The Internet Society Poland requested the President of the Social Insurance Institution – ZUS – (in Polish: Zakład Ubezpieczeń Społecznych) to disclose public information concerning technical specification of the KSI MAIL format, that is used in Płatnik software. Płatnik computer program is a free but not open source software that can be used to fill in and send a statement of payment declarations to the Social Insurance Institution. It works only with MS Windows operating systems.
The President of ZUS ruled that the Polish Act of 13 October 1998 on the Social Insurance System, consolidated text published in Journal of Laws (Dziennik Ustaw) of 2007 No. 11, item 74 as amended, obliges payers of social insurance to prepare documents including inter alia protected data, for instance sensitive data concerning health, in the electronic format and to transmit of such documents from Płatnik to ZUS. These data are personal data protected by law. Making them available could result in significant disruption in the supply KSI MAIL system, exposing to a breach of professional secrecy of ZUS and undermine the statutory exclusivity of the software provided by ZUS. Regardless of the abovementioned arguments, ZUS stated that KSI MAIL module is subject to business confidentiality and trade secrets due to the greement conducted between ZUS and Prokom Software S.A. on the design and implementation of a comprehensive system for social security. The agreement obliged ZUS to keep confidential all information relating to the transferred technology and solutions contained in KSI MAIL. ZUS based its final decision on the provisions of Article 5 of the the Polish Act of 6 September 2001 on Access to Public Information – API – (in Polish: Ustawa o dostępie do informacji publicznej), published in Journal of Laws (Dziennik Ustaw) No. 112, item 1198, with subsequent amendments.
Article 5. 1. The right to public information is subject to limitation to the extent and on the principles defined in the provisions on the protection of confidential information and on the protection of other secrets being statutorily protected.
2. The right to public information is subject to limitation in relation to privacy of a natural person or the secret of an entrepreneur. The limitation does not relate to the information on persons performing public functions, being connected with performing these functions, including the conditions of entrusting and performing these functions and in the event when a natural person or entrepreneur resigns from the right to which he was entitled to.
3. The access to public information on matters resolved before the state authorities, in particular in the administrative, criminal or civil proceedings cannot be limited, with the stipulation of it. 1 and 2, with respect to protection of the party’s interest, if the proceedings concern the public authorities or other entities performing public functions or persons performing public functions – in the scope of these functions or tasks.
4. The limitations of access to information on cases, defined in it. 3, do not breach the right to information on organisation and work of the bodies conducting proceedings, in particular on time, mode and place and the order of investigating cases.
ISOC filed a complaint before the Voivodeship Administrative Court in Warsaw. It emphasized that the technical specification of KSI MAIL is public information. Its publication broadens the possibility of fulfilling the duties of citizens who do not wish to invest in MS Windows. ISOC further argued that ZUS can not rely on contractual provisions, as it was contrary to the mandatory provisions of the API and that they are invalid. Also, ZUS made an erroneous interpretation of the law to rely on business secrets and trade secrets, because ISOC did not request the source code of the program, or other works protected by copyright or industrial property rights/patents.
The Voivodeship Administrative Court in its order of 30 January 2004 case file II SA 3732/03 held that this request concerns matters that are not subject to the administrative jurisdiction, but the civil courts which is in accordance with the provisions of Article 22(1) of the API.
1. The entity, which was denied the access to the public information in respect to its exclusion of its openness when quoting the protection of personal data, the right to privacy and the secret other than state, official, treasury or statistical secret, is entitled to put an action to the court for making such information available.
2. The entity, to which the exclusion of public information is related, has a legal interest in commencing as an accidental intervener on the defendant’s side.
3. The competent court for resolving the cases, defined in it. 1, is the district court with respect to the seat of the entity, which refused to make the public information available.
The Supreme Administrative Court in its judgment of 3 March 2004 case file OSK 600/04 stated that the cassation complaint is unfounded and declared that, the term “when quoting” as used in Article 22(1) of the API, has such meaning that it is sufficient for the entity who posses requested information to invoke the mentioned in this provision object of protection, to exclude the possibility of control by an administrative court. The administrative court cannot control in this case the legality of the decision and investigate if the indicated condition actually occurred.