Client Update – Data Minimization
11 April 2021
We would like to draw your attention to the fact that on March 25, 2021, the Israeli Privacy Protection Authority (the “PPA”) published a draft policy document regarding data minimization, for public comments (the “Draft Policy”). The Draft Policy reviews the provisions of the Protection of Privacy Law, 1981 (the “Law”) and suggests interpretations and recommendations for minimizing excess data contained in databases.
According to the Draft Policy, “Excess Data” is personal data which is neither relevant nor necessary to achieve the original purpose for which it was collected, or the purposes of the database in which it is stored. Data can be Excess Data from the initial collection stage, or can become Excess Data during its long-term storage in the database (e.g. after fulfilling the purpose for which it is stored). The collection of Excess Data is a common practice among many organizations. According to the position of the PPA, Excess Data may increase the risk to privacy in cases in which the data may leak and/or be exposed to the public. Therefore, minimizing Excess Data is important in order to minimize and reduce the harm to privacy.
The PPA emphasizes in the Draft Policy that there are three main risks involved in the collection of Excess Data:
- Infringement of privacy due to the collection and use of Excess Data that is not required for the implementation of the purpose for which consent has been obtained – the collection and use of data other than for the purpose for which consent was granted by an individual is prohibited and constitutes an infringement of privacy, and an infringement of the material privacy principles of consent and the obligation to use the data for the purposes for which it was collected (i.e. the Close Proximity principle). The PPA notes that the infringement of privacy is even more severe in circumstances where the data collection was not based on the data subject’s consent, but on provisions of the law, or when consent was granted where there is asymmetry in the balance of power. In these cases, special care must be used to ensure that the collected data is stored solely for achieving the purpose for which the data was collected or the purposes of the database.
- Violation of privacy as a result of storing Excess Data – the very preservation of Excess Data poses a risk to privacy, since the said data may be used for other purposes, including, inter alia, through processing, cross-referencing it with additional data, and passing the data to others.
- Leakage and exposure of Excess Data – since databases are not immune to data leakage and disclosure of data, storing Excess Data creates an unnecessary security risk which may even be regarded as a violation of the data security obligations as set forth under the Law and the regulations enacted thereunder. The PPA further notes in this regard that since data subjects are often unaware that Excess Data has been stored about them, their ability to mitigate their damages from such collection and storage is impaired.
Accordingly, in order to minimize Excess Data, the PPA recommends the following:
- Organizations which collect data on the basis of consent or under a legal authority must ensure that the collected data is relevant and necessary in order to achieve the purpose of collecting the data. Special attention must be given by public bodies, which are subject to administrative law principles and proportionality requirements.
- Public bodies which receive data by virtue of the Privacy Protection Regulations (Condition for holding and storing data and arrangements for the transfer of data between public bodies), 1986, are obliged to delete Excess Data immediately upon receiving the data.
- The principle of minimizing Excess Data within the framework of the organization’s activities must be implemented and any additional use of the said data, which is not necessary for the purpose for which it was collected and for the purpose of the database in which it is stored, must be avoided. Only the minimum data required for these purposes should be stored, where considerations such as the scope of the stored data, the type of data, the sensitivity of the data, etc., should be taken into account.
- The owner of the database is obliged to inspect, once a year (and in cases involving sensitive data or when there is a difficulty justifying the continued storage of the data, even at shorter intervals), whether the database he/she owns retains Excess Data which is not required for the purpose of the database.
- Data minimization actions must be taken as soon as possible, in accordance with the deadlines set under the Law, in specific cases in which there is a statutory obligation to minimize Excess Data, such as the obligation to correct or delete data in accordance with the provisions of the Law.
- It is recommended to conduct a privacy impact assessment, at an early stage of designing data systems, as this is the most effective and efficient way of reducing the risk of privacy infringement, which will lead to minimizing collection and storage of Excess Data.
- It is recommended to appoint a Data Protection Officer, who is the appropriate and effective function in the organization for examining the steps taken in the organization to reduce the risk of privacy infringement.
The Draft Policy is available in full in Hebrew.
Please do not hesitate to contact us if you have any questions or require any clarification regarding the above.
Herzog Fox and Neeman