Basis of your participation - Privacy Notice for UK Biobank Participants
Thank you for participating in UK Biobank, your contribution in both data and time is enabling global researchers to investigate the causes and treatment of a wide range of life-altering diseases.
The purpose of this Privacy Notice is to explain to you, our participants, how we, UK Biobank Limited ("UK Biobank") collect share and use the personal information about you which forms the UK Biobank resource. We are required to provide the information set out below in accordance with the UK GDPR.
This Privacy Notice is distinct from the notice which appears on the main UK Biobank website (available by clicking here) which covers any personal information provided to us outside of that which forms the UK Biobank resource. This includes when you visit our website www.ukbiobank.ac.uk (the “website”) regardless of where you visit it from; sign up to attend one of our events; provide us with feedback, either through the website or at an event; provide us with a testimonial; interact with us, or we interact with you, via a social media platform, telephone or in person; or if you are a researcher and make an application to access the UK Biobank resource or access the UK Biobank Access Management System ("AMS").
This Privacy Notice is updated from time to time to reflect changes in law, regulation and practice. This particular update has been done because of the adoption by HM Government of the GDPR into domestic law and to take into account the implications of the UK leaving the EU. The domestic law is set out in both the UK GDPR and the UK Data Protection Act 2018 ("DPA"). *
Fundamentally, we should like to assure you that we will only process, store and use your data in a manner that is consistent with the basis on which you joined UK Biobank (as described in the information materials and consent form). In particular, your information will continue to be made available only to bona fide researchers undertaking health research that is in the public good.
As you may recall, the format and content of this Privacy Notice is similar to the one we sent to you in 2018. As such, this Privacy Notice sets out the types of data we have collected from you and how and by whom that data is used. It also sets out the lawful basis on which we process your data, your rights as a data subject and your rights to withdraw from UK Biobank.
We would also emphasise that wherever possible your data is de-identified such that direct and indirect identifies are removed. We only use, and only permit third parties to use, identifiable data where necessary: for example when we contact you with a participant newsletter.
The types of data UK Biobank processes
What personal information does UK Biobank collect?
UK Biobank collects personal information about you from four sources (1) directly from you, (2) via the Participant Resource Centre, (3) through linkage to your health records, and (4) through data generation. These are explained in more detail below:
Data collected directly from you
When you were recruited to join UK Biobank you will have visited a UK Biobank baseline assessment centre and provided a wide variety of data about yourself - this will have included measures such as your weight, height and blood pressure and biological samples such as blood and urine.
You will also have been asked to complete a detailed questionnaire which asked for information about a wide variety of topics such as where you were born, your early life and education, the employment you had undertaken, your marital status, how many children you have had and history relating to past illness and diseases.
For more details about the initial data collection please see: Baseline Assessment
Following the original recruitment UK Biobank has continued to collect more data directly from you on a periodic basis, such as:
- data collected through the imaging project where participants attend a clinic and undergo a number of scans (brain, heart and abdomen, carotid artery and bones);
- data collected through participants wearing both cardiac monitors to measure heart rhythm and accelerometers to measure movement;
- data collected through participants completing online questionnaires;
- data collected through the involvement of participants in particular studies: such as the coronavirus serology study and the coronavirus self-test antibody study.
For more details about the ongoing data collection please see: About our data
Data collected by the Participant Resource Centre
The Participant Resource Centre (“PRC”), which is based at Cardiff University, is UK Biobank’s primary contact point for our participants. The PRC acts as a call centre: handling inbound and outbound phone calls and participant email queries about UK Biobank. It deals with queries from participants about participation in new UK Biobank studies (such as the imaging assessment visit and the COVID related studies).
Data collected from linked healthcare data providers
UK Biobank is a prospective resource and links to your primary and secondary healthcare records. This linkage of health-record data enables UK Biobank to meet the objective for which it was established, namely to study (a wide number of different) disease and the causes of such disease. This would not be possible without the health linkage records.
With the data and samples that you provide us we are able to generate further data to enhance our database, particularly from undertaking assays of the samples. This includes, by way of example, biomarkers - which include common biomarkers, such as cholesterol, infectious disease markers, proteomic and metabolomic markers - and genetic data (ranging from genotype to exome sequence to whole genome sequence). All assay work is conducted in a manner whereby the participant remains de-identified.
Further, all our approved researchers are also obliged to return the results which underpin their research at the end of their research project. In turn these results are made available for other researchers to access.
Who does UK Biobank share my data with?
Access to your data is strictly limited to:
- the PRC (as set out above) who we have appointed as a data processor in order to act as the primary contact point for our participants;
- the Clinical Trials Service Unit ("CTSU") - part of Nuffield Department of Population Health ("NDPH") at the University of Oxford, who we have appointed as a data processor in order to store the UK Biobank resource data;
- our third party services providers and partners who provide data processing services to us, or who otherwise process information for purposes that are described in this Privacy Notice; and
- Approved researchers whose research project has been approved under our Access Procedures, which means that the researcher has to be a bona fide researcher and has to undertake health research that is in the public good. If you would like more information about the approved research projects which have access to UK Biobank data, please click the link below.
