top of page

Israel’s New Privacy Law: What Every Educational Institution’s Leadership Must Know

Updated: Nov 26, 2025

The new privacy law sets strict expectations -and the responsibility starts at the top

This November, Israel’s updated privacy law (Amendment 13) came into effect. For educational institutions’ leadership, this is not a minor update. It significantly raises the standards for how personal information must be collected, secured, and managed.

Educational institutions depend on a wide range of digital platforms, cloud services, and communication tools. All of these systems process personal information. Amendment 13 makes one point very clear: educational institutions are fully responsible for the protection, accuracy, and lawful use of that information.

Here is what leadership needs to understand.

Why This Law Matters

Schools manage highly sensitive information every day, including academic records, behavioral documentation, medical and well-being details, photos and videos, special education files, and family information. Families place deep trust in their institution. Amendment 13 ensures that this trust is backed by strict, enforceable legal standards.

What’s New in Amendment 13 and What You Must Know

1. Leadership holds direct legal responsibility

The responsibility for privacy compliance sits with the institution’s leadership. A vendor mistake or technical issue does not remove this responsibility.

2. You are required to appoint a Data Protection Officer (DPO)

If your institution handles large or sensitive datasets, you are required to appoint a DPO. This applies to most educational institutions today. A DPO must be independent, not part of IT, not involved in managing information systems, and free of conflicts of interest. Failing to appoint a required DPO is considered a direct violation of the law.

3. Documentation is mandatory

Institutions must be able to show what information is collected, where it is stored, who has access, how long it is kept, how it is protected, which external services receive it, and how risks are monitored. If the Privacy Protection Authority requests documentation, it must be provided immediately.

4. Families must receive clear, accurate information

Privacy notices and consent forms must clearly explain how personal information is collected and used. Many institutions will need to update their documents to meet the new requirements.

5. Sensitive information requires heightened protection

Health data, special education files, disciplinary records, photos, videos, and emotional or counseling notes require restricted access and stronger security measures.

6. Enforcement powers have expanded

The Privacy Protection Authority can issue fines, demand immediate corrections, require institutions to pause non-compliant systems, conduct inspections, and request documentation on short notice.

7. Legal claims can be filed without proving damage

Families or staff can submit claims for privacy violations even if no harm is shown. This substantially increases potential exposure.

What Educational Institutions’ Leadership Should Do Now

  1. Map all personal information Identify what you collect, where it is stored, and who has access.

  2. Appoint a DPO Institutions handling sensitive or extensive data must do so.

  3. Review every digital system and platform Ensure learning platforms, communication apps, cloud services, and attendance systems meet privacy and security requirements.

  4. Conduct a risk assessment Identify vulnerabilities before they cause incidents.

  5. Update forms, notices, and internal procedures Make sure enrollment forms, consent documents, and privacy notices reflect the legal requirements.

  6. Train your staff Most privacy incidents result from simple misunderstanding. Short training sessions significantly reduce risk.

What Happens If Institutions Don’t Comply

Fines and enforcement actions

Non-compliance, including failing to appoint a required DPO, can result in fines of ₪50,000–₪150,000 or more.

Legal claims

Claims may be filed without proving damage. Individual claims typically range from ₪10,000–₪30,000, while class-action events (such as exposure of 100 students) can reach hundreds of thousands of shekels.

Operational disruption

The Authority may require institutions to temporarily halt the use of non-compliant systems, affecting learning, communication, and administration.

Reputational harm

A privacy incident can significantly damage trust within the school community.

High incident-response costs

Investigations, legal fees, and cybersecurity support often cost ₪20,000–₪70,000, and may exceed ₪100,000 in complex cases.

Moving Forward

Amendment 13 introduces serious, enforceable requirements for every educational institution. With the right preparation, full compliance is achievable and strengthens your institution’s protection, transparency, and trust.

 
 
 

Ready to Strengthen Your Security? Get in Touch with Our Team!

Tel-Arm logo transparent dark.png
  • Whatsapp
  • Facebook
  • LinkedIn
  • YouTube

Join our mailing list

Get the latest cybersecurity insights, expert tips, and exclusive invites to our webinars - straight to your inbox!

For our US office | +1-305-980-5918

For our Yerushalayim office | 058-791-3481 

©2025 Tel-Arm Cyber Solutions

bottom of page