Are there Rules for Owning, Holding or Managing a Database?

Section 17 of the Protection of Privacy Law, 5741-1981 (the “Protection of Privacy Law”) imposes a general obligation on the database owner, holder, and manager to secure the database. The Protection of Privacy Regulations (Data Security) 5777-2017, enacted by virtue of the Protection of Privacy Law, add context to this general obligation by providing a set of security controls that the database owner, holder, and manager must implement and review.

The set of security controls includes provisions regarding the appointment of an information security officer (See: “Do You Need to Appoint an Information Security Officer?”), physical security, logical security, mobile devices, access control, required internal documents and procedures (See: “What is the Information Security Procedure?”), engagement with outsourcing service providers (See: “Are there Rules for Engaging Outsourcing Services?”), the management of security incidents and the data breach notification obligation (See: “Do you have to Manage Security Incidents and Report Data Breaches?”), and other information security controls.

Additional requirements in relation to personal data management and protection include providing a privacy notice (See: “What Must a Privacy Notice Include?”), enabling the exercise of data subjects’ rights (See: “What Data Subjects Rights are Protected Under Israeli Privacy Laws?”), registering databases (See: “Are there Registration Requirements?”), and managing direct mailing (See: “Are there Rules for Direct Marketing?”).