# Database Definition Document Israel | 2017 Security Regulations Guide

> Practical guide to the Database Definition Document required by Israel’s 2017 Information Security Regulations and Amendment 13 to the Privacy Protection Law. What it must include: database owner, purpose, data types, security level, information security manager, vendors. Template per Israeli Privacy Authority, and differences from GDPR RoPA.

**Canonical:** https://dpoisrael.com/en/learn/database-definition-document/  
**Locale:** en-IL

---
The **Database Definition Document** is the foundational document required by Israel’s 2017 Security Regulations for every database at medium or high security level. It defines the database’s "identity": owners, responsible parties, purpose, data types, security level, vendors, and retention period. Without a valid document, the organization does not meet the 2017 regulations, and Amendment 13 also requires this information.

## Database Definition Document in brief

- **Legal basis:** 2017 Information Security Regulations
- **Mandatory for:** Every database at Medium or High security level
- **Template:** Official from Israeli Privacy Authority
- **Required fields:** 15 minimum
- **Signatories:** Database owner, security manager, DPO
- **Validity:** Until significant change — recommended annual review
- **Difference from RoPA:** Definition Doc = Israel; RoPA = GDPR
- **Data mapping option:** Fully included in data mapping service

## 15 essential fields

| Field | Detail |
| --- | --- |
| Database name | Descriptive name + formal name as registered with Authority (if registered) |
| Database owner | Legal entity holding and maintaining the database (company, NGO, authority) |
| Database manager | Physical person directly bound to the owner — usually CEO / company manager |
| Information security manager | Person responsible for database security — usually CISO or IT Manager |
| Data Protection Officer (DPO) | If required under Amendment 13 — name, contact details |
| Database purpose | Why data is collected and used — specifically, not "business management" |
| Legal basis | Consent / contract / legal obligation / legitimate interest |
| Data types | Field details: name, ID, address, banking details, medical data, etc. |
| Data subject types | Employees, customers, vendors, volunteers, members, etc. |
| Data source | How data arrives — directly from person, vendor, government body |
| Record count | Estimate — important for determining security level |
| Security level | Basic / Medium / High — per 2017 regulations |
| Processed via | Systems, vendors, processors that touch the database |
| Retention period | How long data is retained, when deleted |
| Update date | Last document update date |

## How to determine security level

The security level drives every technical and organizational requirement. The 2017 regulations define three levels, with a minimum level for each data type classification.

| Data type | Examples | Min. security level | Main requirements |
| --- | --- | --- | --- |
| Basic data | Name, address, contact file | Basic | Permissions, basic encryption, logs |
| Financial data | Salary, bank account, credit | Medium | Encryption, controlled access, audit, vendor approval |
| Medical data | Medical record, mental health, diagnoses | High | Strong encryption, minimal permissions, full logs, encrypted backups, annual audits |
| Data on minors | Students, kindergarten children, school assessments | High | Similar to medical + documented parental consent |
| Biometric data | Fingerprint, facial recognition, DNA code | High | Special requirements + mandatory DPIA |
| Opinions & identity data | Religion, political stance, gender, sexual orientation | High | Specific consent, high security level |

## Frequent questions about Database Definition Document

### Difference between Database Definition Document and RoPA?

The **Database Definition Document** is a requirement of Israel’s 2017 Security Regulations. **RoPA** (Records of Processing Activities) is a GDPR Article 30 requirement. Their content is similar but not identical. An organization operating in both Israel and Europe maintains both, sometimes in a single unified table.

### Which databases require a Database Definition Document?

Every database at **Medium** or **High** security level requires a formal Database Definition Document. For Basic-level databases the document is not mandatory, but recommended. A mid-size organization usually has 5-15 databases requiring a formal document.

### How to determine security level?

The 2017 regulations set three levels: Basic (up to 10,000 records + non-sensitive data), Medium (10,000-100,000 + non-sensitive, or under 10,000 + sensitive), and High (over 100,000 + non-sensitive, or over 10,000 + sensitive, or any medical database).

### Is there an Authority template?

Yes. The Israeli Privacy Authority published an official Database Definition Document template, available on the Authority website. We use the template, but expand it to fit the organizational structure.

### Who signs the document?

Typically: the database owner (usually the CEO), the information security manager, and sometimes the DPO. For larger databases, the chair of the audit committee or information security committee also signs.

### Validity period?

There is no defined expiration. The document must be updated on a significant database change: a new field, new purpose, or new vendor. In practice, an annual review of all Database Definition Documents is recommended.

### What if we don’t have documents?

They must be prepared. We help: in our [data mapping service](/en/services/data-mapping) we prepare all required Database Definition Documents, in 3-14 weeks depending on organization size.

### What if the database was registered with Authority years ago — does it need updating?

Yes. Registration with the Authority does not eliminate the obligation for a full Database Definition Document. An old registration must also meet the 2017 regulations and Amendment 13 requirements.

