Audit findings
Despite confirmed irregularities, NIK positively evaluated the activity of audited authorities, special services and formations in terms of procedures enabling the acquisition and processing of retention data[1]. The effective principles and procedures made it possible to acquire the data efficiently. The telecommunications data were available to authorised employees and public officers only. The scope of eligible persons was precisely specified in the audited institutions.
It needs to be stressed, though, that NIK did not check if the phone records requests were justified in individual cases as it would go beyond the scope of NIK’s statutory responsibilities
Phone records
Irregularities confirmed by NIK included among others:
- the way of obtaining data via telecommunications networks as well as phone and IT systems not always made in possible to fully identify the inquiring officer or verify the scope of the question asked (among others as a result of imprecise clauses in agreements with the telecommunications operators);
- some services requested the telecommunications data for a period going beyond the data retention deadline defined by the law (by January 2013, special services could demand the data covering the period of two years, now it is 12 months);
- the courts demanded phone records in divorce cases or other civil proceedings without the required subscriber’s consent (fortunately, the operators refused to provide such data to the courts);
- the operators provided data in a broader scope than required in the request, thus breaching the secrecy of telecommunications (NIK notified the Office of Electronic Communications [Urząd Komunikacji Elektronicznej – UKE] of those cases);
- redundant telecommunications data were not always destroyed (e.g. in entities acting as intermediaries between an operational unit and the telecommunications operator);
- data were acquired by non-eligible officers or unidentified persons (as a result of using the same name card by several public officers);
- the courts demanded the text of smses in civil proceedings. The text of smses may be made available only in case of most serious crimes, provided the court orders to capture such data. NIK resolved to notify the Minister of Justice of those irregularities;
- the courts and prosecutor’s offices did not inform the public of acquiring phone records (they are obliged to do so under Art. 218 section 2 of the Code of Criminal Proceedings not later than by the time of completing the proceedings).
The audit findings show that the data on the use of retention data by special services, prepared by the President of the Office of Electronic Communications and then presented on the EU forum, did not show the real picture of the situation. The information was incomplete and the data were incomparable. For instance, in 2012 some entrepreneurs (mainly small companies) did not send data on inquiries made by the Police and other services to UKE. Besides, the information submitted by the entrepreneurs contained evident errors and discrepancies. Despite the above, all the figures were summed up, which significantly influenced reliability of the data presented by UKE. According to NIK, the methodological errors and instances of negligence were significant. Therefore, drawing statistical conclusions based on UKE data on the collection of phone records in Poland is not authorised.
Recommendations
NIK believes that the access of special services to the telecommunications data is crucial to enable effective prevention and persecution of crimes. The data retention is a valuable tool for law enforcement bodies and the judiciary in criminal cases. NIK findings show, however, that the Polish law does not effectively protect citizens’ rights and freedoms before excessive interference of the state. Therefore, considering the existing legal and organisational conditions, projected changes to the law at the EU level, as well as the NIK audit results – the Supreme Audit Office recommends as follows:
1. The scope and purpose of the telecommunications data requested by special services should be more precise. It is necessary to create a catalogue of cases for which the telecommunications data may be acquired.
2. The process of acquiring data from phone records should be subject to external audit, also to verification if such acquisition was justified. Besides, the persons whose data were acquired should be informed of that fact.
3. The law should be changed as soon as possible so as to enable destruction of the acquired data when they are no longer needed for the proceedings in question.
4. Reporting mechanisms should be developed to assure reliable information on the scope of acquiring telecommunications data.
It is mainly the state and its services, not only the telecommunications operators, that are to account before all citizens for their activities related to the acquisition of telecommunications data. Therefore, NIK recommends that the Polish legislator implement such mechanisms.
[1] information kept by the telecommunications operators on the phone number holder, phone numbers of his or her interlocutors, location of the phone and the IP number holder
