Israel: PPA publishes report on nursing company sector compliance

On 25 July 2022, the Privacy Protection Authority ('PPA') published a report¹ of the findings of a broad inspection of the nursing company sector. Dan Or-Hof, Founder of Or-Hof Law, provides an overview of the report.

The nursing company sector has unique characteristics in terms of privacy, which include sensitive medical-nursing information of hundreds of thousands of patients, as well as thousands of records containing personal data about caregivers employed through those nursing companies.

There are also significant power gaps between the owners of the databases and the patients, because some of the data subjects have low physical or cognitive function, which may be accompanied by a low awareness of privacy, of the risks arising from the use of information about them, or of the rights granted to them.

The findings of the cross-sectional inspection show that the nursing companies manage and hold a variety of types of information, with over half of it being patient information, which is usually managed by two main off-the-shelf software products.

The rest of the information included information about employees, salary conditions, organisational resource planning systems ('ERP') and business intelligence ('BI'), and even information that includes recordings and photographs.

The findings of the cross-oversight procedure in the sector of nursing companies brought up alarming findings that point to deficiencies mainly regarding compliance with the provisions of the Protection of Privacy Law, 5741-1981 (unofficial translation) ('PPL') in the field of processing personal information through outsourcing, and partial compliance with the provisions of the Protection of Privacy (Information Security) Regulations, 5777 - 2017 ('the Regulations').

In addition, it was found that some of the entities in this sector are not careful enough to inform the patient public of their rights under the PPL. Given the disparity of power in this sector, they must be even more careful about the method of obtaining consent when collecting information, in accordance with Section 11 of the PPL.

Background on the sector

In terms of the types of entities operating in this sector, the PPA identified a division of four types of organisations:

  • large staffing companies;
  • large nursing companies;
  • medium nursing companies; and
  • small nursing organisations.

The process of work

In the supervision procedure, the PPA asked 40 entities that manage nursing companies to fill out an audit questionnaire. The bodies were selected with regard to the scope of the information they hold and the number of their customers, as well as the sensitivity of the information processed as part of the services provided to those customers.

In order to examine the level of sectoral compliance with the provisions of the PPL and the Regulations, the PPA requested the completion of audit questionnaires examining four main criteria in the field of privacy protection:

  • Organisational control - this criterion examines the existence of an annual plan in the field of information security and privacy protection and the appointments of responsible parties in the field.
  • Management of databases - this criterion examines the method of obtaining consent for the use of personal information, the level of suitability of the use of the information for the purpose for which it was collected, granting the right to consult the information, compliance with the provisions of the law regarding direct mail, and the collection of biometric information.
  • Outsourced processing of personal information - including examining the contracts of the owners of the databases with third parties who hold the information and process it, and the manner in which they guarantee the protection of the information.
  • Information security - examination of the entities' compliance with the provisions of the privacy protection regulations (information security), with reference to the management of the personal information owned and held by them.

The levels of compliance with respect to the provisions of the PPL and the Regulations pursuant thereto were determined in accordance with the weighting of the scores received by the nursing companies, based on the PPA's examination of their answers to the audit questionnaires and the information collected as part of the procedure:

  • compliance of between 80% to 100% of the criteria is defined as a high level of compliance;
  • compliance between 50% to 80% is defined as a medium/partial compliance level; and
  • compliance below 50% is defined as a low compliance level.

The findings - major deficiencies based on criteria and a comparative analysis

In an aggregate calculation of all the entities, it was found that most of the nursing companies have a medium to high level of compliance with the requirements of the PPL and the Regulations.

However, it was found that less than half (48%) of the supervised entities fully complied with the requirements of the PPL and the Regulations.

A particularly low level of compliance was identified in the outsourcing of database processing to an external party. In this regard, only 21% of the supervised entities fully complied with the requirements of the law regarding information processing.

In addition, a low level of compliance was also found in the field of organisational control, where 57% of the supervised entities met the requirements of the PPL only partially or did not meet them at all.

In the field of information security, it was found that only 54% of the companies fully complied with the requirements of the PPL.

Summary

It is evident that the very existence of the horizontal inspection procedure triggered a process of self-examination in the inspected entities and a motivation to improve their compliance with the PPL and the Regulations. At the end of the procedure, the entities in whose conduct deficiencies were discovered were required to present to the PPA a commitment from an officer and an orderly plan for correcting the deficiencies.

The PPA will continue to work to enforce its policy among owners and holders of personal information databases through the horizontal inspection procedure, including through repeated audits of entities that have been instructed to correct deficiencies, in order to increase their compliance with the provisions of the Law and the Regulations, and in order to strengthen the protection of the public's right to privacy.

As part of the PPA work plan and in order to examine the impact created by the activity of the cross inspection on the inspected sectors, the PPA will consider examining the relative change in the level of compliance with the provisions of the PPL in the nursing sector, by examining additional and other entities in this sector, at a date to be determined after the publication of the sectoral report.

Dan Or-Hof Founder
Or-Hof Law, Tel Aviv


1. See: https://www.gov.il/he/departments/news/nursing_supervision_report (only available in Hebrew)