On January 24, 2022, the Privacy Protection Authority (“the PPA”) in the Ministry of Justice of the State of Israel (the regulator responsible for enforcing privacy protection laws in Israel) published a position paper intended to present the PPA’s position on the need to appoint a Privacy Protection Officer (“PPO”) in companies and organizations whose activities include processing personal information. In this short article, we present a brief summary of the PPA’s position.
What do you need to know about the appointment of a Privacy Protection Officer?
The main role of the Privacy Protection Officer in a company is to ensure compliance with the provisions of the Privacy Protection Act, 1981 (“Privacy Law”), and to ensure the protection of personal data in the company to which he is appointed. Unlike the Data Security Officer, who is responsible for implementing organizational and technological measures to prevent unauthorized use of personal data in the company, the Privacy Protection Officer designs and formulates the company's processes and procedures that apply to the processing and use of personal data.
It is important to note that the Privacy Law in Israel does not oblige companies and organizations to appoint a Privacy Protection Officer. However, the PPA, whose role is to enforce privacy protection laws in Israel, has clearly stated its position that the appointment of a Privacy Protection Officer is a best practice and is recommended for organizations, companies, database owners or database holders that collect and process personal data.
Privacy Protection Officer qualifications and skills
The appointment of a PPO should be based on skills and expertise in the field of data protection and law.
The Privacy Protection Authority recommends that the person in charge of privacy protection should have academic or equivalent training in accounting, information technology, process management or regulations; in-depth knowledge of data protection in Israel; a proper understanding of information technology and data security; knowledge of personal data protection rules in Europe and the USA; familiarity with the business aspects of managing an organization; and knowledge of professional ethics.
The Privacy Protection Authority recommends that the PPO be an employee of the company, especially where the core of the organization’s business involves processing of personal data. Where the core of the business does not involve processing of personal data, the PPO can be an external consultant.
Tasks of the Privacy Protection Officer
- The PPO serves as the manager of all databases in the company.
- Examines procedures and company policy in the field of privacy.
- Supervises and conducts privacy risk assessments, prepares recommendations for the company, and monitors the implementation of the recommendations.
- Handles complaints of data subjects against the company regarding the processing of personal data and reviews requests for correction of data.
- Prepares an annual work plan for the implementation of and compliance with the provisions of the Privacy Law and its regulations.
- Reports on the findings and actions performed in relation to violations of the provisions of the Privacy Law, and oversees the correction of deficiencies discovered in the supervisory findings.
- Prepares an annual report on the Commissioner’s activities regarding privacy.
- Provides instructions to the Commissioner of Information Security on matters related to compliance with the provisions of the law.
- Reports to the Privacy Protection Authority on a material incident of invasion of privacy.
- Trains employees in matters of privacy protection.
The Status of the Privacy Protection Officer in the company
The Privacy Protection Authority recommends that the Privacy Protection Officer be part of the senior management of the company and that the company must use reasonable measures to maintain the PPO’s professional independence. For example, the company should ensure that the PPO is involved in all subjects and processes related to the processing of personal data in the company, and must also provide the PPO with all the powers and resources required to fulfill his tasks. In addition, the company must make sure that the PPO role does not create a conflict of interest with other roles the PPO holds in the company.
The position paper published by the Privacy Protection Authority sees great importance in the appointment of a Privacy Protection Officer in a company. The PPO serves not only as a function responsible for the implementation of personal data protection rules in the company but also as a knowledge hub in the organization for all matters related to the collection, use and processing of data in the company. We recommend that every company or organization follow the Privacy Protection Authority's recommendation and consider the appointment of a Privacy Protection Officer.
The above information is not intended to constitute legal advice and cannot be relied upon. One should seek specific professional advice for the application of the law in any specific situation.
Alon Saposhnik, Law Office © all rights reserved
 It is worth noting that according to a proposal to amend the Privacy Protection Act, 1981 (Privacy Protection Law (Amendment No. 14)), which was published by the Israeli government, the definition of “processing” includes actions such as use, disclosure, transfer, and delivery of data as well as storage, organization, review, correction, and erasure of data.
 See the Privacy Protection Authority recommendation dated 24.1.2022 https://www.gov.il/he/Departments/publications/reports/dpo_doc_kit