In Israel, as in other jurisdictions, the privacy and data protection regime continues to apply during the Coronavirus pandemic crisis. It is generally flexible enough to allow private and state actors to undertake various anti-pandemic measures.
At the governmental level in Israel, the Israeli prime minister has taken the extraordinary measure of enlisting Israel’s national security agency (known as the General Security Service, or colloquially, the Shabak) in the fight against the proliferation of the Coronavirus. The government directed the national security agency to use its mobile network location data monitoring capabilities to track the whereabouts of individuals diagnosed with COVID-19 and the persons they met with and possibly infected. This measure continues after the Israeli Supreme Court weighed in and decided to generally affirm the measure so long as it is done under parliamentary oversight.
Under the National Security Agency Law, the government may direct the agency to take on missions that promote the vital interests of national security in Israel. Such missions are also subject to parliamentary approval and oversight by the Secret Services Sub-Committee of the Knesset. The Sub-Committee indeed approved the government’s directive to the national security agency, subject to certain modifications, at least until April 30th.
The national security agency cross-checks the whereabouts of individuals who tested positive for Coronavirus with individuals who were near them in the 14 days before the diagnosis. The resulting list of individuals is disclosed to the Israeli Ministry of Health. At the same time, these individuals are automatically sent a text message ordering them to remain in quarantine for 14 days from the date of their contact with the diagnosed individual.
The agency has been authorized to process 14-day lookback location data, full names, national identification number, phone number and possibly the person’s date of birth. The use of the data for any purposes other than those explicitly authorized under the emergency regulation is strictly prohibited.
The national security agency is prohibited from taking any enforcement action, including enforcement of quarantine orders. The agency may not disclose or transfer the data that it processes to any government agencies other than the Ministry of Health, although there are reasonable grounds indicating that some information is disclosed onwards to municipalities where the infected individuals reside. The Ministry of Health is tasked with monitoring those who must be quarantined with the assistance of the Israeli national police. The government also authorized the Police to process the location data of individuals who have tested positive for coronavirus to enforce quarantine orders.
By virtue of emergency regulations promulgated by the government, the Police receives a daily sample from the list of individuals who are subject to a quarantine order either because they have tested positive for Coronavirus or because they recently returned from a trip abroad. The Police will cross-check the sample with mobile network-based geo-location data. Inconsistencies in individuals’ whereabouts that suggest violations of the quarantine order will be investigated by the Police.
As it concerns the workplace, employers may collect information from their employees and business visitors about their medical condition and recent visits to foreign countries, if they provide an appropriate privacy notice and ask for their consent to provide the information. In addition, recent emergency regulations promulgated by the Israeli government mandate that every employer have its employees who arrive at work sign a statement confirming that they have taken their own temperature and found it to be not higher than 38 degrees Celsius, that they have not been coughing and that they do not have difficulty breathing.
Although an employer’s collection and use of employees’ personal information require elevated standards of transparency by the employer, the Israeli employment privacy law’s applicable principles of legitimate-purpose and proportionality are able to accommodate such data processing measures.
Personal information regarding employees may be collected and processed only for essential purposes. This includes processing necessary to safeguard the vital interests of the employer and prevent grave harm to these interests. The collection and processing of certain information relating to pandemic risks are likely legitimate.
Handling personal information regarding employees must be at the minimal scope, extent, and degree necessary for the legitimate purpose. Data minimization is key, such as collecting the least amount of information, keeping it for the shortest duration possible, disclosing it to a minimal number of people and using it for the minimal purposes necessary to achieve the legitimate purpose of managing Coronavirus pandemic risks to individuals at the workplace.
The Protection of Privacy Authority in Israel has issued guidance explaining that in appropriate circumstances, employers may also share information about a person, such as an employee or visitor, whom they know, or reasonably suspect, has been infected or is ill with Coronavirus. Even if the individual declines to give consent to disclose his or her status to co-workers, sharing their information may still be justified and defensible from a privacy law standpoint in certain circumstances, for example, if it is the only reasonable and practical way to alert those who have been in contact with the diagnosed individual at work, to protect their health and well-being.
The Authority’s guidance also addresses the issue of safeguarding data in digital environments for remote working and distance learning. The Authority’s guidelines that focus on teleworking emphasize prudent managerial and technological measures for data security in remote work. These include measures to safeguard the terminal device and router that the teleworking employee uses, data security measures applied to the employer’s servers and IT systems, and increased awareness of phishing and social engineering attempts.