New privacy code for outsourcing services

The Israeli Law Information and Technology Authority (ILITA) has published new guidelines on privacy principles related to the processing of personal information by outsourcing entities.

The guidelines are not obligatory. However, they reflect ILITA's opinion and serve as legal basis for their inspections and enforcement activities. The failure of a database owner to comply with the guidelines may be regarded as a breach of the Privacy Protection Act, and ILITA may use its powers to impose monetary sanctions. Certain activities may also be regarded as offences under the act and may lead to criminal prosecution.

Overview of the guidelines

The guidelines propose a set of principles for the lawful processing of personal information by outsourcing services, in both the private and public sectors:
  • Before engaging with an outsourcing service provider, the database owner must make sure that the data transfer to the provider is legitimate and backed up with the necessary notices and consents from the data subjects.
  • The database owner must conduct a background check about the provider, and inquire about the provider's prior experience with handling personal information. The provider's employees must also undergo relevant privacy-related training before processing the information.
  • The guidelines further require that the outsourcing agreement define the scope of the outsourced service and the purpose of processing the information in a clear and accurate way, in order to reduce the risk of unlawful processing.
  • The database owner should require the outsourcing service provider to implement information security measures and confidentiality arrangements, and should monitor the provider's compliance with these requirements.
  • The right to view and amend personal information must be maintained, and the database owner should instruct the provider to permanently remove any data after completion of the processing work.
The guidelines introduce a checklist to make it easier for database owners to review their compliance with the principles laid down in the guidelines.

ILITA intends to release complementary guidelines on the use of cloud computing services.

Implications

The guidelines place a considerable burden on outsourcing transactions. Privacy-related background checks, review of the outsourcing service provider's information security arrangements, and monitoring of the provider's compliance may require bringing in costly professional service providers. Additional potential liability may require wider coverage by professional liability insurance policies for the company and its officers. Therefore, outsourcing agreements are likely to become more expensive and potentially less cost-effective.

The guidelines do not provide any "discounts" for small and medium businesses, and they ignore the fact that these types of businesses may not have enough resources or negotiation power to compel large international outsourcing providers to comply with the guidelines.

Furthermore, the guidelines do not define the term "outsourcing services." This is a serious flaw because the scope of the services covered by the guidelines is unclear. For example, would ILITA view simple storage services as outsourcing services?

Consequently, we are likely to witness more outsourcing transactions being cancelled, even where the outsourcing service provider is better able to lawfully process and secure personal information.

Companies that use outsourcing services should carefully read the guidelines and understand their impact on their activities. Without a doubt, adherence to these guidelines requires a new approach to outsourcing the processing of personal information.

A copy of the guideline (in Hebrew) is available on ILITA's website.

For further details contact Dan Or-Hof, CIPP, at Pearl Cohen Zedek Latzer.