On 2 June 2012 an amendment to the Act on the Supreme Audit Office concerning the audit procedure enters into force. One of new provisions is Article 29 section 1 item 2 letter i of the Act, which provides the NIK auditors with access to sensitive personal data on the condition it is indispensable for an audit to be conducted. With regard to the discussion on that provision, the President of the Supreme Audit Office Jacek Jezierski presented NIK’s standpoint on that matter at the meeting at the Commissioner for Citizens’ Rights’ office, in the presence of a representative of the Inspector General for the Protection of Personal Data (GIODO), journalists and non-governmental organisations.
The Supreme Audit Office checks on behalf of the Polish citizens how the state and local government institutions serve the citizens. Therefore, NIK should have the rights facilitating performance of these tasks. One of such right is the access to sensitive data and the possibility of their processing. NIK has had such access for many years. A new solution that will come into force on 2 June this year is the NIK auditors’ access to sensitive data.
The catalogue of sensitive data in the Personal Data Protection Act defines several groups of such data. From NIK’s point of view, they may be divided into two categories: data directly related to the citizen-country relation (e.g. data on the court and administrative decisions concerning convictions and fines) and data not pertaining to that relation, deeply touching on private and intimate spheres of the citizens’ lives. The second group comprises the data on racial or ethnic origin, political views, genetic code or sexual life.
Data on private and intimate spheres of citizens’ lives are not needed to conduct a NIK audit. The Supreme Audit Office does not conduct audits, in which the auditors would reach for some data deeply touching on private and intimate spheres of life, including the following:
- racial or ethnic origin,
- political views, religious or philosophical beliefs,
- membership in denominational groups, political parties or trade unions,
- data on genetic code, addictions or sexual life.
That is why, the Supreme Audit Office is ready to limit the NIK auditors’ access to such sensitive personal data by changing the Act provision. NIK has never reached for such data and has never intended to make use of them.
The analysis of audits conducted to date reveals that NIK will only need access to a part of sensitive data: information on the health condition, data on convictions, fines, decisions to impose a penalty and on the decisions passed in the court and administrative proceedings.
Without this type of data NIK would not be able to conduct audits, e.g. related to:
- access to health care benefits, e.g. queues in hospitals,
- observing patients’ rights,
- expenses for health care, or for medical procedures and medicines,
- helping the disabled,
- providing social welfare benefits,
- activity of penitentiaries and correctional units, including e.g. effectiveness of resocialisation,
- adequacy of imposing and recovering fines,
- settling citizens’s issues by the central and local government administration.
In all these areas personal data have already been gathered by the audited institutions. Considering the citizens’ well-being and adequacy of public money spending the Supreme Audit Office should have a possibility of verifying the audited activity in its full scope.
To provide sensitive data with special protection during audits the President of the Supreme Audit Office introduced internal provisions of law which make it impossible for auditors to abuse law to access such data. They may be obtained only if it is required for the programme or subject matter of the audit and only if it is essential for the audit objectives to be achieved. The auditor may request access to sensitive data only after acquiring prior acceptance of the Director of a Department or Regional Branch.
By the time the Act provisions are amended, the President of the Supreme Audit Office imposed a ban on preparation and conduct of audits requiring access to sensitive data outside the scope of citizen – country relationship, i.e. regarding racial or ethnic origin, political views, religious or philosophical beliefs, membership in denominational groups, political parties or trade unions, genetic code, addictions or sexual life.
The Commissioner for Citizens’ Rights’ representatives present at the meeting during Mr. Jezierski’s statement admitted that we are facing a conflict between two values: justified aspiration to reliable audit and a need for the protection of sensitive personal data. “In our opinion the amendment proposed by NIK is the best solution of that dilemma” – stated Ms. Anna Błaszczak, Deputy Director of the Constitutional and International Law Team. The Deputy of the Inspector General for the Protection of Personal Data also expressed his approval for NIK’s initiative, and stressed at the same time that further limitation of the auditors’ access to sensitive data could disturb them in performing their constitutional duties.
The Commissioner for Citizens’ Rights, prof. Irena Lipowicz, evaluated the meeting as a symptom of new, good practice. Instead of secret and long-lasting exchange of documents, three institutions - the Supreme Audit Office, the Commissioner for Citizens’ Rights and the Inspector General for the Protection of Personal Data – reached an agreement in a short time and presented their joint standpoint for consultation to the public. “The rest depends also on you” - prof. Lipowicz addressed the journalists and representatives of non-governmental organisations. And Mr. Jezierski added: “We act on behalf of the citizens and for the citizens. Their voice is most important for the Supreme Audit Office.”
