- I. Privacy Protection (Data Security) Regulations
- II. Protection of Children’s Privacy
- III. Protection of Prisoners’ Biometric Voice Recognition
This report addresses legal developments in Israel in the area of online privacy protection from June 2012 to the present. These developments include the adoption of comprehensive Privacy Protection (Data Security) Regulations. In addition, primary legislation now provides for special procedures to protect data collected and stored information regarding children in foster care and in preschool programs. In the absence of primary legislation on the issue, an Attorney General Directive was also issued on a temporary basis to regulate procedures for the retrieval and storage of prisoners’ biometric voice recognition data obtained with prisoners’ consent for facilitation of telephone communications.
I. Privacy Protection (Data Security) Regulations
On April 5, 2017, Israel’s Minister of Justice issued the Privacy Protection (Data Security) (PPDS) Regulations, 5777-2017. The PPDS went into force on May 8, 2017. The PPDS introduce detailed requirements for data protection by databank controllers and processors in both the public and private sectors. The following are some of the PPDS’s key provisions on the operation of databanks.
A. Databank Definitions Document
The PPDS Regulations require all databank owners to define and annually update their Databank Definitions Document (DDD) to include information on types of data included in the databank; methods of data collection; the purpose of data use; data transfer or use outside of Israel; data processing activities; main security risks and ways to address them; and names of the databank owner or possessor and of the person in charge of information security, if one has been appointed.
B. Groups of Databanks
The PPDS Regulations divide databanks into four groups according to the level of information security they require: (1) databases not requiring a specific level of security, (2) databases requiring basic-level security, (3) databases requiring mid-level security, and (4) databases requiring high-level security.
1. Databases Not Requiring a Specific Level of Security
These databases are managed by an individual or by a corporation owned by an individual, and are accessible to that individual and to no more than two additional persons. Excluded from this category are databases whose primary objective is the collection of data for delivery to other entities as a business, including by targeted mail. According to a Ministry of Justice publication, “targeted mail” is mail that is directed at a person based on his/her belonging to a segment of the population, an affinity determined on the basis of one or more characteristics of persons whose names are included in a database.
Databases that contain information on 10,000 persons or more, or information that is subject to professional confidentiality under the law or professional ethics, are similarly not included among those that do not require a specific level of security.
2. Databases Requiring Basic-level Security
These are databases that are not managed by an individual, that are accessible by no more than ten persons, and that contain information that is exclusively used for administration of a business, excluding databases that contain information on a person’s private life, political or religious affiliation, or biometric or confidential genetic characteristics.
3. Databases Requiring Mid-level Security
Mid-level security is required for databases that are owned by a public body or that are principally intended “to collect data for delivery to another entity as a business, including by targeted mail,” and that generally include sensitive information, such as medical, genetic, or biometric information, information on a person’s private affairs, and information on a person’s political or religious beliefs.
4. Databases Requiring High-level Security
In general, high-level security is required for databases that would otherwise require mid-level security but include information on more than 100,000 people or are accessible by more than one hundred persons.
C. Protection Procedures
Databank owners are required to establish specific procedures for data protection. Data protection procedures will be disclosed to and must be followed by access permit holders only to the extent needed for the performance of their jobs. An access permit holder is defined as an individual who has obtained an access permit from the owner or possessor of a database to the databank’s stored information, systems, or information or to a component needed for operation of or access to the databank.
The databank owner must create a data protection procedures document that includes, among other information, instructions on the physical protection of the databank, information on access permit holders, and an identification of the possible security risks and responses that take into consideration the severity of a breach and the level of sensitivity of the data. Supplemental information must be added by owners of databanks that are subject to mid- and high-level protections, to include references to means of identification and certification of those given access to the data, control of data use, instructions for the conduct of periodic audits, and backup procedures.
D. Systems Specification and Risk Analysis
A databank owner must retain and keep updated a document that includes the databank structure and a list of its systems, including its infrastructure, telecommunications and security protection, operating system software, a diagram of the network on which the databank operates, and the connections among its different components. Special rules apply to databanks depending on their level of security. The document will be shared with access holders only to the extent needed. At least once every eighteen months owners of high-level security databanks must conduct a survey of the databank’s data security, analyze the security risks, and correct the errors identified. Such owners are also responsible for testing the susceptibility of the databank systems to internal and external security risks.
