May the accident investigation team determining the causes of a workplace accident contact a doctor to establish the severity of the injured person's injury? Is the injured person's consent necessary to obtain their health-related personal data?

ANSWER

A data controller may submit a request to another data controller for disclosure of a natural person's personal data, provided it has a legal and factual basis for obtaining such information.

In the case described, the accident investigation team will have a legal basis to approach a doctor (i.e. a hospital, clinic or doctor running a private practice) with a request for disclosure of information on classification of the accident. The legal basis giving the accident investigation team the right to obtain such information is § 7(1)(5) of the Council of Ministers Regulation of 1 July 2009 on establishing the circumstances and causes of accidents at work. Neither the entity submitting the request nor the entity disclosing the personal data will be obliged in this respect to obtain consent from the data subject.