On 22 February 2024, the Supreme Audit Office in Poland (the "NIK") published the results of inspections carried out in several local government bodies. The inspections were triggered by a growing number of media reports on inappropriate conduct by government officials related to such a basic element of security as using e-mail addresses in public domains for official purposes and processing personal data through them. NIK checked how the protection and correctness of data processing is ensured, including personal data collected electronically by local government units and their subordinate organisational units on websites, e-mail and in connection with the sessions of legislative bodies held. The results were not satisfactory, as the audit found years of negligence related to personal data protection, unawareness of risks and lack of clear guidelines. Certain elements of the personal data protection system in local government units were in poor condition. The NIK's further analysis shows a high probability of similar irregularities in several thousand public units across the country that exchange correspondence via e-mail inboxes on a daily basis, while using hosting and commercial domains. The analysis shows that 43 % of educational institutions, 32 % of public health care institutions and 28 % of social welfare centres use major e-mail providers in commercial domains on a daily basis, e.g. wp.pl, poczta.onet.pl, gmail.com. NIK has diagnosed the systemic nature of irregularities in the field of data protection and processing, including personal data in local government units. Therefore, the audit will be expanded to include all local government units in Poland.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
