The Israeli Privacy Protection Authority (Israel’s privacy regulator) has published a draft policy paper on data minimization under Israeli law for public comment. The draft paper highlights that data handlers must ensure that the personal data they collect is relevant and necessary for the purposes of the database in which the data is maintained.
Data handlers are expected to integrate the data minimization principle into their operations. Retaining excess data for purposes beyond those for which it was collected, and those ancillary to them, increases the risk of privacy and data security violations. The draft paper also suggests that a database owner’s failure to update or correct personal data at the request of a data subject could mean that the database owner retains excessive (outdated) data.
Since 2018, the Israeli information security regulations have mandated that a database owner conduct an annual review to determine whether it maintains excessive personal data that is not necessary for the purposes that the database is intended to serve. The Privacy Protection Authority now recommends that this review be conducted several times throughout the year, to prevent extended retention of unnecessary personal data.
If a database owner concludes that any of the information it retains is indeed excessive, but neglects to discard that data, the database owner may violate the information security regulations and may be exposed to liability under a civil lawsuit.
The paper is open to public comments until April 29, 2021.
CLICK HERE to read the Israeli Privacy Protection Authority’s Policy Document on Data Minimization (in Hebrew).