UK Biobank’s lawful basis for processing your data
A legal requirement of the UK GDPR is that we tell you about the legal basis on which UK Biobank will process your personal data.
As UK Biobank is a research project, consent was sought from all participants for their participation in UK Biobank. Through the information materials and consent form UK Biobank set out to explain the basis of such participation and a summary of the scope to which participant data would be used by UK Biobank and the research community.
Although you needed to provide your “consent” in order to participate in the UK Biobank research project, and UK Biobank would not act in a way which was in any manner inconsistent with that consent, “consent” for data protection purposes is a distinct concept.
One of the – perhaps unintended – consequences of the GDPR was that using “consent” for GDPR purposes has become less appropriate for medical research resources and UK Biobank uses “legitimate interests” as the primary lawful basis on which to process your personal data under the UK GDPR as follows:
- basic data (such as your name and address) is processed for UK Biobank's legitimate interests to improve health care (as detailed below);
- processing of health data (such as health records) is processed by UK Biobank for necessary reasons of public interest in the area of public health and for scientific research purposes.
Legitimate interests are defined in the UK GDPR as “processing which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
UK Biobank is the “data controller” and in the UK GDPR (as there was in the GDPR), there is a 3-step test to demonstrate “legitimate interests”. This is set out as a series of questions and answers:
Legitimate interest purpose test: what are UK Biobank’s legitimate interests?
- What is UK Biobank trying to achieve? Our objective is to set up and manage a major international research resource for health-related research that is in the public interest.
- Who benefits from UK Biobank’s processing? Patients and the wider public benefit from the advances made in the prevention, diagnosis and treatment of disease.
- How significant/important are these benefits? UK Biobank is now one of the largest and most used health research resources in the world.
Legitimate interest necessity test: is the processing necessary for the legitimate interests?
- Is processing personal data a reasonable way to achieve the objective? Without the personal data provided voluntarily by you and the other participants, UK Biobank would not exist.
- Is there another less obtrusive way to meet our purposes? Your data are stored in a way that makes it is extremely difficult even for UK Biobank to re-identify you. Only a very few individuals within UK Biobank are allowed to do so (and they are strictly monitored) in order that further information about you can be added. Data provided to researchers have personal identifiers removed so that an individual participant cannot be identified. Taking part in UK Biobank should not have any adverse effect on you.
Legitimate interest balancing test: UK Biobank has to weigh up the participant’s interests.
- Would participants expect UK Biobank to use their data this way? Yes; this is what we set out in the information materials provided to participants and in the study consent form each of them signed.
- How likely would a participant be to object? In our view, this is unlikely. Participants are free to withdraw from UK Biobank at any time for no reason.
As mentioned above, each person who joined UK Biobank provided their explicit consent to take part in the UK Biobank project. To re-iterate UK Biobank’s approach on consent, which is that notwithstanding UK Biobank’s reliance (for data protection purposes) on legitimate interests and for reasons of public interest as its lawful basis for processing your data, UK Biobank acts at all times in full accordance and compliance with this consent: for example it does not affect the ability of a participant to withdraw from UK Biobank for any reason at any time.
Your Data Protection Rights
Pursuant to the GDPR individuals have a number of rights:
Rights of access, correction, restriction and to object: UK Biobank participants have limited rights in this regard. This is for the following reasons. Firstly, all participants joined UK Biobank on the explicit understanding (as described in the information leaflet and consent form) that there would be no feedback of any information that was discovered about them from using their data. The reason for taking this “no feedback” approach was that it was considered likely that providing feedback would prevent or impair the research purposes of UK Biobank. Secondly, as set out above, UK Biobank processes personal data for the purpose of enabling scientific (health) related research that is in the public good. In accordance with schedule 2, Part 6, para 27 of the Data Protection Act 2018 this means that UK Biobank is exempt from certain provisions of the UK GDPR, including the requirement to respond to data subject access requests ("DSARs"), require corrections, restrictions or facilitate objections. This was explained to participants when they joined UK Biobank and re-iterated in the above mentioned 2018 GDPR note.
Rights to be forgotten, erasure and withdrawal: these rights are covered by your ability to withdraw from UK Biobank at any time for any reason (although we should add that we very much hope that you choose not to exercise that right so that your data can continue to be used to help researchers study the causes, prevention and treatment of many different diseases).
Opt-out of communications: you have the right to opt-out of communication materials that are dispatched on a periodic basis. This right can be exercised, at any time, by clicking on the “unsubscribe” or “opt-out” link in the e-mails we send you, or contacting the PRC on 0800 0276 276, or by email email@example.com.
Update your contact details: UK Biobank participants can update their contact details at any time through the main participant portal here.
