Activities undertaken by the Inspector General for Personal Data Protection of Poland in order to raise awareness of the law with regard to personal data protection
Educational activity led by the data protection authority is especially significant
in the countries where, as in Poland, the idea of data protection has only existed
for a short time. One should remember the fact that the Polish Act on the Protection
of Personal Data, adopted on 29th September 1997, has only been in force for three
and a half years, whereas earlier, in Poland, there were no legal rules providing
for citizens' data protection. On the contrary, under the communist system
the legal provisions and public authority activity imposed upon citizens the obligation
of providing public bodies with any information, regardless of whether those data
were adequate to the purpose for which they had been collected, and whether there
was a basis for requesting such data. Filling in all forms without questioning
the purpose and legal basis of requested data became a habit which also affected
relations between citizens and the private sector.
The idea of introducing the data protection regulation in Poland arose at the
moment when the new Constitution was created in 1997. Citizens' right to protection
of their personal data is guaranteed under article 51 of the Polish Constitution
and developed in the Act on the Protection of Personal Data. This right is still
not clear to citizens. However, an understanding of regulations and a consciousness
of vested rights come together with the experience gained both by the bodies
obliged to guarantee the rights and by the citizens themselves. Judicial decisions
and literature influence this right as well. That is why, so far, and I
presume, for a long time to come, there is a need to explain the provisions of
the Act on the Protection of Personal Data and the constitutional right to protection
of such data.
The entry into force of the Polish Act on the protection of personal data has had
an additional, negative and unexpected effect. Many people came to believe that the provisions
of the Act, despite the legislator's intentions, prohibit providing any information
containing personal data without the data subjects' consent. Accordingly,
citing the Act, citizens refused to provide information even when regulations
provided the basis for requesting the data. Even public bodies refused to provide
information necessary for the conduct of matters by other bodies. In many cases,
citizens asked the Inspector General whether they should disclose
their data to e.g. public bodies or for the purpose of civil contracts, and sometimes
they refused to enter into a contract until they had received the answer from
the Inspector General.
Consequently, immediately after the Act became law, the data protection authority
had to initiate an educational activity addressed to citizens, public
institution officials and the private sector. The necessity of becoming involved in
such activity also resulted from the many letters, telephone questions and e-mails
sent by citizens and public or private organisations regarding the Act and its
relation to other legal acts.
In the initial period of activity, I considered how to bring information to all
the entities interested in questions linked to personal data protection. Should
we print coloured leaflets with basic information about the civic right to data
protection and insert them in newspapers and magazines which are available in
the public offices? However, the high cost of such an action, which would have to be
repeated rather than undertaken once, and the fact that by the end of the 90's citizens had become
so insensitive to the quantities of coloured advertisements and leaflets put in
the newspapers that they no longer paid any attention to them (very often reading
the newspaper begins with throwing out all of the advertising leaflets unread),
led me to abandon this idea.
As a part of this educational activity, the widest range of media was employed.
Citizens' rights to personal data protection and the controllers' obligations
linked to them were explained in television and radio interviews given by the Inspector
General and the employees of the Bureau, and during press conferences. The provisions
of the Act on the Protection of Personal Data were also widely explained and commented
on in both the daily and professional press. Although three years have passed
since the Act was passed, in the legal section of one of the leading Polish newspapers,
"Rzeczpospolita", a special column devoted to personal data protection is published
regularly. It offers explanations regarding the application of the Act on the
Protection of Personal Data and it has to be admitted that it is very popular.
The national press has twice been used to publish the Inspector's announcement
reminding the controllers of the necessity of fulfilling the registration obligation.
It has to be admitted that these announcements, published on the front pages of
all national newspapers, produced an effect in the form of a considerable increase
in the number of file registrations.
By the end of 1998, after the Bureau of the Inspector General had been organised, a frequently
updated web site was created, which contains the binding legislation (the Act and
law enforcement provisions) regarding personal data protection, up-to-date jurisdiction
by the Inspector General and explanations of the provisions of the Act, the Inspector
General's annual reports of her activity submitted to the Parliament (Sejm), Supreme
Administrative Court jurisdiction and Supreme Court jurisdiction, a bibliography
regarding data protection, reports from conferences and meetings in which the Inspector's
employees have participated, international legal acts and the documents adopted
by European institutions.
Within the framework of popularising the idea of personal data protection, both the Inspector
General and the employees of the Bureau participated in lectures, thematic
seminars (e.g. a seminar on the protection of personal data used for social security
and employment purposes) and meetings (e.g. in 1999 training meetings for self-government
employees regarding the Act on the Protection of Personal Data were held).
The most interesting experiences have come from contacts with the private sector.
Unfortunately not all of them. Large insurance companies which have their mother
company in Western Europe reacted the most rapidly to the entry into force
of the Act on the Protection of Personal Data. These companies were the first to
ask questions, e.g. concerning the possibility of transferring personal data abroad
to their mother companies, and to notify the files to be registered. Contact was
established with one of the first economic self-government bodies, the Polish Chamber
of Insurance, in order to discuss some questions (e.g. the content of the clause
concerning the consent of the insurance company's clients to the processing of
their medical data). It has to be admitted that these contacts were very interesting
for both sides and were also beneficial for the insurance companies' clients. At
present I am not in receipt of any complaints from citizens regarding insurance
companies' activity.
Contacts with the banks were finally also very positive. Citizens bring many complaints
concerning banking activity. These complaints are very different: from questioning
bank practices of using clients' personal data without their consent to promote
e.g. a pension fund, to various complaints regarding the scope of the data requested
at the moment of entering into a contract for the opening of a bank account. In
this case the most controversial practice is the copying of the clients' identity
cards (I thought that these cases were characteristic of former countries of Eastern
Europe, but in the last annual report of the Berlin Commissioner I have read that
such practice was also questioned by him), which is unfortunately widely used
by both the private and public sectors. Finally, as a result of many meetings and discussions
both with the banking economic representative body and with
wide circles of every bank's representatives (such meetings took place repeatedly),
the banks have conformed to determined rules (regarding e.g. the adequacy of the
data processed) and some satisfactory forms of co-operation have been established.
At present, for example, the complaints about banks' activity are examined by the
Inspector General, who handles them on the basis of the Act on the Protection
of Personal Data, but are also sent for the attention of, and for examination
according to internal procedures by, the banks' economic representative organisation.
It is to be pointed out
that there is no co-operation with mobile telecommunications companies which belong
to the third group of the most profitable companies.
Contacts are also difficult with public sector institutions and bodies, especially with
central administration bodies which do not fulfil the obligations stipulated by
the Act on the Protection of Personal Data and are not inclined to co-operate
with the Bureau of the Inspector General.