06.12.2024

Final of the Social Insurance Institution and Polish SA seminar series

On November 28, 2024, the last - and largest - meeting in a series of four events related to the topic of personal data protection took place, organised this year by the Social Insurance Institution in cooperation with the Personal Data Protection Office. The conference ‘Challenges related to personal data protection. A look from the perspective of 2024’ provided an excellent opportunity to highlight the key changes that have recently taken place in personal data protection legislation.

The inspiration for the series of meetings between the Personal Data Protection Office and the Social Insurance Institution was the numerous questions on the processing of personal data posed to both institutions. On this basis, the idea of topics which were raised during the joint events was born. The idea was also to exchange experience on the correct and safe processing of personal data, so that issues related to this area of knowledge would be understandable not only to professionals.

The lectures and discussions, organised as part of the series of meetings, were very well received, both by the expert community dealing with the issue of personal data protection and by citizens, such as users of the Personal Data Protection Office helpline.

Cooperation between the Social Insurance Institution and the Personal Data Protection Office

The series of debates started on 19 June 2024 in Wrocław, with the seminar ‘Data processing by the Social Insurance Institution and insurance contribution payers in connection with the implementation of statutory obligations. Practical aspects’. The next event was ‘Implementation of the Whistleblower Act and Personal Data Protection in the Workplace’ on 16 September 2024 in Gdańsk. The third seminar ‘Time of challenges – designing AI systems and implementing NIS2 in the organisation’ took place on 9 October 2024 in Chorzów. The conference ‘Data Protection Challenges. A look from the perspective of 2024’ on 28 November 2024 in Warsaw closed the session of joint meetings between the Personal Data Protection Office and the Social Insurance Institution.

New regulations

- Today, data protection in the context of new technologies and data processing is a given. The changes are extremely numerous. The wave of new rules, which, above all in the EU legal system, has been adopted and which we, as a Member State, are starting to be bound by, requires a great deal of effort at different levels. It is a legislative effort, it is an effort of the obliged entities, it is an interpretative effort. Therefore, these views, doctrines, which shape the subsequent activity of institutions, including the supervisory authority, are extremely important - with these words, the President of the Personal Data Protection Office, Mirosław Wróblewski opened the conference ‘Challenges related to personal data protection. A look from the perspective of 2024’. As he pointed out, the changes also relate to the tasks imposed by new regulations on the Personal Data Protection Office, such as the challenges of implementing the DGA (Data Governance Act) or the AI Act.

The event focused on what tasks the Polish supervisory authority faces in relation to the ongoing technological development and the need for new European Union regulations.

A leading theme was the importance of new legislation, such as the AI Act or the NIS2 Directive, and its impact on everyday practice in public administration and the work of data protection officers (DPOs).


Key changes to the legal system in 2024 from a data protection perspective

As noted, the impact of the so-called ‘legislative tsunami’, i.e. the numerous EU regulations, on the daily practice of data protection is not negligible. It poses new interpretative challenges for authorities with significant consequences for institutions and businesses.

It was pointed out that new EU regulations, such as the Data Governance Act (DGA) or the Data Act (DA), need to be transferred into national law, which often raises questions about the balance between the protection of individual rights and the effectiveness of the rules. Such issues arise, for example, in the protection of whistleblowers or in the case of AI. Among other things, the task of the Personal Data Protection Office is to check whether draft legislation is compatible with respect for fundamental rights.

The challenges of the Act on the Protection of Whistleblowers and its impact on the labour market were highlighted. Difficulties are caused, among others, by the lack of coherent provisions on groups and the implementation of AI systems in workplaces. On the basis of labour law, the need arises to ensure that employees' rights are not violated. At the same time, AI aspects should not overshadow other issues, such as the protection of whistleblowers, e.g. with regard to external reporting, or the issue of monitoring in the workplace, where the Labour Code provisions need to be amended.

Ethics is the key

The importance of ethics in data management was emphasised and the need for Data Protection Officers (DPOs) to understand the technological aspects of AI systems was pointed out. At the same time, it was pointed out that organisational and technical issues must be based on certain ethical attitudes, framed in so-called Corporate Social Responsibility (CSR) or Economic Social Governance (ESG) systems.

Consequences of the new legislation

Speakers reflected on the potential risks associated with the use of AI in public administration, pointing out that behind every AI system there is a human who created it, and that development and innovation require the acceptance of some risk. They stressed the need for clear regulations, especially in the context of administrative decisions based on algorithms - for example, when an algorithm selects a case for an audit or blocks access to an account. The meeting also pointed out the need to continue the discussion on when, under what rules and with what rights an algorithm can operate within state boundaries.

