Our friends at Herzog, Fox & Neeman in Tel Aviv have contributed a detailed explanation of the new --- and controversial --- privacy code published by the Israeli Information, Law and Technology Authority.
Written by Maya Racine-Netser and Dan Sharot
The Israeli Law, Information and Technology Authority (ILITA), the authority in charge of enforcing privacy laws in Israel, has recently published guidelines on the use of outsourcing services for the purpose of managing and processing private information.
Any company that holds information or manages private information of Israeli citizens and outsources any aspect that requires the transfer of private information should be aware of these guidelines and should review its agreements to see whether it complies with them. Likewise, any company providing outsourcing services which include handling private information of Israeli citizens should be aware of these guidelines, as they will also need to comply with them. The Israeli Protection of Privacy Law defines the term private information, and any company which handles information of Israeli citizens should seek legal advice if it has any doubt whether the law applies in their case.
The guidelines are bound to come up in future negotiations when companies will need to justify stringent provisions on matters such as audit rights or requirements to adhere to certain security measures. As a side note, if the outsourcing is off-shored the parties also need to comply with the relevant regulation from 2001 that deals with the transfer of data out of Israel (the Protection of Privacy (Transfer of Data Abroad) Regulations). The guidelines deal with all the aspects of the outsourcing project, from the decision as to which services to outsource, choosing the contractor, drafting the agreement, and dealing with the ongoing relationship during the provisions of the services, in particular the auditing and supervision of the service provider, and the conduct of the parties following the termination of the relationship. The following is a brief overview of these guidelines.
As a general rule, an organization outsourcing activities relating to the processing and managing of private information, should opt for a limited contract in which the contractor only has limited access to the information that is necessary for the specific service provided. The contractor should not be provided access to all the data which that organization holds unless there is a good reason for this practice. Outsourcing any service that requires transferring an entire database or outsourcing a service that requires handling private information, from the stage in which the information is gathered to the processing of information, should be justified, and the reason for such decision should be documented.
When electing to outsource to a contractor the contractor's prior experience in processing private information, background, and reputation should be considered, as well as whether there is any risk of a conflict of interest.
The outsourcing contract should define explicitly the permitted purposes for which the data may be used and the people who will have access to the data. Although they do not have to be named specifically a description of their position should be included. The contract should include provisions requiring the contractor to have in place a professional indemnity insurance policy and it needs to include sufficient remedies and auditing tools that will enable swift action if the contractor is in violation of the law or of the contract. One of the more vague requirements in the guidelines states that in certain circumstances there should be a structural separation between the contractor and other entities that deal with the data. It is not entirely clear how the structural separation should work or in which cases this would be relevant.
Before embarking on the negotiation process, or indeed the RFP/RFQ process, the company should examine and clearly define the type of data that will be transferred to the contractor, the risk involved in such transfer, and the security measures that should be taken to deal with these risks. Accordingly the company should have a binding security schedule, which will form an integral part of the agreement with the contractor. If the data transferred is very sensitive it is suggested that the contractor will comply with ISO 27001 or a similar standard. The contractor should be strictly prohibited from transferring the data to any third party or to use the information it received for any purpose that is not inherent to the services provided. If the contractor provides services to a number of companies it should separate the activities provided to each company. It is also recommended that a data protection officer will be appointed both at the contractor’s end and for the company.
The company is expected to continuously monitor and audit the contractor. This includes implementing standard technology measures that allow supervision of the contractor and its employees. The guidelines do not give examples of such technology measures as these will probably change as the technology progresses. The company should conduct site inspections, and if the data is sensitive it should be authorized to conduct site inspections with no prior notice. It should also be able to remotely access the IT systems of the contractor for auditing and supervision purposes. Another option is to appoint a third party independent firm for such purposes.
The contractor may save the data only for such time as it is necessary to perform its services. When the agreement with the contractor is terminated the company should verify that all information provided to the contractor will be deleted from any digital or optical media. If the contractor requires access to the information after termination for defending claims connected to the services it provided, a copy of the data may be kept with an escrow that will permit access to the data for limited purposes. The company should require from the contractor an affidavit confirming the deleting and destruction of all information it received within the framework of the outsourcing agreement.
Further guidelines are expected to be published, most importantly guidelines on cloud computing. Companies should review their outsourcing policy as it relates to sensitive data, and in particular should make an effort in determining the access granted to any service provider handling sensitive data falling under the relevant privacy laws in Israel. Any non-Israeli companies should examine whether they are holding, managing or processing private information of Israeli citizens, either on their own behalf or as part of services provided to companies holding such information. If these cases apply to those companies, they should further review their compliance with the relevant legislation, including the Protection of Privacy (Transfer of Data Abroad) Regulations if any data is transferred or is processed or managed outside of Israel. If such company outsources services in which the service provider will deal with private information of Israeli citizens, then they will also need to take into account the new guidelines on outsourcing. If a non-Israeli company is providing such outsourcing services it will need to be aware of the guidelines to understand the expectations and the requirements of the Israeli authorities.
A link to the ILITA guidelines (can be found on the ILITA website.