Media Centre

Recommendations of the Privacy Protection Authority regarding the conduct of epidemiological investigations

3 December 2020

Dear Clients and Colleagues,

We wish to update you that on 30 November 2020 the Israeli Privacy Protection Authority (the “Privacy Authority“) issued a publication setting out recommendations for the protection of privacy of individuals participating in epidemiological investigations which are being conducted for the purposes of containing the spread of the Coronavirus (the “Publication“). The Publication describes that the very nature and purpose of these investigations, whereby personal and sensitive information is obtained, which may be leaked or incorporated with other information, risks compromising the privacy of the individuals involved, and the people in contact with them. Accordingly, any organization conducting epidemiological investigations (whether the Ministry of Health or other body supporting the Ministry of Health both acting by virtue of legislative authority or other organizations conducing independent investigations, without legislative authority, such as employers in private or public companies, who are conducting the investigation by virtue of their responsibility to ensure the operational continuity of the organization), must be aware of the rules and recommendations for the protection of personal information obtained, in order to mitigate, to the extent possible, the disclosure of such personal information.

The Publication sets out the following principle recommendations for those organizations conducting epidemiological investigations without legislative authority:

  • Training and supervision:

    Those conducting the epidemiological investigations should receive training, including with respect to privacy protection obligations, and it is recommended that supervision is put in place to monitor the epidemiological investigations, and in particular, the security of the information obtained and the steps taken to protect individual privacy.

  • Obligation to supply information:

    The individual participating in the investigation cannot be coerced to provide personal information, and any personal information provided, must be provided voluntarily. Upon commencement of the investigation, the individual must be informed that the investigation is not being conducted under the authority of the Ministry of Health and that participation is not mandatory. Further, the organization must outline to the individual relevant details concerning the investigation (for example, the purpose of the investigation, to whom their personal information will be provided and the purpose of providing such information), so the individual can make an informed decision whether it wishes to participate in the investigation. In circumstances where the investigation is being conducted at the workplace by the employer, particular attention must be placed to ensure that consent to participate is given freely, without fear of retribution should the individual decline to participate. It is recommended that consent is recorded in writing.

  • Obtaining and using personal information:

    It is prohibited for the organization to request information that is not necessary for the purposes of identifying interactions with people infected by the Coronavirus and containing its spread. The organization cannot ask any questions that are not related or connected to this purpose. Further, the organization cannot use personal information that has been obtained, for any purpose other than to trace the movements of a person infected by the Coronavirus, or to identify the time or place when contact was made with a person infected by the Coronavirus. Questioning must be limited to interactions with other employees, and no questions may be asked regarding interactions with persons outside the organization.

  • Sharing of information on the ‘Hamagen’ application or other technologies:

    The individual cannot be obligated to share information on the ‘Hamagen’ application or from other applications on their personal devices which monitor movement, without the individual’s consent. Similarly, it is recommended that any examination of workplace surveillance footage is conducted in a reasonable and measured manner, and only in circumstances where such footage is required for the purposes of maintaining operational continuity of the organization. In the event of such use, the employees should be notified beforehand that the surveillance footage will be used for this purpose as well.

    In addition, the organization should not examine any technologies or tools provided to employees by the employer, which may disclose personal information of the employee (such as electronic diaries, or email account or location tools on electronic devices provided to employees), unless it is done in the course of conducting the investigation and by the relevant individual himself/herself.

  • Publishing and transfer of information obtained from an investigation:

    Personal information obtained in the course of conducting an investigation must be kept confidential and can only be disclosed for the purposes of identifying interactions with a person infected with Coronavirus and containing its spread, and in accordance with the Israeli Ministry of Health guidelines. The investigation should be conducted in a manner that is respectful to the privacy of the individuals, and care should be taken to ensure that personal information of an individual participating in the investigation is not shared with participants in other investigations or with other persons conducting investigations for the organization. Similarly, the organization should refrain from publically disclosing information that was obtained during an investigation, particularly any information by which an individual may be identified (accordingly, in notifying a person that he was in contact with a person infected by Coronavirus, the notice should avoid providing details of the infected person, unless consent has been provided). With respect to the transfer of information for the purpose of identifying contact with people infected with Coronavirus, the transfer should be made only to authorized officials, in accordance with the Ministry of Health guidelines.

    If personal information is to be transferred electronically, care should be taken to ensure that the transfer is made on a secure and encrypted network, which is appropriate for the transfer of personal information. Free and private email addresses (such as Gmail) or message providers (such as WhatsApp) should not be used to transfer personal information obtained in the course of the investigation.

  • Data storage and security:

    The rules of the of the Privacy Protection (Data Security) Regulations 5777-2017 should be upheld with respect to personal information obtained in the course of the investigations. The Publication provides that a database which stores personal information obtained from the investigations is classified as a mid-level security database, and we are in communication with the Privacy Authority regarding this position.

  • Deletion of the information:

    Information obtained in the course of the investigations that is not relevant for the purpose of identifying whether contact was made with a person infected by Coronavirus, should be deleted at the earliest opportunity. In addition, it is recommended that all information obtained in the course of the investigations is deleted once it is no longer in use, unless it is required for an appropriate purpose to continue to retain such information. If there is a need to retain the information, it is recommended to assess whether the information can be anonymized (in part or whole) and set minimum periods to reassess whether continued retention of the information is needed (every seven days is recommended). All physical material in which the information was documented, such as written reports, marked maps and printouts, should be destroyed upon the completion of the investigation.

  • Inspection and amendment rights:

    In accordance with the Privacy Protection Law 5741-1981, the participating individuals have a right to review information relating to them that was obtained in the course of the investigation, and stored on a database, as well as the right to request the amendment of such information, if, in their opinion, the information is incorrect, incomplete, unclear or is out-of-date. This right also applies to persons who were not investigated, but whose information is stored on the database as a result of the investigation.

To read the Publication in full (Hebrew) >> click here


If you have any questions regarding the Publication or would like information, please feel free to contact us.

Kind Regards,
The Commercial Department
Herzog Fox & Neeman


Nurit Dagan | Partner
The Commercial department



Ohad Elkeslassy | Partner

The Commercial department

Search by +