The Protection of Privacy Authority’s recommendations regarding disclosure of medical data in employee hiring process

Media Centre

The Protection of Privacy Authority’s recommendations regarding disclosure of medical data in employee hiring process

30 November 2022

Dear clients and colleagues,

We wish to update you that on November 20, 2022, the Protection of Privacy Authority (the “PPA“) published a draft statement for public comments, including highlights and recommendations concerning the protection of privacy of candidates with respect to the disclosure of their medical data as part of the hiring process. According to the draft statement, due to the power relations between candidates and employers, candidates’ consent to provide their medical data may not be given freely. Therefore, employers who request medical data in order to assess the candidates’ suitability for a position are required to be aware of the rules and recommendations relevant to their activities, in order to minimize the breach of privacy as much as possible. The draft statement sets out the following main recommendations:

  • Candidates’ consent to disclosure of medical data – it is recommended that employers request for the candidate’s medical data, if possible, only after the candidate is hired. In addition, when obtaining the candidate’s consent, employers should present to the candidate a detailed explanation regarding the purpose and relevance to the position of the data.
  • Relevance – employers should avoid the broad collection of medical data that is not fully compliant with the purpose of the collection, and accordingly, avoid having candidates sign broad and general confidentiality waiver forms, health questionnaires, or blanket health declarations. In cases where extensive data is relevant, it must be clarified to the candidates before granting their consent to the transfer of the data.
  • The purposes of using the data – employers should use the medical data only for the purposes of assessing the candidates’ suitability for the specific position. Any other use of the data may constitute a breach of the Protection of Privacy Law, 1981 (the “PPL“). To the extent that an employer wishes to retain and use the data for other legal and legitimate purposes, the employer should obtain the candidates’ specific consent for the additional use of the data.
  • Reduction of additional data – employers should review the relevance of retaining the medical data. In the event the data is no longer required, there is no justification to its retention.
  • Access and correction rights – according to the PPL, candidates and employees have a right to access medical data collected and retained about them within the framework of the hiring process, and the right to request correction of medical data which is incorrect, incomplete, unclear or not up-to-date.
  • Possible actions to reduce breach of privacy – examples include transfer of medical data from the health care provider to an occupational physician and not to the employer, and the employer receive only the occupational physician’s opinion regarding the candidate’s suitability for the position. Alternatively, an employer could ask candidates who are found to be suitable, to provide a summary of their medical data, an examination form, and a declaration about their medical condition.

To read the draft statement in full (in Hebrew) >> click here 

Public comments to the draft statement may be submitted to the PPA until December 20, 2022. 

Herzog, Fox & Neeman

Ohad Elkeslassy | Partner
Tel: 03-6927424


Nurit Dagan | Partner
Tel: 03-6927424



Search by +