The latest (March 2026) Biobank mess (and consequences for everyone else)

Even before these new revelations, UK Biobank had a very long list of unanswered questions (that PDF was published earlier this week and now needs extending). At the same time, Mr Streeting has decided to give Biobank data from GP records that was collected under a promise it would be used only for the pandemic.

What did the Minister know when he signed the Biobank direction? What did those who publicly supported the Direction know? Did Biobank tell them everything?

Why this matters even if you’re not in Biobank:

The Biobank direction means the “pandemic only” dataset can now be reused however Mr Mandelson’s political protégé decides – GPs have been given no choice because NHS England already has the data and uses it however they are told. This action already destroys trust for the next pandemic, and undermines promises being constructed for Mr Streeting’s Single Patient Record plans where he’ll make political promises around becoming data controller for your medical notes. Apparently this is the acceptable approach and standards for where your data will go in the National Data Library.

Biobank data is still published on the internet 

The Guardian has reported that the NHS hospital data of UK Biobank participants was repeatedly published by Biobank users, and some of it is still publicly available months after Biobank was first told that Biobank patient level data was published online. This notification was before the Direction was signed, which will allow “pandemic only” GP data to flow to Biobank to be used like the rest of the Biobank data.

The statement on the Biobank website completely omits that this happened and that this remains the case.

Biobank admit they don’t know who their users are

Biobank have sent many legal notices to have material taken down from the internet.

UK Biobank admits that, in every case where they send a legal notice, that is because Biobank’s attempts to identify and contact the researcher have failed. Either Biobank don’t know who the researcher is, or the researcher doesn’t care enough to reply to the Biobank email. 

It is clear that Biobank does not know who their active researchers are, because if Biobank did know who the users were, Biobank would not have to resort to takedown requests for accounts they cannot identify.

In any event, Biobank gave them (or someone) access to that data in the first place – the application form is short and woefully insufficient, but it does have a space for an email address. These are emails from Biobank that researchers ignore, alongside ignoring the Biobank rules that Biobank say protect the NHS data they share.

Since Biobank resorted to these legal means, did Biobank notify NHS England they were doing this over NHS sourced data? 

That’s before we consider approved data use in Chinese undergraduate teaching – the lecturer is granted access, but the students get it too and Biobank has no way to know who they are.

Biobank blame their victims for Biobank’s failings

UK Biobank simply claims that no Biobank member has been harmed, and if they have, then it’s their own fault.

If you’re in Biobank, and if anyone knows anything about your medical history, they can potentially read it all. Apparently the bland text on page 23 of this newsletter was Biobank telling you about the risks you had chosen to take, and that Biobank would allow researchers to take.

Given the nature of researcher conduct, it is not possible to guarantee that there are no further examples.

NHS England did a “consent audit” of Biobank, which Biobank says they passed. Is this victim blaming what NHS England’s audit found and approved? 

To quote Biobank’s newsletter “In everything we do, we ask, what would participants expect from us?” so are the Biobank statements what one would reasonably expect?

Biobank’s [ public statements ] are incompatible with their [ redacted ] 

[redacted until Biobank fix it or decide they’re willing to take that particular risk with their cohort]

The Guardian work shows how easily NHS patient data is re-identifiable

The Guardian’s efforts confirm that if you know one health event for a person, you can read off all the others through the linking pseudonym, the EID that Biobank’s response argues is so immaterial that it can be published repeatedly on the internet without consequence. 
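A release-side check of this risk, as an added example that is not Biobank's or the Guardian's code: over constructed rows, it reports for each pseudonym the smallest number of people sharing any one of its events (k) and how many further records hang off that pseudonym when k is 1. The column layout, pseudonyms and diagnosis codes are assumptions invented for the illustration.

```python
from collections import defaultdict

# Constructed sample rows: (pseudonym, admission month, diagnosis code).
# Pseudonyms and events are invented for illustration only.
EPISODES = [
    ("P001", "2015-03", "I21"),
    ("P001", "2017-11", "F32"),
    ("P001", "2019-06", "K35"),
    ("P002", "2015-03", "J18"),
    ("P002", "2018-02", "S72"),
    ("P003", "2015-03", "J18"),
    ("P003", "2016-09", "O80"),
    ("P004", "2015-03", "J18"),
]

def disclosure_risk(episodes):
    """For each pseudonym, report the smallest k (number of pseudonyms sharing
    one of its events) and how many further records that event links to."""
    holders = defaultdict(set)    # event -> pseudonyms that have that event
    records = defaultdict(list)   # pseudonym -> all of its events
    for pid, month, code in episodes:
        holders[(month, code)].add(pid)
        records[pid].append((month, code))
    report = {}
    for pid, events in records.items():
        k = min(len(holders[e]) for e in events)
        report[pid] = {
            "min_k": k,
            "singled_out": k == 1,
            # Records beyond the one known event, reachable via the pseudonym.
            "linked_records": len(events) - 1 if k == 1 else 0,
        }
    return report

def summary(episodes):
    """Share of pseudonyms that a single known event is enough to isolate."""
    report = disclosure_risk(episodes)
    exposed = sorted(p for p, r in report.items() if r["singled_out"])
    return {"pseudonyms": len(report), "singled_out": exposed,
            "share": len(exposed) / len(report)}

if __name__ == "__main__":
    for pid, row in sorted(disclosure_risk(EPISODES).items()):
        print(pid, row)
    print(summary(EPISODES))
```

A pseudonym with `min_k` of 1 has at least one event that nobody else in the release shares, so removing names does nothing for that person once the rows stay linked.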

The Biobank response also argues that if data they have lost control of leaks (as it has), and if anyone knows anything about your health and uses their lost data to find out more, then that’s your fault.

The Department of Health in England makes the same self-serving argument – they take risks with your data and will blame you when they go wrong. Everyone treated in an NHS hospital is in the hospital datasets that NHS England sells, usually without respecting the National Data Opt Out. 

UK Biobank’s sole remaining defence is that it’s difficult for someone you’ve never met and who knows nothing about you to reidentify you – which doesn’t address the fact that you have met many people who know something about you and your health and can now potentially read everything; or the Department of Health in England can stop making stupid mistakes.

None of this is new: the flaws and risks were discussed at length in Chapter 4 of the 2022 Goldacre Review.

For Biobank participants who now wish to withdraw

We have heard that participants have withdrawn from Biobank because of their failings over recent years. Biobank claims privately no one has told them they’ve withdrawn for this reason, but then, participants don’t have to give Biobank a reason for withdrawing.

If you’re in Biobank and wish to withdraw, they make you email them for the form. You are required to know your Participant ID, which Biobank probably told you 20 years ago, you can find on some communications from them, or simply download it from the internet with most of your hospital record if you know where to look…

You can withdraw from Biobank; you won’t be allowed to withdraw from the National Data Library.

Biobank’s reckless disregard for personal data has infected the “National Data Library”

The HDR/Sudlow Review argues that all public sector data should be linked (one topic in the ID cards consultation) and used like Biobank. At the Review launch, the former Chief Scientist of Biobank said Biobank has “one of the best systems” for data access, and Biobank data should be “used as widely as possible”, and has now been rewarded with a seat on the National Data Library advisory board.

Biobank’s actions exemplify Mr Mandelson culture being applied to NHS data (increasingly so via the Biobank direction), and it will cover everyone everywhere in the UK via the National Data Library.

Unless DSIT agrees that the UK Biobank approach to those in their dataset as covered above will be that of the National Data Library, DSIT should remove Prof Sudlow from the advisory board. Biobank’s public response is the responsibility of the current Biobank senior leadership (most of whom should also resign in disgrace, but won’t as they blame the victims rather than accepting responsibility for their decisions; and wisely no one appointed them to an NDL seat). Responsibility is known and admitted for how Biobank ended up in the mess they have put their cohort in, the only question is whether there will be any consequences for that.
