Participant data of the UK’s health data project, the Biobank, was advertised for sale by “several sellers” on ‘Alibaba’ e-commerce platforms in China, the Technology Minister has confirmed.
Making a statement to the House of Commons today (23 April), Ian Murray MP confirmed that 3 listings that appeared to sell UK Biobank participant data had been identified.
He said that at least one of the 3 datasets “appeared to contain data from all 500,000 UK Biobank volunteers”.
UK Biobank is a non-profit charity, bringing together data donated by its volunteer participants.
The data is shared with researchers globally to make scientific discoveries that improve patient health.
On Monday 20 April, the UK Biobank charity informed the government they had identified their data had been advertised for sale by several sellers on ‘Alibaba’ e-commerce platforms in China.
However, Biobank advised the Government that the data did not contain participants’ names, addresses, contact details, or telephone numbers.
The Technology Minister said: “The government has spoken to the vendor today and they do not believe that there were any purchases from the 3 listings before they were taken down.”
He added: “Once the government was made aware of the situation we took immediate action to protect participants’ data.
“Firstly, we worked with Biobank, the Chinese government and the vendor to ensure that those 3 listings that UK Biobank informed us included participant data had been removed.
“Secondly, we ensured that the Biobank charity revoked access to the research institutions identified as the source of the information.
“And thirdly, we have asked that the Biobank charity pause further access to its data until they have put in place a technical solution to prevent data from its current platform from being downloaded in this way again. I can confirm to the House that this pause is now in place.”
According to the Government, UK Biobank have referred themselves to the Information Commissioner’s Office.
The organisation referred itself to the UK's data watchdog, the Information Commissioner's Office (ICO). An ICO spokesperson said in a statement on Thursday it had been informed of the incident and was making enquiries. "People's medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law," they said.
Jon Baines, senior data protection specialist at law firm Mishcon de Reya, told the BBC that the regulator would likely be seeking to confirm volunteer information was truly de-identified and, as such, does not constitute personal data under UK law.
In a message to UK Biobank participants, Professor Sir Rory Collins, Chief Executive and Principal Investigator of UK Biobank said: “Last week, we found that de-identified participant data made available to researchers at three academic institutions were listed for sale on a consumer website in China, owned by Alibaba.
With support from both the UK and Chinese governments, Alibaba swiftly removed those listings before any sales were made. This is a clear breach of the contract signed by these academic institutions and they, along with the individuals involved, have had their access suspended.
“We have temporarily suspended all access to the UK Biobank research platform, while we put in place a strict limit on the size of files that can be taken off the platform. This measure will allow researchers to export the results of their research, while severely limiting their ability to take any de-identified participant data off the platform.
"In addition, all files exported from the research platform will be monitored daily for any suspicious behaviour. These security measures will further minimise the potential for misuse of UK Biobank data. In addition, we will conduct a comprehensive and forensic Board-led investigation of this incident.”
The Government announced it will soon be issuing new guidance on the control of data from research studies, and urged all businesses and charities to ensure their systems and data-sharing processes are as “secure as possible”.
The Department for Science, Innovation and Technology said: “We wrote out to businesses last week about the cyber security tools available to them, for free, from government and the steps they should take to maximise security. Ensuring the safe use of UK data is a priority for this government.”
