Israel’s New Privacy Law: What Every Educational Institution’s Leadership Must Know
- Chaya Aliza Gelb
- Nov 18, 2025
- 3 min read
Updated: Nov 26, 2025
The new privacy law sets strict expectations -and the responsibility starts at the top
This November, Israel’s updated privacy law (Amendment 13) came into effect. For educational institutions’ leadership, this is not a minor update. It significantly raises the standards for how personal information must be collected, secured, and managed.
Educational institutions depend on a wide range of digital platforms, cloud services, and communication tools. All of these systems process personal information. Amendment 13 makes one point very clear: educational institutions are fully responsible for the protection, accuracy, and lawful use of that information.
Here is what leadership needs to understand.
Why This Law Matters
Schools manage highly sensitive information every day, including academic records, behavioral documentation, medical and well-being details, photos and videos, special education files, and family information. Families place deep trust in their institution. Amendment 13 ensures that this trust is backed by strict, enforceable legal standards.
What’s New in Amendment 13 and What You Must Know
1. Leadership holds direct legal responsibility
The responsibility for privacy compliance sits with the institution’s leadership. A vendor mistake or technical issue does not remove this responsibility.
2. You are required to appoint a Data Protection Officer (DPO)
If your institution handles large or sensitive datasets, you are required to appoint a DPO. This applies to most educational institutions today. A DPO must be independent, not part of IT, not involved in managing information systems, and free of conflicts of interest. Failing to appoint a required DPO is considered a direct violation of the law.
3. Documentation is mandatory
Institutions must be able to show what information is collected, where it is stored, who has access, how long it is kept, how it is protected, which external services receive it, and how risks are monitored. If the Privacy Protection Authority requests documentation, it must be provided immediately.
4. Families must receive clear, accurate information
Privacy notices and consent forms must clearly explain how personal information is collected and used. Many institutions will need to update their documents to meet the new requirements.
5. Sensitive information requires heightened protection
Health data, special education files, disciplinary records, photos, videos, and emotional or counseling notes require restricted access and stronger security measures.
6. Enforcement powers have expanded
The Privacy Protection Authority can issue fines, demand immediate corrections, require institutions to pause non-compliant systems, conduct inspections, and request documentation on short notice.
7. Legal claims can be filed without proving damage
Families or staff can submit claims for privacy violations even if no harm is shown. This substantially increases potential exposure.
What Educational Institutions’ Leadership Should Do Now
Map all personal information Identify what you collect, where it is stored, and who has access.
Appoint a DPO Institutions handling sensitive or extensive data must do so.
Review every digital system and platform Ensure learning platforms, communication apps, cloud services, and attendance systems meet privacy and security requirements.
Conduct a risk assessment Identify vulnerabilities before they cause incidents.
Update forms, notices, and internal procedures Make sure enrollment forms, consent documents, and privacy notices reflect the legal requirements.
Train your staff Most privacy incidents result from simple misunderstanding. Short training sessions significantly reduce risk.
What Happens If Institutions Don’t Comply
Fines and enforcement actions
Non-compliance, including failing to appoint a required DPO, can result in fines of ₪50,000–₪150,000 or more.
Legal claims
Claims may be filed without proving damage. Individual claims typically range from ₪10,000–₪30,000, while class-action events (such as exposure of 100 students) can reach hundreds of thousands of shekels.
Operational disruption
The Authority may require institutions to temporarily halt the use of non-compliant systems, affecting learning, communication, and administration.
Reputational harm
A privacy incident can significantly damage trust within the school community.
High incident-response costs
Investigations, legal fees, and cybersecurity support often cost ₪20,000–₪70,000, and may exceed ₪100,000 in complex cases.
Moving Forward
Amendment 13 introduces serious, enforceable requirements for every educational institution. With the right preparation, full compliance is achievable and strengthens your institution’s protection, transparency, and trust.
