Last updated May 31, 2018
Information notice for UK Biobank participants: the General Data Protection Regulation (GDPR)
The purpose of this note is to draw your attention to certain parts of the GDPR about which we are required to tell you by the legislation. (Whenever we refer to the “old law” we mean the Data Protection Act 1988, and whenever we refer to the “new law” we mean the GDPR.)
We should like to assure you that we will only process, store and use your data in a manner that is consistent with the basis on which you joined UK Biobank (as described in the information materials and consent form, available on our Resources page). In particular, your information will continue to be made available only to bona fide researchers undertaking health research that is in the public good.
UK Biobank’s lawful basis for processing your data
A legal requirement of the GDPR is that we tell you about the legal basis on which UK Biobank will process your personal data. This includes information about you (like your name and address), the information that you told us about (such as answers to questions about your lifestyle), and information that we have received from others (such as your health records).
Because of the health-related nature of the personal information that you have provided to us, there are two lawful bases for our processing of it, which are referred to in the legislation as “legitimate interests” and “consent”. UK Biobank believes that both of these are valid reasons for processing your data and, as is required by the law, we have set out our reasoning below.
Legitimate interests are defined in the GDPR as “processing which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
In this case, UK Biobank is defined as the “data controller”. In the GDPR, there is a 3-step test to demonstrate “legitimate interests” which we have set out as a series of questions and answers:
Purpose test: what are UK Biobank’s legitimate interests?
- What is UK Biobank trying to achieve? Our objective is to set up and manage a major international research resource for health-related research that is in the public interest.
- Who benefits from UK Biobank’s processing? Patients and the wider public benefit from the advances made in the prevention, diagnosis and treatment of disease.
- How significant/important are these benefits? UK Biobank is now one of the largest and most used health research resources in the world. Over 6,000 institutions are registered with us and over 1,000 health-related research applications have been approved.
Necessity test: is the processing necessary for the legitimate interests?
- Is processing personal data a reasonable way to achieve the objective? Without the personal data provided voluntarily by you and the other participants, UK Biobank would not exist.
- Is there another less obtrusive way to meet our purposes? Your data are stored in a way that makes it extremely difficult even for UK Biobank to re-identify you. Only a very few individuals within UK Biobank are allowed to do so (and they are strictly monitored) in order that further information about you can be added. Data provided to researchers have personal identifiers removed so that an individual participant cannot be identified. There are no circumstances in which your data can be processed in a manner that could have an adverse impact on you.
Balancing test: UK Biobank has to weigh up the participant’s interests.
- Would participants expect UK Biobank to use their data this way? Yes; this is what we set out in the information materials provided to participants and in the consent form each of them signed.
- How likely would a participant be to object? In our view, this is very unlikely. During the past 10 years, since participants joined UK Biobank in 2006-10, fewer than 800 of the 500,000 participants have withdrawn from the study and asked that we delete all of their information.
For completeness, we should add that there is a further requirement under the GDPR for processing “special categories of data” and this includes data concerning an individual’s health. This requirement can be satisfied if the processing is necessary “for reasons of public interest in the area of public health or for archiving purposes in the public interest, scientific or historical research purposes ….”. The GDPR specifies that “research purposes” include “studies conducted in the public interest in the area of public health”. We consider that UK Biobank’s activities fall squarely within this requirement.
Each person who joined UK Biobank provided their explicit consent for us to collect, store and make available information about them (including data from genetic and other assays of the samples that were collected) for health-related research, and for their health to be followed over many years through medical and other health-related records, as well as by being re-contacted by UK Biobank.
Under the GDPR, explicit consent needs to satisfy each of the following 6 criteria:
- Freely given: your consent was not provided as a precondition for a service or a benefit;
- Presented separately from other information: a separate consent form from the information materials was provided which all participants signed (see: Consent Form);
- Based on properly explained information: all participants were provided with the relevant information materials which described how UK Biobank would use their information to support health-related research that is in the public interest (see: Information Leaflet);
- Could be refused and easily withdrawn: all participants volunteered to join UK Biobank after having the chance to review the information materials and ask any questions that they had, and any participant can withdraw for any reason at any time (see: Withdrawal);
- Provided for specific purposes: there was a set of separate points on the consent form related to specific purposes to which participants had to agree before signing the form;
- Named third party controllers relying on the consent: UK Biobank does not provide data to researchers which can be used to identify participants. Instead, personal identifiers are removed from the data provided to researchers and UK Biobank’s legal agreement with these researchers requires them to restrict their use of the data for their approved research and not to try to identify any participant. This means that, for the purposes of the GDPR, it is no longer “personal data” and so this criterion is not relevant.
The National Data Opt Out
The national data opt out programme becomes live on 25th May 2018 (see: national data opt out programme). This enables any individual in the UK to notify the NHS that they only want their personal data to be used for their own health care purposes. However, if any UK Biobank participant elects to use the opt-out this will not exclude them from UK Biobank. In order to withdraw from UK Biobank, any participant has to withdraw by notifying UK Biobank in the normal way.
New rights under the GDPR
The GDPR introduces certain new rights for individuals which were not part of the old law, but these new rights do not change your relationship with UK Biobank. These rights fall into two categories:
- Rights of access: All participants joined UK Biobank on the explicit understanding (as described in the information leaflet and consent form) that there would be no feedback of any information that was discovered about them from using their data. The reason for taking this “no feedback” approach was that it was considered likely that providing feedback would prevent or impair the research purposes of UK Biobank. Both the old law and the GDPR have provisions which allow research projects (like UK Biobank) not to provide participants with their data.
- Rights to restrict processing, to be forgotten, erasure and withdrawal: these rights are covered by your ability to withdraw from UK Biobank at any time for any reason (although we very much hope that you choose not to exercise that right so that your data can continue to be used to help researchers study the causes, prevention and treatment of many different diseases).
Protecting your data
UK Biobank stores all your data securely and to the highest industry and professional standards. It undertakes regular testing of its IT systems to ensure that they are robust. UK Biobank also commissions external experts to test the security of our systems.
Before UK Biobank provides data to researchers, we first remove all the personal identifiers so that individual participants cannot be identified. In addition, your data are only provided to researchers on the execution of a legal agreement prohibiting the researcher from trying to identify a participant.
Only UK Biobank has access to participants’ data with the personal identifiers (which is necessary in order to allow us to add more information about each participant as it becomes available) and we restrict the number of individuals within UK Biobank who have access to these personal identifiers.
We hope that you have found this note informative and useful. If you have any questions about the way in which UK Biobank is complying with the new law, please do not hesitate to contact us.
- Phone us: UK Biobank Freephone 0800 0276 276 8am-6pm Monday-Friday, 8am-4pm Saturdays.
- Write to us: UK Biobank, Participant Resource Centre, Division of Population Medicine, Cardiff University, 5th Floor, Neuadd Meirionnydd, Heath Park, Cardiff, CF14 4YS
- Email us: email@example.com