Israel

Privacy Protection Law of 1981

Section 17 of the Law specifies that the owner, possessor and manager of a database are "each individually responsible for the protection of the information in the data base". Section 17A mandates that the possessor of data bases of different owners must ensure that only persons "explicitly authorized therefore in a written agreement between him and the owner of the data base be allowed to access each data base".

Section 17B of the Law mandates that certain owners must "appoint suitable trained persons to be in charge of information security (hereinafter: security officer)". Those required to appoint a security officer include a person who holds five data bases that require registration; a public body; and banks, insurance companies and companies engaged in ranking or evaluating credit ratings. Section 17B(b) specifies that the security officer "shall be responsible for the security of information in data bases".

All holders of data banks containing more than 10,000 names or various confidential information must register with the Registrar of Databases and report their purpose, use, means of data collection, and data security measures implemented.

The Protection of Privacy Law prohibits the possession or use of a database unless it is properly registered. Additionally, no person may use a database for any purpose other than that purpose for which it was set up. Not all databases must be registered. According to the Protection of Privacy Law, the owner of a database must register if one of the following applies

1. The database includes information about more than 10,000 persons;
2. The database includes sensitive information;
3. The database includes information about persons and the information was not provided to the data base by them or on their behalf or with their consent;
4. The database belongs to a public body; or
5. The database is used for direct mail.

An Israeli worker’s right to privacy in his or her email is not absolute. A Ruling by the Israeli Labor Tribunal held that such a right exists only where the employee had an “expectation of privacy.” The Tribunal said that courts should look at a number of factors to answer this question:

1. Does the employee know that emails will be monitored?
2. What is the employer’s policy?
3. Did the employee agree to the policy in writing or verbally?
4. Are the email boxes protected by the employee’s personal password?
5. Are the computer and inboxes intended only for the employee or are they shared?

See the Tribunal’s ruling for additional factors that should be considered.

Privacy Protection (Transfer of Databases Abroad) Regulation of 17 June 2001

Data cannot be transferred to a third country that does not provide adequate protection for privacy of data.

The Protection of Privacy Law provides for civil and criminal penalties for infringements of privacy.

A violation of privacy is a civil wrong pursuant to § 4 of the Privacy Protection Act.

Section 31A of the Protection of Privacy Act sets a list of offenses that can lead to a punishment of one year in prison. Section 31A provides that if a person does any of the following, he may be liable for imprisonment:

1. If he operates, keeps or uses a data base in violation of the Law;
2. He delivers false particulars in an application for the registration of a data base;
3. He does not deliver particulars or delivers false particulars in a notice attached to a request for information;
4. He does not comply with the requirements concerning the right to inspect information kept in a data base, or he does not correct a data base according to the law;
5. He improperly grants access to the data base;
6. He fails to appoint a security officer for the protection of the information;
7. He operates or keeps a data base used for direct mail services in violation of the Law;
8. He delivers information in violation of the Law.