Responsibility and Mechanisms for Applying the Principles
All University entities, including its units, employees, students, suppliers, visitors, and guests, are subject to the instructions of this regulation. All University regulations and instructions will be implemented and interpreted according to this regulation.
Information security
- The University, data processors and controllers of databases at the University are obligated to protect information security in accordance with the level of security required by law for said database, and in accordance with Tel Aviv University’s regulations on information security and the contracts to which they are subject.
- Any party at the University which controls a database must report it to the CISO by using these forms: For research databases - the form in Appendix A1 to this regulation must be completed. For administrative databases - the form in Appendix A2 to this regulation must be completed.
- The University, by means of the CISO, will set regulations and instructions regarding information security at the appropriate level, as per the degree of sensitivity of the data saved in them, the size of the databases, and according to accepted technological standards, all subject to the requirements of the law.
Research
The University is committed to the existence and prosperity of research under principles of academic freedom, along with its commitment to data protection. Administrative units that assist researchers in their research should facilitate research while adhering to the rules of privacy protection. Nevertheless, situations may occur whereby exercise of judgment is required to find the suitable balance between research requirements and privacy requirements. In such cases, one should refer the matter to the DPO who has the authority to decide.
Commitment to research ethics: Any research of human subjects, including research that uses questionnaires and interviews, requires the permission of the University Ethics Committee, according to the binding rules of ethics with respect to experiments with human subjects. The subject of privacy is part of the requirements in submitting a request for permission for research to the Ethics Committee, and abiding by the terms of privacy protection is a condition for receiving this permission. As part of the research submission system, the requesters must address questions concerning the potential for violating the privacy of the research subjects, and verify the required manner of handling information as specified in section 5.1, with the Data Protection Officer.
Commitment to privacy in funded research: Academic research activity financed or supported by an entity external to the University, from Israel or abroad, is likely to include additional obligations regarding privacy protection and information security. In the event that this activity includes collecting or processing personal data, one must contact the Research Authority to ensure compliance with binding rules prior to beginning any activity related to the information.
Commitment to privacy protection in transferring data among research entities: The transfer of data among researchers and research entities outside of the University requires an arrangement as specified in section 5.5.1.
Privacy in digital University devices
The University will monitor University data stored in digital devices under its ownership, including devices in which personal data is stored, subject only to this regulation and the following principles:
- Legitimacy - limitation of tracking and use of data produced as a result of it, for purposes vital to the activity of the University;
- Proportionality - the means used should be those which will harm privacy the least.
The monitoring is subject to adopting a binding instruction that will regulate, inter alia, the manner of monitoring while avoiding exposure of personal data stored in the devices.
Camera use
Generally, camera use on campus will be in accordance with the provisions of any law, and in compliance with the principles of privacy protection.
- Camera use for security purposes will be subject to that stated in the Security Cameras Regulation.
- Camera use for research purposes will be with the authorization of the Ethics Committee.
- Camera use for teaching purposes will be subject to this regulation.
- Camera use for work purposes will be subject to this regulation.
Transfer of personal data
Transfer of personal data among entities, when needed, shall comply with privacy protection. Instructions for transfer of personal data in a number of common situations are specified below:
- Transfer of personal data for research purposes - research material transfer agreements (MTA) including data transfer agreements (DTA), which include personal data, for which the Vice President for Research and Development is responsible, will be in accordance with the rules specified in: https://research-vp.tau.ac.il/import-export.
- Transfer of personal data for outsourcing - transfer of personal data to a third party and its processing requires preliminary examination of information security risks in connecting and setting explicit contractual instructions on subjects such as purposes for use of information, type of processing, duration of the contract, manner of returning the information upon concluding the agreement, etc. Every researcher or unit interested in contracting with a third party must perform the actions stated above and document the preliminary examination stated above, and confirm with the Supply Unit, and to the extent necessary with the Office of the Legal Advisor, that the agreement with the same third party will include the appropriate contractual instructions.
- Transfer of personal data between public bodies - any University entity seeking to transfer personal data to a public body or to receive personal data from such a body will apply to the Privacy Protection Committee with a formal request, with all details completed, on the request form for receiving personal data from a public body according to the Privacy Protection Act (form A) attached to this regulation. Only after the committee has approved the request will the form be circulated for the signatures of the appropriate officials.