• Published 04:27 05.03.10
  • Latest update 04:27 05.03.10

What Big Brother can't do with your personal data

By Rina Rozenberg

During the process of issuing the Rav-Kav card you were asked to give your first name, phone number and ID card, and even to have your picture taken. The information was filed in a database that can identify when you boarded the bus, know where you were, which bus you took afterwards and in which direction. And it also knows whether you do so every day - and can make inferences from that about your habits. Communications firms, banks and in effect almost every company have a database of their clients, which can classify the client according to categories such as age, place of residence and areas of interest, and accordingly be used for direct-mail marketing, offering services on behalf of the company.

The Israel Law, Information and Technology Authority is the body responsible for checking public complaints regarding violations of the law regarding privacy protection for databases. A survey conducted by the Shiluv Millward Brown institute in September 2009 indicates that 70 percent of the public believe that personal data is not properly protected in Israel, and 58 percent think that Israeli legislation is not capable of dealing with the increasing transfer of personal data among various bodies. In spite of the fears indicated by the survey, only about half of those polled claimed that when they give personal data to any company they always ask why this information is necessary.

In order to prevent improper use of your personal data, we checked which legal violations are common, and have brought examples of fines imposed by the authority. Although in the cases we mention the authority conducted the proceedings, a rank-and-file citizen is also allowed to sue a company, and if it is proved that his privacy was in fact violated, a court can order the offending company to pay him compensation of up to NIS 50,000, without proof of damage. Legal proceedings of this kind are less common because of the legal complexity and the fear of losing money as a result of losing the case.

An example of law violations: The Kidum group (which offers preparatory courses for nationwide educational exams) used direct mailing to contact high school students in Ramat Gan, illegally using a database owned by the municipality. The purpose of the mailing was "to register and place children who are residents of Ramat Gan studying in educational institutions."

The municipality violated the children's privacy, since they did not give their permission to transfer the information to another body, and therefore the municipality was fined NIS 5,000. A fine of NIS 1,000 was imposed on Kidum after the company sent a letter to the students without mentioning that it had used direct mailing, without including the registration number of the database, without sending a notice about the right of the recipient to be erased from the database - including the address to be used for that purpose, and without mentioning the identity and address of the database's owner and the sources from which they received it.

The law states: Section 2 (9) of the privacy protection law rules that it is forbidden to use information about a person or to transfer it to someone else for purposes other than that for which it was given. The law is divided into two sections: The first determines that if the client agreed to allow the company to save information about him for a specific purpose, it is not permitted to transfer it to a third party without his consent.

Example of law violations: The AIG Israel insurance company entered a customer's personal information into a database that is used for marketing offers from the company, without asking for the client's consent. The client contacted AIG in order to activate his travel insurance. During the conversation he gave the company representative personal information that included his phone number, ID card, credit card and state of health. Later AIG turned to the client in an attempt to sell him mortgage insurance. The company was fined NIS 2,000.

Dialcom, which deals with communications services and telemarketing, reused the national and local list of Israeli citizens that it received while providing services to political parties and candidates for local authorities, for other clients of the company. The Registrar of Databases ordered Dialcom to destroy the database it owned and imposed a fine of NIS 4,000 for its violations.

What the law says: The second part of the law governing privacy protection rules that if the client gave his personal data to a company, it is not permitted to use the information except for the purpose for which it was received.

Example of law violations: Recently Bank Hapoalim incurred two administrative fines from the authority, each for NIS 2,000. This was after a client of the bank asked several times to see data that had accumulated in the bank in the course of providing service - but did not receive a reply as legally required.

What the law says: Every citizen has a right to see listings in the database that apply to him. A person who perused the information and found it to be incorrect is allowed to apply to the owner of the database with a request to correct or erase it. If the owner of the database refuses, he must explain why.

"The company is not always obligated to erase the listing. If there was a business connection with the person, the company has a right and an obligation to save the information about him for seven years," explains Limor Schmerling-Magzanik, deputy director of the department of registration and supervision in the authority. "You can ask to have information erased when it is incorrect, when it is in a database not designated for business purposes, such as an academic or medical database, and anyway, each case has to be examined individually." If the owner of the database refused in the first place to allow the client to see the listing, the person requesting the information is allowed to file a court complaint.

Example of law violations: The Marketing Point trading company, which is involved in marketing products by means of telephone representatives, used the "Agron" file - the illegal Population Registry database disseminated on the Internet.

This database contains information about citizens that was leaked from the Population Registry. According to the authority, the company used to phone people on or close to their birthdays and offer them a "birthday benefit" in the purchase of "lotto deal," a product it markets. The authority imposed administrative fines totaling NIS 167,000 on the company.

What the law says: A database that is used for direct mailing must be properly registered with the Registrar of Databases. In addition, a database must be registered if it includes over 10,000 people, or when the information is sensitive. The direct mailing request can be in print or by phone, fax or any computerized means. When the database is registered with the Registrar of Databases there must be mention of the owner's identity, the purposes of the database, the types of data appearing on it, etc. Using sources of information that are not databases for the purpose of direct mailing is a violation of the privacy protection law.
