The Directive’s Applicability
The Privacy Protection Authority’s latest directive focuses on corporations whose principal activity is data processing, or corporations whose business activities may create heightened privacy risks (such as collecting information about a person’s private life, medical or psychological information, genetic information, information about political opinions, biometric information, information about a person’s financial situation, etc.). To ascertain whether the provisions apply to a particular corporation, one must examine, inter alia, the corporation’s characteristics (private or public company), the type and sensitivity of the information collected and processed, the scope of the information collected, and the number of parties authorized to access this information. For example, corporations that collect a significant volume of economic or medical information about data subjects during the course of their business operations will fall under this definition.
Boards of Directors’ Role in Implementing the Regulations
The Privacy Protection Authority recognizes that the regulations themselves do not define which specific corporate organ is responsible for implementing the regulatory requirements. It does believe, however, that an obligation is imposed on the board of directors to supervise the implementation of the requirements and take part in decision-making. The Privacy Protection Authority reached this conclusion through logical interpretations of the Privacy Protection Regulations and section 92 of the Companies Law, which prescribes that “the board of directors shall delineate the company’s policy and supervise the performance of the CEO’s functions and actions.”
Accordingly, the directive states that the board of directors is responsible for fulfilling five principal obligations, as prescribed in the regulations.
The Obligations
- To approve a database definitions document, which must include, inter alia, a description of the information’s collection and use, the purposes for using the information, the various types of information contained in the database, etc.
- To approve the key principles of the organization’s data security procedure, which must include provisions regarding the database’s physical and environmental security, the database’s access authorizations, a description of the database security measures, procedures for contending with data security incidents, etc.
- To hold quarterly or annual discussions (depending upon the database’s level of security) of data security incidents in the organization, including in order to ascertain if the organization’s data security procedure must be revised.
- To hold discussions of the results of risk surveys and penetration tests and to approve the actions needed to rectify any detected deficiencies (for databases that must maintain a high level of data security).
- To hold discussions of the results of periodic audits of compliance with the regulations (once every two years for databases with medium and high levels of security).
The directive recognizes there may be instances when the board of directors may delegate the responsibility for compliance with the requirements to another organ in the company, but clarifies that such delegation of authorities must take into account the level of privacy risks entailed in the company’s activities, its size, and the composition of its board of directors. Even under these circumstances, the board of directors must still actually supervise compliance with the regulatory requirements.
The directive further clarifies that the board of directors’ obligations are supplementary and in no way diminish the responsibilities imposed on the company’s CEO, management, or any other corporate organ responsible for implementing the company’s regulations.
The Directive’s Implications for Companies
To mitigate the risk of directors being held personally liable for failing to fulfill their obligations pursuant to the regulations, whether as a result of enforcement proceedings instituted by the Privacy Protection Authority or as a result of personal or derivative lawsuits, the company and its board of directors must fully comprehend the obligations imposed on them pursuant to the privacy protection laws and take measures to fulfill their obligations as directors.
Companies should take several measures to ensure they are fulfilling the data security obligations imposed on companies holding databases:
- Map all databases in their possession and classify them according to the provisions of the Privacy Protection (Data Security) Regulations.
- Map the company’s specific data security risks.
- Draft and implement data security procedures.
- Draft and implement procedures for contending with data security incidents.
- Adapt the internal control systems to the regulatory provisions.
Data security and privacy protection have become major issues in companies’ operations. This draft directive emphasizes that the law requires companies to act responsibly in safeguarding information contained in their databases. It also highlights the fact that they are to create privacy protection training and control mechanisms. Companies holding databases that meticulously comply with the regulations can substantially mitigate the risks a company and its officers face.
***
Barnea Jaffa Lande’s Privacy and Data Protection Department is at your service if you have any questions about data security and privacy protection, drafting compliance programs, and more.
Dr. Avishay Klein is a partner and heads the department.
Adv. Masha Yudashkin is an associate in the department.