E. Physical, Environmental, and Personnel Security
Databank owners must ensure that the systems enumerated above are protected. Owners of mid- to high-level security databases must also control and document any entry to and exit from the databanks. The Regulations also require caution in the selection and placement of employees to operate databanks, with additional requirements applicable to mid- and high-level security databanks.
Databank owners may not connect databank systems to the internet or to any other public system without installing proper protection against unauthorized penetration of the system or against software capable of causing damage to hardware or other software. Moreover, the transfer of information from a databank on a public system or the internet must utilize common encryption methods. The identity of the user and his/her grant of permission to use the databank will be verified. Access to databanks at mid- and high-levels of security must be provided through a means that is subject to the exclusive control of the access permit holder.
II. Protection of Children’s Privacy
On March 6, 2016, the Knesset (Israel’s Parliament) passed the Foster Care for Children Law, 5776-2016. The Law declares that its objective is to recognize by legislation the rights of children in foster care and the obligations of the state to ensure protection of their welfare and their rights. The Law contains a special provision requiring protection of confidentiality of information regarding children subject to restrictions to the extent necessary for protecting their well-being or the well-being of other children placed in foster care.
Similar protection for privacy of children is expressed in the Council for Preschoolers Law, 5777-2017, passed by the Knesset on July 26, 2017, with effect from February 7, 2018. The Law declares its objectives as providing preschoolers (children from birth to first grade) with the care necessary to support their physical and mental health and development, addressing their educational and social needs, and offering appropriate conditions for attaining equal opportunities in their adult lives.
The Law establishes the Council for Preschoolers (CP) as a unit within the Ministry of Education tasked with collecting information and conducting research and analysis for achieving the goals prescribed by the Law. The CP is authorized to request information on issues relating to preschoolers from any public office except for information on personal character, private matters, health, economic situation, professional training, beliefs, and opinions.
III. Protection of Prisoners’ Biometric Voice Recognition
AG Directive No. 3.1103 regulates the taking and storing of voice recognition samplings retrieved from telephone conversations of prisoners utilizing the prisons’ telephone system, which is managed by a private company. The Directive states that its provisions are temporary and are applicable until the adoption of primary legislation on the subject.
The Directive provides that the phone system was designed to enable prison authorities to exercise control “for maintaining proper behavior and preventing misuse of the phone system by the prison population.” The system is based on technology that enables the use of telephones by a prisoner who has elected to provide his/her unique biometric voice recognition for identification as an alternative to using an individualized identification card.
Voice recognition identification, according to the Directive, facilitates the use and acquisition of additional time segments for phone use by prisoners and eliminates the fear of theft or loss of a card. Voice recognition may also be useful for implementation of any restrictions on phone use that are imposed on the prisoner by a court or the prison authority. It also ensures that a prisoner could not unlawfully use the identification card of another prisoner, thereby minimizing conflicts among prisoners.
Addressing the requirements under the Privacy Protection Law, 5741-1981 (PPL), which prohibits violating the privacy of a person without his/her consent, the Directive explains that the legal basis for retrieving voice recognition is the prisoner’s knowing consent to the retrieval. The prisoner has the option of not agreeing to voice recognition identification and instead using an identification card. To ensure free will the prisoner must be informed of the objectives of the voice recognition sampling and of its preservation in the databank, the alternative identification card to which the prisoner is entitled, and the ability to change his/her mind at any time and have the data erased from the databank.
The consent for biometric voice recognition of prisoners who are minors (fourteen through seventeen years) must generally be given by both the minor and his/her parent or guardian. If a prisoner does not have legal capacity consent must be given by his/her guardian, and if the prisoner can understand, by the prisoner as well.
In the absence of specific regulation by primary legislation, the general rules regarding the management of databases under the PPL apply. Considering the special characteristics of the data and the reasons for its retrieval, however, the Directive provides special provisions for data protection, access, confidentiality, security, and erasure.
Similarly to other databanks regulated under the Criminal Procedure (Enforcement Authorities- Body Search and Retrieval of Identification Measures) Law, 5756-1996 (CPEA Law), the databank for preservation of biometric identification exclusively relates to “a population of offenders or suspects under arrest.” The taking and preserving of biometric voice recognition in the context of prisoners’ phone conversations, however, is not covered by the CPEA Law.
