
Data Protection Client Update 

April 20 2017

New Regulations for Securing Databases

New Protection of Privacy Regulations governing the security of information held in databases will shortly enter into force. They will apply to both private and public entities.

Unlike the general information security requirements under the Protection of Privacy Law, 5741-1981 and the Regulations promulgated under it, which seek to protect the interests of the organization, the new Regulations set out principles for securing information that are based on internationally accepted information security standards, adapted to the technological changes and developments affecting computerized databases. They include a number of mechanisms that every organization processing personal information must put in place as an integral part of managing its business, in order to protect the rights of the data subjects whose information is held in the organization's database against misuse.

The Regulations provide for several layers of protection.

At the first layer, the owner of the database must define what information is protected, the purposes for which it is used and processed, the entities to which it will be transferred, and the risks associated with it. As part of this, the hardware, software, infrastructure and communications components of the information systems used for the database are to be mapped in order to identify weaknesses and to adopt appropriate security measures. For certain databases it will also be necessary to have a risk assessment carried out by a professional every 18 months, as well as penetration tests simulating a computer attack on the systems and internal audits once every two years, in order to check compliance with the security procedures and the Regulations.

At the second layer, the organization must adopt an information security procedure setting out a clear and uniform organizational policy for the protection of information, binding on all of the organization's employees. It will include, among other things, guidelines for granting access rights to employees, physical security requirements and the handling of security incidents. The procedure is to be updated regularly to reflect changes in the information systems on which the information is held, in the way the information is processed, and in the technological risks to it. It can also be presented to third parties, helping the organization to demonstrate, in the event of an intrusion into the database, that it complied with the procedure and the Regulations.

The third layer consists of substantive requirements for managing the information. These include: defining the role of the information security officer, who reports to a senior officer of the organization; rules on the processing of personal information by an outside party (outsourcing), a matter partly already addressed in Directive No. 2/2011 of the Registrar of Databases; an obligation to conduct periodic reviews; an obligation to report any severe security incident to the Registrar of Databases and, if the Registrar so orders, to notify the data subjects likely to be harmed by it; physical and environmental security measures; documentation of every security incident and of the lessons learned from it; and procedures for backing up and restoring data and for handling data held on portable devices such as laptops and flash drives.

As under the Protection of Privacy Law, the new Regulations place responsibility for compliance on the owner of the database (the public or private entity that received the data from the data subjects and processes it), on the database manager (the CEO or another officer authorized by the CEO) and on the holder of the database (a person who has a database in its possession on a regular basis and is entitled to use it on behalf of its owner). The Regulations adopt a principle of proportionality: the larger the database (in the volume of data it contains or the number of persons with authorized access) and the more sensitive the data it holds, the more demanding the information security obligations imposed on its owner, holder and manager.

The Registrar of Databases may exempt certain databases from the information security obligations or impose stricter obligations, according to the nature of the database and the organization concerned. For example, an individual who is the sole owner of a database is exempt from many of the obligations under the Regulations.

The new Regulations will not all enter into force at once; different parts will enter into force on different dates, to give organizations time to prepare for their implementation.

Reference: Draft Regulations for the Protection of Privacy (Data Security), 5776-2016 (presented to the Constitution, Law and Justice Committee for its approval)
Disclaimer: This Newsletter is intended only to provide general updates to clients and for no other purpose. Nothing in this Newsletter constitutes any opinion or advice on the subject matter dealt with therein. For any advice or opinion, clients are advised to approach the relevant lawyer at Naschitz, Brandes Amir & Co.

Contact Us:

Adv. Efrat Artzi
tel: 972-3-6236050
mail: eartzi@nblaw.com
Dalit Ben-Israel
English version by Adv. Helen Raziel