Republic of Poland

The Polish Constitution recognizes the rights of privacy and data protection. Article 47 states, "Everyone shall have the right to legal protection of his private and family life, of his honor and good reputation and to make decisions about his personal life." Article 49 states, "The freedom and privacy of communication shall be ensured. Any limitations thereon may be imposed only in cases and in a manner specified by statute." Article 51 states, "(1) No one may be obliged, except on the basis of statute, to disclose information concerning his person. (2) Public authorities shall not acquire, collect nor make accessible information on citizens other than that which is necessary in a democratic state ruled by law. (3) Everyone shall have a right of access to official documents and data collections concerning himself. Limitations upon such rights may be established by statute. (4) Everyone shall have the right to demand the correction or deletion of untrue or incomplete information, or information acquired by means contrary to statute. (5) Principles and procedures for collection of and access to information shall be specified by statute."[2108]

The Law on the Protection of Personal Data Protection (LPPDP) was approved in October 1997 and took effect in April 1998.[2109] The law is based on the European Union (EU) Data Protection Directive. Under the Law, personal information relating to identity may only be processed with the consent of the individual. Special rules are provided for the processing of sensitive data, which is defined as data relating to race, ethnic origin, religion, political opinions, union membership, genetic code, sexual preferences, and medical history including addictions. Everyone has the right to verify his or her personal records held by government agencies or private companies. Every citizen has the right to be informed whether such databases exist and who administers them; queries should be answered within thirty days. Upon finding out that data is incorrect, inaccurate, outdated or collected in a way that constitutes a violation of the Act, citizens have the right to request that the data be corrected, filled in or withheld from processing.[2110] Personal information cannot generally be transferred outside of Poland unless the country has 'comparable' protections. The law sets out civil and criminal sanctions for violations. A 1998 regulation from the Minister of Internal Affairs and Administration sets out standards for the security of information systems that contain personal information.[2111] In August 2001, the Act was amended in order to bring it into full compliance with the EU Data Protection Directive (95/46/EC).[2112] Among other changes, the amendment redefined the term 'personal data'; introduced a new provision relating to final decisions issued solely on the basis of automated processing of personal data; introduced a new provision on data processing in relation to performance of a contract; adjusted the lawful processing provision; and inserted a scientific research clause. 
The Inspector General for Personal Data Protection (the Inspector General) recently submitted to the Polish government a draft amendment to the LPPDP. The amendments proposed in this draft are intended to bring the Polish provisions more closely into line with the requirements of the EU Data Protection Directive.[2113]

The Bureau of Inspector General (the Bureau) enforces the LPPDP.[2114] Ewa Kulesza was appointed as the first Inspector General for the Protection of Personal Data by the Polish Parliament in April 1998. The Bureau has four central duties: to supervise compliance with the Act; to investigate complaints and issue administrative decisions; to comment on proposed new laws and regulations that impact upon data protection; and to maintain a central registry of databases. Registration details must include the name and address of the data controller, the scope and purpose of the data processing, methods of collection and disclosure, and the security measures.[2115] An inspector has the right to access data, check data transfer and security systems, and determine whether the information gathered is appropriate for the purpose that it is supposed to serve.[2116] The office monitors the activities of all central government, local government and private institutions, individuals and corporations. As of June 2003, the Bureau had 112 staff members.[2117] The Bureau is structured into several departments.[2118]

In 2002, the Bureau answered 1,324 enquiries concerning the binding provisions on data protection and the interpretation of the Act; considered 830 complaints; gave 351 legal opinions on bills, in particular as regards compliance with the provisions of the Constitution of the Republic of Poland concerning privacy and the LPPDP; conducted 233 inspections at data controllers' facilities in order to assess the compliance of the data processing with the provisions on personal data protection; registered 2,407 data filing systems; issued 507 decisions; and addressed 61 notifications of committed offences provided for by the provisions on personal data protection.[2119] From the beginning of the Bureau's operation in 1998 through the end of June 2003, 77,842 notifications for registration of data filing systems were received and 55,096 data filing systems were registered.[2120]

In general, the issues most often raised in complaints include the collection of excessive personal data (in particular by banks, insurance companies, employers, telecommunications operators, social assistance centers, administration of justice and law enforcement bodies); disclosure of data from medical documentation, records of criminal proceedings, or various records kept by public bodies (e.g., motor vehicle or census records); public disclosure of debtors' data and their transfer to professional debt collectors; the legal basis of data processing for the purpose of direct marketing or political campaigns; appropriate means of ensuring the security of personal data (e.g., data contained in employees' files in case of bankruptcy); and the legal basis and scope of processing on the Internet.[2121] The Bureau has, from its inception, conducted an educational campaign in an attempt to familiarize citizens, government officials and the private sector with the provisions of the Act. Of the 700 complaints brought in 2000, forty percent were justified, while the rest resulted from a lack of understanding of the law.[2122]

Some of the more significant decisions issued by the Inspector General in 2001 were to prohibit: telecom and insurance companies from making photocopies of identity cards at the time of entering into a contract to provide their services; banks from using their former clients' personal data for marketing purposes; and employers from processing data on employees' sexual life during recruitment. The Inspector has also opened an investigation into a brokerage house that accidentally disclosed clients' personal data on the Internet.[2123] In November 2001 the Bureau, in conjunction with the Council of Europe, hosted a major conference on data protection.[2124]