Considering that the basis for taking voice recognition sampling and preservation is the prisoner’s consent for the purpose of receiving telephone services, and not the CPEA Law, any use of data stored in the voice recognition databank, including transfers of information for use by public bodies exercising statutory authorities, is prohibited.
The Prison Authority must consistently monitor implementation of the rules established by the PPL as well as by the Directive. It must require telephone system operators to consistently report on management of their databanks and on any irregular incidents, such as unauthorized disclosure of data, entry of unauthorized person to a place where the databank is stored, or any use in excess of authorization. The Prison Authority must also conduct entry testing of the databank every eighteen months to verify its compliance with data security.
Senior Foreign Law Specialist
 Privacy Protection Regulations (Data Security), 5777-2017 (PPDS), Kovetz Hatakanot [KT] [Subsidiary Legislation] 5777 No. 7809 p. 1022, available on the Ministry of Justice website, http://www.justice.gov.il/ Units/Reshomot/publications/Pages/Regulations.aspx?WPID=WPQ7&PN=54 (in Hebrew; scroll down to No. 7809), archived at https://perma.cc/6UH6-KD6B. For a summary of the regulations see Ruth Levush, Israel: Online Privacy Protection Regulations Adopted, Global Legal Monitor (June 14, 2017),http://www.loc.gov/ law/foreign-news/article/israel-online-privacy-protection-regulations-adopted/, archived at https://perma.cc/QCU8-TJS3.
 PPDS § 22.
 Omer Tene, Israel Enacts Landmark Data Security, Notification Regulations, International Association of Privacy Professionals (IAPP), https://iapp.org/news/a/israel-enacts-landmark-data-security-notification-regulations/, archived at https://perma.cc/WX3H-4488.
 PPDS § 2.
 Questions and Answers on Registration of Databanks, Israeli Law and Technology Authority, http://www.justice.gov.il/Units/ilita/faq/Pages/faqregistration.aspx (in Hebrew; last visited Nov. 1, 2017) (scroll down to item 3), archived athttps://perma.cc/C96G-67UK.
 PPDS § 1.
 Id., App. 1, § 2.
 Id. § 1.
 Id., App. 2.
 Id. § 4(a)–(b).
 Id. § 1.
 Id. § 4(c).
 Id. § 4(d).
 Id. § 5(a)–(b).
 Id. § 5(c)–(d).
 Id. §§ 6–7.
 Id. § 14.
 Foster Care for Children Law, 5776-2016, Sefer HaHukim [SH] [Book of Laws (official gazette)] 5776 No. 2534 p. 586, as amended.
 Id. § 1.
 Id. § 14.
 Council for Preschoolers Law, 5777-2017, SH 5777 No. 2658 p. 1129, http://fs.knesset.gov.il/20/law/20_lsr_390 426.pdf (in Hebrew), archived at https://perma.cc/2RFD-MLYH; see also Ruth Levush, Israel: Establishment of the Council for Preschoolers, Global Legal Monitor (Oct. 19, 2017), https://www.loc.gov/law/foreign-news/article/israel-establishment-of-the-council-for-preschoolers/, archived athttps://perma.cc/Q3EB-Z3BG.
 Id. § 21(a).
 Id. § 1.
 Id. §§ 3–4 & 11.
 Id. § 11(b); Protection of Privacy Law § 7.
 Protection of Privacy (Sampling of Prisoners’ Voice Recognition and its Storage in a Databank), Attorney General Directive No. 3.1103 (Dec. 22, 2014, updated Jan. 19, 2015) (hereinafter PPSPR), http://www.justice.gov.il/ Units/YoezMespati/HanchayotNew/Seven/3.1103.pdf, archived at https://perma.cc/8NSZ-XQEX.
 Id. § 1.
 Id. § 1.
 Id. §§ 1–2.
 Id. § 3.
 Privacy Protection Law, 5741-1981, SH 5741 No. 1011 p. 128.
 PPSPR §4.
 Id. §§ 5–7.
 Criminal Procedure (Enforcement Authorities- Body Search and Retrieval of Identification Measures) Law, 5756-1996, SH 5756 No. 1573 p. 136.
 PPSPR § 8.
 Id. § 9.