UK Biobank Data

Lincoln Jopp Excerpts
Thursday 23rd April 2026

Commons Chamber
Lincoln Jopp (Spelthorne) (Con)

I thank the Minister for his statement and for prior sight of it. This is indeed a serious breach. In another life, I was the chief operating officer of a tech company and we, too, had data breaches. We found that the best way to deal with them was to have developed a culture of openness and honesty in the organisation, not to flap or panic, to plug the leak and to limit the damage. Ideally that is all rehearsed, because it is too late to learn to swim when the ship starts sinking.

A couple of things in the Minister’s statement require clarification. The statement says what the data does not include, with the implication being that the participants could not be individually identified. What was in the data? Could it be used to identify participants, even if only mosaically?

The statement says that the research institutions identified as the source of the leak have had their access blocked. I am left thinking: is that it? Were those institutions Chinese? What sanctions are available either to the UK Biobank or to the Government on those institutions? Is their blocking permanent or temporary? How has UK Biobank reassured itself and its participants that no further copies of the data exist? What is the possibility or likelihood that the full dataset is now in the hands of the Chinese state?

I hope that the Minister will forgive me for not being an instant expert on UK Biobank. Can he tell me whether any research institutions that have access to UK Biobank data are based in Russia, Iran or North Korea? What is the Government’s risk assessment?

When I served on the Cyber Security and Resilience (Network and Information Systems) Bill Committee, I distinctly remember the Government whipping their Back Benchers to vote down a Conservative amendment to oblige the Secretary of State to maintain a register of hostile actors posing a threat to the cyber-security of critical UK industries and sectors, including health. Will the Minister commit to reviewing that in the light of this serious data breach?

This is a grave incident. UK Biobank is an amazing project with thousands of trusting volunteers. I hope that the Government will send in the relevant agencies to help UK Biobank to secure its systems for the future, including vetting the research institutions that it trusts.

Ian Murray

I thank the shadow Minister for the way in which he has approached this matter—indeed, with his expertise as a former COO of a tech company. Let me answer his questions directly.

As we understand it—this is from UK Biobank, which is not a Government organisation, but an independent charity—UK Biobank cannot be entirely sure about the data that was included, because it was taken down from the Alibaba websites. However, we do know that there is no personal data in it, in terms of identifiers. I can give an indication of some of the characteristics that are potentially in UK Biobank datasets, which include gender; age; month and year of birth; assessment centre data; attendance date; socioeconomic status; lifestyle habits; measures from biological samples such as haematology and biochemistry—this is the kind of stuff that has been detected—online questionnaires data; sleep; diet; work environment; mental health, and health outcomes data.

The shadow Minister asked whether there are identifiers for individuals. There are not, but it would be wrong for me to give 100% assurance—and UK Biobank cannot do so—that someone could not be identified from the data. However, it would have to be used in a very advanced way in order to do that.

The hon. Gentleman asked about the three institutions. They have been immediately banned from the platform, and that will be permanent. The Biobank only works with accredited organisations, institutions and individual academic researchers, and the accreditation system is there to make sure that those using it are doing so for valid purposes. It has been running since 2012 and has been used for hundreds of thousands of different analyses. It works incredibly well and will continue to do so.

Let me explain how the system works and where the problem has arisen. In 2024, the system was changed from Biobank issuing datasets to accredited organisations and academic researchers to having all the information on the Biobank platform. When people access the data, they do their analysis and then download it. The system also allows people—although, contractually, accredited organisations are not supposed to do this—to download datasets. We understand from Biobank that what has probably happened is that the three institutions have downloaded the datasets themselves. As yet, we are unclear as to how those datasets ended up on the website, but UK Biobank, along with institutions and organisations attached to the Government, is working through that at the moment.

The hon. Gentleman asked for reassurance that Russia, Iran and North Korea are not accredited, and I understand from UK Biobank that they are not. He also mentioned hostile actors. UK Biobank is very strict about who has access, because there is an accreditation process. Secondly, although the three institutions are Chinese in this particular instance, the Chinese Government and Alibaba have been very proactive in helping us, through the British embassy in Beijing, to take down and whack-a-mole anything else that comes up, and they are currently going through that process. Yale University had its accreditation suspended for a breach of data, so this is not a country-specific issue. It just so happens that, in this particular case, the three institutions were Chinese. I think that answers the shadow Minister’s questions.