Under the Protection of Privacy Regulations (Data Security) 5777-2017, database owners and holders are required to ensure that the information retained within the database does not exceed that which is required for the initial purpose of collection. The regulations establish a requirement on database owners and holders to perform an annual review and assess whether data stored in the database exceeds what is required for the purposes of collection. Excessive data should be deleted, and the annual retention assessment should be recorded and documented.
Furthermore, according to a draft policy document on data minimization published by the Privacy Protection Authority in July 2021, the principle of data minimization in Israel is derived from sections 2(9) and 8(b) of the Protection of Privacy Law, 5741-1981. These sections establish use limitations requiring data to only be used in accordance with the original purpose of collection. The draft provides details of the risks associated with the accumulation of excessive data and recommends on adopting data minimization procedures.
