Israeli Privacy Regulator Says Businesses Should Minimize their Processing of National IDs

The Israeli Privacy Protection Authority (PPA) has published a draft position paper that calls on businesses in Israel to refrain from requesting that consumers provide them with a full copy of their national ID card to receive services.

The PPA’s position paper explains that the PPA has been seeing a growing trend of businesses asking for the consumers’ ID number or a full photocopy of a consumers’ national ID card, as prerequisites for receiving services from the businesses. As per the PPA, although an ID number does not fall squarely within the definition of “data” under the Israeli Privacy Protection Law, its characteristics as a “key” that can lead to additional information about the data subject warrant that it be treated as “data” governed by the Privacy Protection Law.

The position paper emphasizes that businesses should abide by the data minimization principle, and refrain from requesting a full photocopy of a consumer’s national ID card, other than in exceptional circumstances that objectively require the full scope of information depicted on the card. Consumers should be able to redact from the photocopy information that is not necessary for the service requested. Businesses must annually assess whether they have excessive data, and if so, they must delete it.

Businesses should also comply with the purpose limitation principle codified in the Privacy Protection Law, and must not use the information from the ID card for purposes other than the provision of the service requested.

The draft position paper is open for public comments until July 14, 2023.

Click here to read the Privacy Protection Authority’s draft position on the collection of ID numbers and photocopies of ID cards (in Hebrew).