Since 2006, half a million people have donated their time, medical samples, and genetic information to UK Biobank, a health database. Their contributions have enabled scientific breakthroughs in areas such as dementia, obesity, and COVID-19.
But along with medical researchers, Biobank also made participants’ health information available to data analysts in the insurance sector, according to a recent Observer report.
Biobank maintains that no participant’s privacy or credit score was at risk. But did people expect their health information to be used in this way?
Biobank’s medical research database
UK Biobank operates both as a limited company and a charity, and describes itself as a “large-scale biomedical database and research resource.”
According to Biobank’s website, half a million people in the UK have contributed blood, urine, and saliva samples to the program, along with data from medical records, surveys, and wearable devices. Biobank also stores genetic information about each participant.
Biobank makes its database accessible to researchers for a fee of between £3,000 and £6,000.
Researchers have reportedly made significant medical breakthroughs using Biobank’s database. In early October, pharmaceutical researchers announced that they had created the world’s largest protein database using Biobank data, opening the door to new medications.
How Biobank allegedly gave insurance firms access to its database
On 12 November, the Observer published a report alleging that Biobank made its database available to insurance companies despite having allegedly stated that it would not do so.
Biobank’s research clients include several companies in the insurance industry, including:
- ReMark International: A consultancy that provides data analysis for insurance providers
- Lydia.ai: An insurtech firm that provides “health scores” to help insurers price their policies
- Club Vita: An analytics provider that provides data about morbidity outcomes for the insurance sector
The Observer alleges that Biobank stated ”repeatedly over four years” that it would not allow insurance companies access to its database.
Was Biobank’s data anonymous?
In its response to the Observer, Biobank calls the newspaper’s claims “highly misleading”. The company also appears to distance itself from earlier statements in which it described its data as “anonymous”.
“References in The Observer to earlier language on sharing ‘anonymized data’ are in a long-outdated document from 2003,” Biobank said. The company generally uses the term “de-identified data” to refer to the information it makes available to researchers.
The company’s De-identification Protocol describes the steps Biobank takes to remove identifiers from its dataset and ensure participants’ confidentiality, but notes that it cannot provide “a fail-safe guarantee of continuing anonymity.”
What Biobank told its participants
The Observer alleges that Biobank was misleading or insufficiently transparent about who would be given access to participants’ data.
Until February 2006, Biobank’s website allegedly stated that “insurance companies will not be allowed access to any individual results nor will they be allowed access to anonymised data”.
Biobank says that statement was based on an earlier policy, which changed before the formal recruitment of participants began in 2007.
The Observer also highlights a leaflet given to Biobank participants over a 17-year period, which advised that “commercial companies looking for new treatments” might be among those people given access to Biobank’s database.
However, the leaflet also states that “insurance companies and employers will not be given any individual’s information, samples or test results…”
Was Biobank sufficiently transparent?
Biobank says it did not intend to suggest that insurance companies would not have access to its database, only that it would not provide “identifiable information” to “anyone… including, specifically, not to insurance companies, employers, or the police.”
In mentioning insurance companies and employers specifically, Biobank might have been seeking to reassure patients that their credit score or employment status would not be affected by participating. The risk of individual identification appears to have been low.
There is no suggestion that any potentially misleading language was intentional. And even assuming that insurance companies coould access Biobank’s database on the same terms as medical researchers. the risk to any participant’s privacy or creditworthiness appears low.
Greater transparency about who could access participants’ data might have made it harder to recruit participants. But it also could have helped avoid a high-profile media investigation.