Participants have the right to contact, at any time, the UK’s data protection authority – the Information Commissioner's Office ("ICO") - if they have any concerns about UK Biobank’s use of personal data and/or UK Biobank’s approach to data protection and the UK GDPR.
The National Data Opt Out
The national data opt out programme became live on 25th May 2018. This enables any individual in the UK to notify the NHS that they only want their personal data to be used for their own health care purposes. However, if any UK Biobank participant elects to use the opt-out this will not exclude them from UK Biobank. In order to withdraw from UK Biobank, any participant has to withdraw by notifying UK Biobank in the normal way.
Protecting your data
UK Biobank and its appointed data processors store your data securely and to the highest industry and professional standards. It undertakes regular testing of its IT systems to ensure that they are robust. UK Biobank also commissions external experts to test the security of its systems.
Before UK Biobank provides data to researchers, we first remove all the personal identifiers so that individual participants cannot easily be identified. In addition, your data are only provided to researchers on the execution of a legal agreement prohibiting the researcher from trying to identify a participant.
Only a limited number of people working for UK Biobank or its appointed processors have access to participants’ data with the personal identifiers (which is necessary in order to allow us to interact with you and add more information about each participant as it becomes available). These individuals are subject to strict confidentiality provisions and are required to undertake regular data security training.
Retention of data
UK Biobank will store participants’ data for as long as it has a legitimate interest in doing so. The UK Biobank project is a long-term study and participants’ data will be kept for the duration of the project. However, should a participant wish to leave UK Biobank they can do so at any time (please see below).
International Data Transfers
UK Biobank's main computer storage and that of its main processor, the Clinical Trials Service Unit ("CTSU") at the University of Oxford and the PRC, are located in the UK.
Approved researchers and UK Biobank's other third party service providers operate around the world. This means that your data may be processed in these countries. Nevertheless, we take the appropriate safeguards to ensure that your personal information will remain protected in accordance with this Privacy Notice. Such safeguards include mechanisms approved by the UK GDPR such as Standard Contractual Clauses and data transfers to countries covered by an “adequacy decision”.
Data Protection Officer
We have a Data Protection Officer ("DPO") who can be contacted with any questions or concerns relating to UK Biobank’s approach to data protection and the UK GDPR. Please write to the DPO using firstname.lastname@example.org or via post: The Data Protection Officer, UK Biobank, Units 1-2 Spectrum Way, Adswood, Stockport, SK3 0SA.
Withdrawal from UK Biobank
You are free to withdraw at any time from the study without giving us a reason. You are welcome to discuss concerns with us at any time, and the various options you have for withdrawal.
Participants can withdraw at one of three levels:
No further contact
This means that UK Biobank would no longer contact the participant directly but would have permission to retain and use information and samples provided previously and to obtain and use further information from health records. This level of withdrawal leaves the resource intact and will allow researchers to study disease with the goal of improving the health of future generations. If you wish ‘No further contact’, please speak to the UK Biobank Participant Resource Centre on 0800 0 276 276 (freephone number) since there are a number of options available (for instance, you could request that UK Biobank does not contact you to ask for further help, but that you still receive the annual newsletter).
No further access
This means that UK Biobank would no longer contact the participant or obtain further information from health records in the future, but still has permission to use the information and samples provided previously. You need to contact UK Biobank by phoning the Participant Resource Centre on 0800 0276 276, email us at email@example.com, or you can send us a letter at the address on this page to request a Withdrawal Form.
No further use
In addition to no longer contacting the participant or obtaining further information, any information and samples collected previously would no longer be available to researchers. UK Biobank would destroy samples (although it may not be possible to trace all distributed sample remnants) and would only hold information for archival audit purposes. Such a withdrawal would prevent information about the participant from contributing to further research, but it would not be possible to remove data from research that had already taken place. You need to contact UK Biobank by phoning the Participant Resource Centre on 0800 0276 276, email us at firstname.lastname@example.org, or you can send us a letter at the address on this page to request a Withdrawal Form.
UK Biobank contact details
If you want to contact UK Biobank you can do so as follows:
The UK Biobank free phone Participant Resource Centre is open on 0800 0 276 276 Monday – Friday 9am – 5pm. Calls from mobile phones or from overseas may be charged.
You can write to UK Biobank at:
1-2 Spectrum Way
You can also contact the UK Biobank DPO at any time using the contact details set out in the DPO box above.
* The GDPR is the European Union’s General Data Protection Regulation (EU) 2016/679, which applies directly across the countries of the European Union. Notwithstanding that the UK has left the EU, the UK has effectively adopted the provisions of the GDPR in their entirety (the UK GDPR). The GDPR came into effect on 25 May 2018 and we wrote to you at that time to explain how the introduction of the GDPR did not result in any material change to your underlying relationship with UK Biobank (here). Notwithstanding that the UK has now left the EU, this situation remains as before, namely that this underlying relationship is fundamentally unchanged, however, there certain aspects of the UK GDPR that we would like to draw to your attention in this updated notice.