Biobank data incident caused by 'a few bad apples', boss says
Source: BBC Technology
Professor Sir Rory Collins told the BBC that, as Biobank’s boss and also a participant, he is angry and upset about the data breach.
Datasets containing de‑identified information about its volunteers, made available to researchers at three academic institutions, were found to have been posted for sale on Alibaba last week, the government said on Thursday. The listings were removed “swiftly” before any purchase took place, but the charity is now facing scrutiny over how the incident occurred.
Sir Rory said the organisation was “essentially putting science on hold” by temporarily suspending all access to its online research platform while additional controls are put in place “to prevent anything like this happening again”.
The Biobank is a collection of health data offered by UK volunteers that has helped improve detection and treatment of dementia, some cancers and Parkinson’s disease. Its online research platform allows scientists at approved academic institutions worldwide to access de‑identified medical information for their own research.
“In this case, a few bad apples have taken those data off the platform and they have listed the data for sale,” Sir Rory told BBC Radio 4’s Today programme.
“By working swiftly with the UK government and the Chinese government, and we’re really grateful for their help, we have been able to get those listings removed before any data were sold.”
Identification concerns
Technology minister Ian Murray told MPs in the House of Commons that the data involved did not include participants’ names, addresses, contact details or telephone numbers. However, it could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples.
Biobank has collected intimate details—including whole‑body scans, DNA sequences and medical records—from hundreds of thousands of volunteers over more than two decades. Participants were aged 40 to 69 when they were recruited between 2006 and 2010.
When asked if Biobank participants could potentially be identified through sharing of its datasets, Sir Rory told Today it was “impossible” to entirely rule out that people could be identified by using de‑identified data together with other information, but there was no evidence that this had occurred.
The organisation referred itself to the UK’s data watchdog, the Information Commissioner’s Office (ICO). An ICO spokesperson said it had been informed of the incident and was making enquiries.
“People’s medical data is highly sensitive information; not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law,” the ICO said.
Jon Baines, senior data protection specialist at Mishcon de Reya, said the regulator would likely seek to confirm that volunteer information was truly de‑identified and therefore does not constitute personal data under UK law.
Meanwhile, Biobank announced a “comprehensive and forensic board‑led investigation of this incident”. Sir Rory acknowledged “we can always do more” to prevent potential misuse, but said the organisation must balance making data available for scientific discovery with protecting it.
“UK Biobank has allowed discoveries to be made that otherwise would never have emerged about how to prevent and treat diseases like dementia,” he told Today.
“The balance then is how do you put in place safeguards to allow that to go on, while doing it in a secure way.”