(Dec. 10, 2020) On November 25, 2020, Israel’s Privacy Protection Authority (PPA) issued clarifications regarding the protection of privacy during epidemiological investigations and the protection of personal data retrieved during COVID-19 contact tracing. The clarifications were contained in a document entitled Emphasizing Privacy Protection in Epidemiological Investigations Aimed at Cutting the Coronavirus Chain of Infection (the document).
In Israel the right to privacy is guaranteed under Basic Law: Human Dignity and Liberty and is regulated under the Privacy Protection Law 5741-1981, as amended (PPL). Among the principles enumerated by the PPL is the need to obtain the informed consent of the person whose information is requested (the data subject). Other principles restrict the use of the retrieved information to the purpose for which it was collected, and recognize the rights of data subjects to be notified of the intention to collect information about them, review the information collected, and demand that it be corrected under appropriate circumstances.
The PPA document clarifies that, similar to other rights, the right to privacy it is not absolute and may be limited to the extent necessary to protect public health. Any act that involves a violation of the right to privacy must be carried out “in accordance with the purpose of the provisions of the law and [must] meet the requirements of reasonableness and good faith, and as far as public bodies are concerned – also the requirement of proportionality.” (Document at 3.)
Scope of Application
According to the document, the epidemiological investigations are designed to help clarify the extent and distribution patterns of the coronavirus’s outbreak. They include tracing verified patients’ movements before diagnosis, as well identifying where the patients were infected and with whom they came in contact before and after the date of infection. Persons identified as having come into contact with verified patients are notified and are required to quarantine. Epidemiological investigations mainly involve questioning patients in person or by phone, but may also include retrieving data via digital tracing, both through voluntary apps and involuntary surveillance by the Israel Security Service.
The rules described in the document apply to epidemiological investigations conducted by the Ministry of Health (MOH) or other governmental authorities under the authority of the Public Law Ordinance 1940, as amended. The rules similarly apply to epidemiological investigations conducted on workers at the behest of employers that are private companies “to maintain the continued operation of their organization.” (Document at 1–2.)
Investigators’ Identity and Training
The epidemiological investigations can be performed only by a doctor or nurse authorized under the Ordinance. Such qualified medical personnel may be assisted, however, by persons who have completed MOH training and who have signed appropriate confidentiality documents. In circumstances where an epidemiological investigation is conducted outside the scope of the Public Health Ordinance, the bodies involved, such as commercial companies and local authorities, must provide training, including on protection of privacy, and provide a platform for monitoring the investigators’ conduct and the protection of the privacy of the data subjects and the data retrieved. (Document at 4–5.)
Data Collection and Use, and Data Subjects’ Rights
Investigators must inform data subjects of their right to refuse to provide information to unqualified medical personnel. Investigators are prohibited from asking for and collecting information that is not relevant to COVID-19 contact tracing and stopping the chain of transmission.
Additionally, the information requested and retrieved as part of an internal investigation in a workplace must be restricted to the data subjects’ contacts with other employees in the same organization, not with people outside the organization.
Employers may use footage from security cameras for the sake of contact tracing sparingly “for the purpose of maintaining the functional continuity of the organization.” Workers must be informed in advance that the cameras will be used for this purpose.
Information retrieved during epidemiological investigations must be forwarded to authorized MOH officials alone, in accordance with guidelines prescribed by the MOH. For example, no identifying information about a verified patient may be included without the patient’s consent when notifying persons that they had come in close contact with the patient.
Only the MOH is authorized to preserve COVID-19 tracing information, which is subject to the Privacy Protection (Data Security) Regulations, 5777-2017. In the absence of special circumstances, the PPA recommends that the information be removed from the MOH databank when it is no longer needed. (Document at 5–12.)