The Bureau also maintains close relations with the data protection authorities in other central and eastern European countries. In December 2001, the Data Protection Commissioners from the Czech Republic, Hungary, Lithuania, Slovakia, Estonia, Latvia and Poland signed a joint declaration agreeing to closer cooperation and assistance. The Commissioners have been meeting twice a year. The fourth meeting took place at the end of April 2003 in Budapest.[2125]

There are sectoral laws in place to deal with the processing of medical and financial data. The 1996 Act on the Profession of a Doctor imposes on medical professionals a duty of confidentiality, subject to certain exceptions, in relation to patient information. The Constitutional Tribunal ruled in March 1998 that requiring doctors to identify, on sick leave certificates, the disease of the patient violated the patients' right to privacy. The Banking Act 1997 imposes a requirement of secrecy on banks in relation to an individual's banking activities and identity, and limits the exchange and disclosure of personal data among banks and third parties except for the purpose of assessing credit risks or investigating fraud. Broad exemptions are granted to state entities, however. In April 2000, the Constitutional Tribunal dismissed a challenge to the rights of Polish tax authorities to request confidential information about any individual's bank accounts, bonds and securities. The court held that these powers were important in the fight against bribery and money laundering.[2126]

Chapter 33 of the 1997 Penal Code, "Offences against the Protection of Information," deals with computer-related offences. Unauthorized access to computer systems, computer eavesdropping, interference with data, and computer sabotage are crimes punishable by up to eight years' imprisonment. The code also prohibits telecommunications fraud, the handling of stolen software, computer espionage, and causing harm from interference with automatic data processing.[2127]

The Government of Poland carries out a large number of wiretaps with limited oversight. Under the Criminal Code, the Minister of Justice and the Minister of the Interior must authorize the use of wiretaps by the police and intelligence services. The law specifies for which cases the interception of communications may be authorized. In exceptional cases, the police may initiate a wiretap at the same time as they apply for authorization. Furthermore, under the Police Code electronic surveillance may be used for the prevention of crime as well as for investigative purposes. The government does not openly release statistics on the number of wiretaps applied for and authorized, tending to view this as a state secret. In 1997, reported numbers of wiretaps varied from 2000 to 4000.[2128] There are unsubstantiated reports that these numbers increased further in 1999 and 2000.[2129] The United States Department of State, in its annual Country Reports on Human Rights Practices, has been consistently critical of the high number of wiretaps authorized in Poland. In its most recent report it noted that "[t]here is no independent judicial review of surveillance activities, nor is there any control over how the information derived from investigations is used. A growing number of agencies have access to wiretap information."[2130] In its 1999 report, the United Nations Human Rights Committee said it was "concerned that the Prosecutor (without judicial consent) may permit telephone tapping and that there is no independent monitoring of the use of the entire system of tapping telephones." The Committee recommended that Poland "review these matters so as to ensure compatibility with article 17 [of the International Covenant on Civil and Political Rights], introduce a system of independent monitoring, and include in its next report a full description of the system by then in operation."[2131]

A number of different proposals to expand law enforcement surveillance capabilities have been put forward over the last few years. In July 2001, amendments to the Police Act gave the police increased powers to monitor individuals in public places, including through the use of video surveillance. The International Helsinki Committee noted in its 2002 report that the amendments "were dubious in terms of the right to privacy."[2132] The Ministry of Internal Affairs and Administration announced in January 2000 that it was setting up a new unit of 1,500 officers based on the United States Federal Bureau of Investigation to combat organized crime. The new unit will have the power to conduct electronic surveillance and create extensive databases.[2133] Efforts to require all service operators (including mobile phone and Internet access providers) to install equipment to facilitate this increased monitoring are also going forward. There are serious concerns within the Bureau about the Polish Executive Regulation of February 22, 2003 adopted pursuant to the Telecommunications Law. The provisions of this regulation impose upon telecommunications network operators the obligation to ensure that public security bodies have access to information sent through telecommunications networks for the purpose of national defense, state security and public order.[2134]

Controversy still surrounds the expanded national identification (ID) system. The Electronic Census System (PESEL) number, which has been issued since the mid-1970s, is the biggest collection of personal data in Poland. Every identity card contains a PESEL number, which is a confirmation of the owner's date of birth and sex. The system is fully computerized. The Government began issuing the new ID cards in January 2001.

The Parliament approved the Act on Access to Public Information in September 2001. It went into effect in January 2002. The Act creates a presumption of access to information held by all public bodies, private bodies that exercise public tasks, trade unions and political parties. The bodies are also required to publish material online. There are exemptions for official or state secrets, confidential information, personal privacy and business secrets. Appeals are made to a court. Parliament is currently discussing amendments that would create an independent commission to enforce the Act.[2135]

Poland enacted the Classified Information Protection Act in January 1999 as a condition of entering the North Atlantic Treaty Organization (NATO).[2136] The act covers classified information or information collected by government agencies whose disclosure "might damage interests of the state, public interests, or lawfully protected interests of citizens or of an organization." There have also been efforts to deal with the files of former employees of the communist-era secret police. A law creating a National Remembrance Institute (IPN) to allow victims of this secret police agency access to records was approved by the Parliament in October 1998. The files were opened to the public in February 2001.[2137] The Screening Act of 1997 created a special commission to examine the records of government officials who might have collaborated with the secret police. The Commission began work in November 1998. Under the Data Protection Act, individuals have the right to access and correct records that contain personal information about them from both public and private bodies.

Poland is a member of the Council of Europe and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. In May 2002 it ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[2138] In November 2001, it signed, but has not ratified, the Council of Europe Cybercrime Convention (ETS No. 185).[2139] Poland is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.