Does HR data processing require registration under data protection laws?
Data protection laws sometimes include conformity assessments, which help to ensure businesses follow regulations. Requirements can include registration before the Data Protection Authority and random audits. Israel’s Protection of Privacy Law, 1981 (PPL) requires the registration of databases in certain instances.
Under the PPL, a database is defined as “a collection of data, maintained by magnetic or optical mean and intended for computer processing.” Databases must be registered if it:
- contains data for more than 10,000 individuals;
- contains “sensitive data;”
- contains data about individuals and the data was not provided to the database by those individuals, on their behalf, or with their consent;
- belongs to a public body; or,
- is used for direct mailing.
Database registration should be submitted to the Registrar of Databases and include:
- the Israeli addresses and identity of the database owners, the individual who holds the database or a portion of the database on a permanent basis, and the database manager;
- the purpose(s) for which the database was established and the purpose(s) for which the data is intended;
- the types of data that will be included;
- details on the transfer of any data outside of Israel; and,
- details on receiving data on a permanent basis from a public body, the name of the public body and the nature of the data delivered, except for details delivered with the consent of the individuals to whom the data relates.
HR Best Practices: If a database meets any of the above requirements, register the database with the Registrar. Regardless of whether registration is required, build in privacy considerations and risk assessments for employee and candidate data collection processes.