A large health research charity has referred itself to the Information Commissioner’s Office after its data was found advertised for sale on an e-commerce platform owned by Chinese giant Alibaba.
Last week, UK Biobank found that de-identified participant data downloaded by three Chinese academic institutions had been listed for sale on a consumer website in China.
The charity notified the UK government, which worked with the Chinese government and vendor to ensure that the listings were swiftly removed.
In an oral statement, minister of state Ian Murray said that while none of the datasets contained identifiable data, at least one had data from all 500,000 UK Biobank volunteers.
While no sales were made, UK Biobank said this was a clear breach of the contract signed by these institutions, which had, along with the individuals involved, had their access suspended.
The charity apologised to the participants, saying that it would conduct a comprehensive, forensic, board-led investigation of the incident.
UK Biobank was established in 2003 by Wellcome, the Medical Research Council, Department of Health and Social Care, Scottish government and Northwest Regional Development Agency.
Its data, donated by volunteer participants, is shared with accredited researchers globally to make scientific discoveries that improve patient health, including understanding covid-19 immunity.
‘We take the incident extremely seriously’
Murray told the House of Commons that once the government was made aware of the incident, it “took immediate action to protect participants’ data”.
He said the government asked UK Biobank to suspend downloads from its platform until the charity implements a new system to prevent data from being downloaded in this way again.
“I can confirm to the house that this pause is now in place. UK Biobank has also referred itself to the ICO,” he said.
“We’re still working with Biobank to ascertain from it the specific detail of what has happened.
“We’ve asked it to investigate how this data ended up for sale online as a priority, but I wanted to ensure that the house was aware of the incident and the action that the government are taking.”
He said this is “an unacceptable abuse of the UK Biobank charity’s data, and an abuse of the trust that participants rightly expect when sharing their data for research purposes”.
“The government take the incident extremely seriously, which is why we’ve acted rapidly to support the UK Biobank charity in its response and why I wanted to update the house at the earliest opportunity.”
He added that the government will soon issue new guidance on the control of data from research studies.
Additional security measures in place
In a statement, Rory Collins, chief executive and principal investigator of UK Biobank, told participants that their personal identifying information “is safe and secure”.
He said that in light of this incident, his charity is putting in place additional security measures to prevent this incident from happening again.
“We’ve temporarily suspended all access to the UK Biobank research platform, while we put in place a strict limit on the size of files that can be taken off the platform,” he said.
“This measure will allow researchers to export the results of their research, while severely limiting their ability to take any de-identified participant data off the platform.”
He said all files exported from the research platform will be monitored daily for any suspicious behaviour, and that UK Biobank will conduct a comprehensive, forensic, board-led investigation into the incident.
“We’re developing the world’s first automated checking system able to prevent de-identified participant data from being taken off the UK Biobank research platform, without preventing the important research that’s being done by thousands of scientists around the world.
“We intend to have this automated system in place around the end of this year.”
‘Another blow to public confidence’
Chi Onwurah, chair of the Science, Innovation and Technology Committee, said: “It’s deeply concerning to learn that the highly sensitive data held by the Biobank hasn’t been subject to proper controls.
“My committee has carried out extensive scrutiny of public sector information security and data hygiene, and in February Murray and government officials assured us that standards would improve, and public data would be better protected.”
She said the latest data breach shows “how little progress has been made”.
“It raises serious questions about whether lessons have been learned from repeated data breaches and leaks, and whether robust data management practices are being enforced at publicly funded bodies.
“Public trust in the handling of sensitive data is key to the government’s digital transformation ambitions. This is another blow to public confidence.”
