The department of human services (DHS) is under scrutiny this week after the Nine papers revealed the department sent letters to 50,000 patients who were previously prescribed lithium. DHS was seeking to recruit the recipients into a non-government study on bipolar disorder.

Psychiatrists raised concerns after receiving complaints from patients who had received the letters and accused their psychiatrists of breaching patient confidentiality.

The doctors didn’t breach confidentiality. Instead, DHS, which delivers social and health payments and services, including via Medicare, used data held by Medicare to contact patients who had previously been prescribed lithium on behalf of researchers from the QIMR Berghofer Medical Research Institute.

Patients were invited to complete an online survey, and potentially provide DNA samples, to identify genetic markers associated with bipolar disorder.

Read more: After the Medicare breach, we should be cautious about moving our health records online

Research using big datasets is increasingly common. Big data, combined with genomics, is an extremely powerful research tool, offering tantalising opportunities to gain insight into major challenges to human health. It’s reliant on collection of data from many different individuals.

But in pursuing population-scale benefits, the risks to individual autonomy and privacy are easily overlooked – or worse, they’re disregarded.

Has the ethics framework been disregarded?

This week’s revelations highlight issues with the existing ethical and legal framework governing data access.

The National Health and Medical Research Council’s national statement governs the conduct of ethical research in Australia. It outlines the structure and approval process of human research ethics committees, and identifies issues that committees must consider when deciding whether to grant approval. That includes how researchers propose to recruit research participants.

Researchers often struggle to recruit sufficient participants to their research. Participants must agree to participate voluntarily, without coercion. For some research, recruitment may be particularly challenging. The requirements imposed on participants may be excessively onerous, inconvenient or just distasteful.

Why is DHS accessing this data?

Some people in the community are especially vulnerable to breaches of confidentiality and privacy due to social stigma. This might include people with a mental illness, sexually transmitted disease, criminal conviction or parenting order. Yet DHS may hold or access data on these vulnerable groups.

Datasets such as those overseen by DHS provide researchers with a goldmine of potential participants who can be approached more directly. In this case, they were approached by DHS itself on behalf of researchers. This decision to contact patients on behalf of the researchers is ethically and legally questionable.

Read more: A new model for research ethics reviews

While DHS does release statistical information from the various schemes it administers for research, DHS’s privacy policy states it will not release identifiable or identifying information for research unless the research has ethics committee approval, and the person consents. That restriction is fundamental to Australian privacy law and policy.

DHS hasn’t released identifiable patient data. Instead, it has used personal data collected through prescriptions to contact patients on behalf of a third party – in this case the researchers. Implicitly, its mail-out signals everyone on the list has a specific medical condition.

Problematically, DHS’s privacy policy does not indicate it will collect data for this purpose, or use collected data in this way.

It’s about respect, not convenience

Given the significance of privacy and the government’s supposed commitment to transparency, many questions remain unanswered:

Which committee granted ethics approval for the research? Did that committee have the necessary expertise in data access and privacy law to make that determination, as required under the national statement?

How did the researchers justify their choice of a recruitment strategy which necessarily compromises the reasonable expectations of patients about how, and for what purposes, their personal information will be used by DHS?

From shutterstock.com

Did DHS advise the relevant ethics committee that it was an agent for the researchers? How did DHS decide to use data in this way? Who made that determination? What process did they rely on to reach that decision? Are they accountable?

Who funded the mail-out? Did DHS fund the printing and distribution of the letters from its own budget? Did the researchers pay them to do so? What effect does any commercial relationship between the researchers and the department have on the independence of the research?

Can other researchers expect comparable support from DHS in future? If not, how will DHS decide between research it deems to be of merit, and research it deems to be unworthy of its assistance? And is that its role?

DHS shouldn’t just give out your data

If DHS continues acting for researchers in this way, Australians with data contained in DHS data holdings could be inundated with requests to participate in research, resulting in disengagement and research fatigue.

DHS’s reported response when questioned by journalists was that people could opt-out of further mail-outs by emailing the department. That shifts the burden of good data governance onto consumers, rather than beneficiaries of it, for the sake of bureaucratic convenience.

Read more: Why prosecutions for welfare fraud have declined in Australia

The fundamental issue here is one of trust, coercion and consent. People providing their personal information to the government, to access government services including prescribed medications, are doing so through necessity, not choice. Failure to provide the information results in denial of access to the service.

For DHS to use the information provided in a way that is outside both the reasonable expectation of those providing it, and its own privacy policy, is deeply disrespectful.