Biobank’s assurances get broken yet again

Biobank’s Chief Executive told their participants in a personally signed note that UK Biobank “will conduct a comprehensive and forensic Board-led investigation of this incident”. This report is that Review, and it is neither comprehensive nor forensic. Lord Vallance told the House of Lords that “importantly, this needs a complete and robust response”. What follows shows why the report is none of those things.

The Biobank breaches, and the response to them, matter because of the plans for the Single Patient Record – and the recent precedent of breaking the promise that “pandemic only” data was for pandemic-only uses, which means the data can now be reused however Biobank and other “Approved Research Studies” choose.

What the Biobank Direction started will continue for the euphemistically named “unconsented cohorts” – i.e. uses of data of patients who have not explicitly volunteered for research – that remain under discussion. What counts as an “unconsented cohort” expands considerably when Biobank’s cultural architects argue that non-communicable chronic illnesses are “global pandemics” warranting a pandemic-style response for ‘people who breathe’ or ‘people with hearts’.

Is this superficial report what we should expect from NHS data abuses in the future? 

The Review’s Terms of Reference excluded 500+ incidents of personal data loss

If you were to read the UK Biobank Board internal review of why their data service is currently closed, you’d have to read between the lines to find that their volunteers’ sensitive personal data had been posted to the internet 500+ times – and that much of it is still loose and uncontrolled. The reason you’d have to go elsewhere to find out the details is that the Terms of Reference of this Review specifically excluded other losses, and the “indirect” causes were read equally narrowly. It is unclear whether there will need to be another independent Review into the different Incidents involving confirmed losses of NHS personal data via UK Biobank.

The current internal Review – with Biobank’s in-house lawyer acting as Secretary (or chaperone?) – was into the actions of only three research teams in China, which became four as they found another one. It is unclear whether the Secretary to the Committee was paid by UK Biobank while writing the report into UK Biobank. (We presume he continued to draw his pay and pension, etc. – likely one of those earning over £0.2m).  

The Review may have excluded the 500+ data breaches that UK Biobank has separately admitted happened, but those breaches happened.

Numbers games

UK Biobank has around 7000 projects, which the Report (page 39) says were from “~1,500” institutions, adding “a number of institutions who have failed to confirm (~700) that they have deleted the data”. So about half of Biobank’s customers never confirm deletion – and on average an institution had around five official projects, and who knows how many unofficial ones. 

More damningly, when UKB said their data was only available via their online service, UKB granted “~200” institutional exceptions – plus however many downloaded the data anyway, which UKB facilitated. The report is silent on which institutions those were, what data they got, and whether that was compliant with the agreement they made with the NHS.

The Report was also published without the analysis of how many users had used the download function, and for what data. One presumes that the supposed download fee of “£1.5m” is as flimsy and fictional as other UK Biobank leadership pretences. 

Word games

The Report goes out of its way to emphasise that the data was on a website of Alibaba group, not Alibaba itself; it is unclear why.

The exact terms of UK Biobank’s agreement with the NHS are not public, strangely, but it is unclear how this audit can be compatible with what Biobank told AGD / predecessors and the Audit process. Or rather, it is clearly incompatible – but without enough information in the public domain to know how, which shows this process is incomplete.

Biobank continues to play word games and deceive their cohort, their oversight committee, and themselves. Reading page 45, the Five Safes are described as “Safe outputs: all researchers’ publications are reviewed” or “Safe settings: data were provided under an MTA with strict requirements for data security” – which are not the definitions that the report itself links to. (The official definitions are “Safe outputs: screened and approved outputs that are non-disclosive” and “Safe settings: a SecureLab environment prevents unauthorised use”.)

DHSC insists this event is Being Taken Very Seriously. We await evidence of that. One could compare this document with the 2014 Partridge Review, where concerns and risks were taken seriously, and meaningful changes to the use of NHS patients’ data resulted. The differences in the coverage of the two reports are stark. Which is the model that patients should expect from future uses of data as the Single Patient Record and Health Data Research Service are given ever more patient data?

It’s all personal data

We welcome the implicit admission that Biobank has lost the personal data of participants, even if the legally defined term “personal data” never appears once in the report, due to skilful legal drafting by the Secretary to the Committee, who was graciously loaned from his usual role as “General Counsel and Secretary” to UK Biobank.

UK Biobank declares (page 14) that the ICO has opened a criminal investigation into the data breaches “noting this is not an investigation into UK Biobank”. The entire paragraph is a declaration, the accuracy of which the ICO seems curiously reluctant to confirm. The offences in that Section of the DPA are only applicable to personal data, so if Biobank knew it wasn’t personal data, then the conversation would be very, very short. Yet “UK Biobank’s external counsel is supporting their enquiry.”