During the discussion, a reference was made to the European Commission, which noted in the European Strategy for Data in 2020 that the entire human information environment forms an infosphere with personal and non-personal data. We already have the DGA and the DA, which deal with very different data handling issues. In addition to this, the European Commission intends to regulate industry-specific data spaces, as it did with the EHDS (European Health Data Space). Further regulations will cover financial markets, mobility, public administration, transport. The objectives of these regulations are primarily to strengthen the legal position of data subjects and to increase the circulation of data.

A complicated system

From an institutional point of view, this will be a complex system that will also bring challenges for the Personal Data Protection Office: data subjects will need to have their new rights explained to them, and controllers will need to be shown how to fulfil their obligations. It has been pointed out that the draft new implementing acts will not necessarily simplify the current system.

From 2025 the effects of these legal acts will be experienced by private entities and institutions. Although the new legal regulations do not violate the GDPR, in some places they modify the constructions known from the regulation by introducing additional legal measures, supplementing them. Due to these changes, it will be necessary to upgrade the qualifications of DPOs.

The speakers demonstrated that it is necessary to reflect on the objectives of the various acts in order to clarify whether and to what extent the act applies to the entity in question.

The new role of the DPO

As the participants pointed out, it was not possible to introduce a uniform standard of control in Poland on the grounds of new acts. An important moment will be the emergence of new regulators - as in the case of most acts there will be more than one regulator in the market. Consequently, many acts will come into force and different authorities will be responsible for supervising their compliance, which will not be easy to apply.

The role of DPOs is becoming increasingly complex and their tasks will include not only compliance with GDPR, but also new responsibilities under acts such as NIS2 and the AI Act. There will be an increased need for specialised knowledge and skills, particularly in the areas of AI and cyber security risk management.

AI technology - opportunities and risks

Panellists discussed the use of AI in public institutions, ethics and compliance and the future of AI in the context of regulations. It was emphasised that AI users need to be aware of the impact of their actions on data security.

Social Insurance Institution experts indicated that the Social Insurance Institution treats AI as a support tool, not a replacement for employees. They assured that algorithms will not make decisions about work ability, but support humans in making them. They also outlined the need for AI-generated content to be flagged and for systems to be ethically compliant. As highlighted, organisations using ISO standards are more likely to implement AI in a consistent and secure manner.

Attention was also drawn to the problem of data re-identification when training AI systems. These systems should be developed with principles of data minimisation and with appropriate security measures.

It was pointed out that the development of AI is not only an economic opportunity, but also a necessity if Poland wants to be internationally competitive. However, the lack of adequate human resources and an environment supporting the development of the technology remains a problem.

So, while artificial intelligence has the potential to become a key tool for organisational development, its implementation must respect ethics, legal compliance and responsible risk assessment.

Summary

The experts stressed that personal data is now one of the most important resources from both an economic and a social perspective, which entails a huge responsibility for those who take care of it. Data security is a fundamental element in building citizens' trust in institutions.

The key challenges we face are primarily:

  • development of privacy impact assessment standards;
  • education in a broad sense: of the public, employees, DPOs on new technologies;
  • investment in staff and continuous improvement of their competences;
  • opening up cooperation between regulators to avoid duplication of competences.

2024 is a time of intense preparation for the implementation of the new regulations, and their effects will be felt in the years to come.

Other events of the series:

‘Data processing by the Social Insurance Institution and insurance contribution payers in connection with the implementation of statutory obligations. Practical aspects’, 19 June 2024, Wrocław.

The meeting dealt with issues relating to the formation of the status of public record keepers and the related consequences, as well as obligations. The topic of the use of artificial intelligence in the process of controlling contributors was discussed, as well as any dilemmas this raises relating to the protection of personal data. 

‘Implementation of the Whistleblower Act and Personal Data Protection in the Workplace’, 16 September 2024, Gdańsk.

During the seminar, the speakers explored the topic of internal notification and follow-up procedures - in line with GDPR, talked about the risks of breaching people's rights and freedoms in the whistleblowing process, and introduced the audience to the implementation of personal data protection principles in the processing of whistleblower data. The admissibility of the use of psychometric tests by employers was also raised. There was no shortage of discussion regarding the interpretation of the provisions of the Act.

‘Time of challenges – designing AI systems and implementing NIS2 in the organisation’, 9 October 2024, Chorzów.

The event discussed the responsibilities of data controllers in the context of the design of artificial intelligence (AI) systems and the alignment of organisations in terms of cyber security with the requirements of the NIS2 Directive. The seminar was an opportunity to present the possibilities and uses of AI in public administration and other institutions.