We made an important commitment to our participants when they joined the study. We promised to protect their confidentiality while making their data available for ground-breaking health research for the benefit of current and future generations.
We uphold this commitment by implementing robust data security measures, safeguarding the identity of our participants and employing fair and proportionate data access control.
Data security
Security measures we take
Our people, policies and technology adhere to the highest industry standards for data security. We comply with the international standard for information security (ISO/IEC 27001).
We have robust firewalls and continually monitor new cyber threats and trends. Independent security consultants carry out regular testing of our systems. This means we are resilient to cyber-attacks and prepared for any new threats.
Our expectation of researchers
We share UK Biobank data only with approved researchers from academic, charity, government and commercial organisations across the world for health-related research that is in the public interest.
We have a secure, cloud-based analysis platform for data access and analysis, called the UK Biobank Research Analysis Platform (UKB-RAP). Researchers access and analyse data on this platform, except for in limited circumstances. The UKB-RAP enhances security by giving us control over our data as well as increasing accessibility to the data for approved researchers.
Monitoring
We monitor the internet, as well as the dark web (a hidden part of the internet that can only be accessed through specialised browsers), to check how our data is being used.
If there was evidence that a researcher had misused our data, we would investigate the issue, and we hold the right to revoke their access to our data and take legal action if appropriate.
Protecting participant confidentiality
Information that identifies participants – for example, their name, address and NHS number – is never shared with researchers.
Researchers enter into a legal agreement when they are approved to use UK Biobank data that prohibits them from trying to identify participants using the data they obtain from UK Biobank.
Information that identifies participants can only be accessed by a small number of the UK Biobank team on a need-to-know basis. These individuals are subject to strict confidentiality provisions and are required to undertake regular data security training.
We monitor other ways participants could be identified from the data and take steps to prevent this. For example, MRI images are ‘de-faced’ to avoid participants being recognised, and we only release full postcodes in limited circumstances (when other data is removed).
However, participants should be aware that we cannot always protect their confidentiality completely. If a participant puts information that reveals something about their health and identity, such as genealogy data, on a public website, this could make it possible for their identity to be discovered by cross-referencing UK Biobank research data.
Read our full de-identification protocol.
Complying with the law
We comply with UK data protection law (UK GDPR and the Data Protection Act 2018) in our handling of participants’ data.
Our Data Protection Officer can be contacted at:
The Data Protection Officer
[email protected]
UK Biobank
Units 1-2 Spectrum Way
Adswood
Stockport
SK3 0SA