UK Biobank and NHS England argue that the data for which they are responsible is only personal data after they’ve lost it. Biobank may claim “consent” covers this risk, but NHS England has no such excuse – especially for people who opted out of taking that risk. But NHS England chose to expose them to it anyway.

Incidents Biobank drew attention to were excluded too 

In the House of Commons announcement, the Minister explicitly cited Yale University as having broken the rules. Biobank’s CEO named them to the BBC as an example of the steps Biobank were taking against abuses of data, using Yale to argue that this wasn’t just a China incident. That was a deliberate choice. Yet the Review is so constrained that it does not look at Yale at all.

“A comprehensive and forensic Board-led investigation of this incident” this report is not.

UK Biobank’s culture is to grab whichever line is most convenient at the time, and Biobank’s executive leadership presumably hoped that no-one they care about would notice. Prior to publication, they appear to have been right.

Seven executive interviews, one day, no other staff

The Review “interviewed the Executive Team ([7 names]) and two participants over the course of the day on Wednesday 6 May.” Nine interviews in one day, with no input from anyone else, is not a “comprehensive and forensic” anything.

Clearly the Review agreed with the executive leadership that zero members of UK Biobank staff could possibly know anything of relevance to the investigation. Or did the leadership know that staff had told leadership of the risks Biobank were running with participant data?

Biobank leadership didn’t want to know. This is a common phenomenon that Prospect Magazine strikingly illustrated as “the baboon paradox” – which similarly afflicts HDRUK in medConfidential’s assessment.

The shared culture of HDRUK and UK Biobank is that the pronouncements of the leader at the top must not be questioned. This Review accepted that unquestioningly. 

For those staff, both inside Biobank and beyond, who continue to recognise the damage that Biobank leadership is doing to trust and confidence in uses of NHS and research data, we’re sure that the various journalists who’ve written stories about Biobank would be interested in writing more. You’re also always welcome to reach out to medConfidential.

Biobank has chosen a path which will keep them closed into 2027, when they know their data has leaked uncontrolled onto the Internet and friendly institutions have a local use exception. Biobank leadership has chosen terrible incentives for their researchers. Between them, the NHSE and GeL data environments can accommodate Biobank data and users rapidly – but Biobank leadership have put their own pride before the work of researchers and before their promises to participants.

Will there be meaningful consequences for playing fast and loose with participant data and promises? 

medConfidential exists to check that patients’ data is used how patients expect, and that what patients are told is true: Consensual, safe, transparent.

Those who have chosen to participate in UK Biobank – or Our Future Health, or other current and future studies – are made promises, and those promises should be kept.

Consequences should be proportionate – serious consequences are not always necessary for one small accident in a trustworthy system, but imposing no consequences for many misrepresentations is a deliberate choice by funders and data providers, especially when those misrepresentations are made to participants and to both Houses of Parliament. They were.

All patients of the NHS were made promises about the “pandemic only” GP data, and Biobank lobbied for the former Secretary of State to tear up those promises to help Biobank. He clearly trusted what Biobank said – a trust in Biobank which has been shown to be misplaced. 

This Review did not do what Biobank told their participants it would do, and Biobank has broken their agreements with data suppliers. It is up to UKRI (MRC) and Wellcome whether there will be any consequences for such deceptions, or whether cheating both participants and data suppliers is entirely acceptable to them. Do the ends justify the means for UKRI? 

Speaking in the Lords, Lord Vallance said “we welcome the in-depth board-level review being undertaken, which needs to be comprehensive and cover technical, cultural and process issues.” Lord Vallance was right, and we have no doubt he meant what he said in giving Biobank the benefit of the doubt, but UK Biobank’s current leadership decided not to deliver it. New leadership will have to.

Does the ennobled Chair of the Biobank Board think it was right to fail to do what Lord Vallance told the House would be done? Does he believe Lord Vallance should issue a correction that Biobank refuse to do for themselves?

Most of the Board and all of the current leadership should tender their resignations to the participants to allow fresh leadership to clean up the mess. Despite passing the Oxford mandatory retirement age, it is quite clear that Rory doesn’t want to retire until he’s got the GP data by any means, so if he doesn’t want to do the decent thing for the first time in several different years-long fiascos – i.e. resign for repeatedly failing his participants – he should be fired.

UK Biobank is just one of the UKRI cohort studies, and some degree of public trust in all of those studies is now riding on what Biobank does. The shared culture of UK Biobank and HDRUK has consequences; not just for their projects, but also for the projects following their lead.

(This is a topic we’ll pick up in our reply on the Science Media Centre letters which will appear here “soon”.)
