You too want to be a criminal? Manage a business database!

August 2, 2017

How would you react if a law required a government license and supervision for possessing a computer or a cell phone? Legislation often fails to keep up with technological advancement and remains far behind. Thus, in Israel, an archaic law enacted to ensure that businesses would not sell their databases now defines many veteran businesses as criminals.

Today, any respectable business has an internal database of customers and potential customers. Sometimes this database includes data purchased by the business in order to increase its distribution. The database may include only names and contact information, in which case it is not deemed a database subject to the law. However, the database of a business whose accounting system is computerized will always also include (as required under law) private confidential information, such as details of the customer's bank account (as a receipt will include details of the check that was given as payment) or the customer's private preferences. An archaic Israeli law, long overdue for an update, renders the failure to follow a redundant bureaucratic procedure a criminal offence carrying a risk of imprisonment and fines.

A database may put a person's privacy at risk. Therefore, among other obligations, it is obligatory to register any database which includes more than 10,000 records, as well as any database (regardless of the number of records therein) comprising sensitive information on the personality of a person (such as a person's opinions – and yes, we also do not know what this definition means). In practice, any business with computerized bookkeeping will fall within this unnecessary requirement of the law, and certainly any service provider receiving a client database for the provision of the service (such as an external auditor, lawyer or business advisor).

Despite the law, many businesses understandably choose to avoid the complicated and unnecessary bureaucratic process, which involves prolonged dealings with the state authorities responsible for the registration and requires the submission of various requests based on documents intended to prove compliance with information security requirements. Among other things, the application to register the database requires disclosing the identity of the owner of the database, its objectives and the type of information included in the database – confidential and private information that not every business will be eager to voluntarily disclose.

It is high time that the legislator corrected this legislative distortion. Until then, even though the State does not currently enforce the law in cases of non-registration offenses, it is recommended to ensure, using a lawyer knowledgeable in the field, that the records in the database do not render it a database under the definition of the law or do not include any "sensitive information," as defined under law. More importantly, the purchaser of a database must demand from the seller a written statement that the database has been duly managed and that the seller has a certificate of the source of the obtained data.