Last updated Feb 25, 2019
Further background information, including notes for researchers, notes about health record linkage and notes for GPs about primary care health record linkage
In 2018, the General Data Protection Regulation (GDPR) came into force and the complementary Data Protection Act 2018 was also enacted, replacing all previous UK data protection legislation. As a consequence, we wrote to all participants in UK Biobank to explain that the new legislation does not result in any material change in the underlying nature of their relationship with UK Biobank (the Participant GDPR Note). This note should be read in conjunction with that guidance.
Not surprisingly, the introduction of the GDPR has given rise to a number of questions and queries from various parties, including researchers using UK Biobank data and the custodians of data related to both primary care (e.g. GP records), such as GP practices and clinical commissioning groups, and to secondary care (e.g. hospital, death and cancer records). This note aims to address those questions.
- Background and underlying definitions
- Data controller: UK Biobank was a data controller under the old legislation and it remains a data controller for the purposes of the GDPR. As such, UK Biobank has an obligation to ensure that (i) it complies with the provisions of the GDPR in the way that it manages the data within the UK Biobank resource (that it has for UK Biobank participants), and that (ii) third parties who process or use UK Biobank data do so too.
- Lawful basis: In UK Biobank’s note to participants about GDPR, we explained that we were using two lawful bases for processing their data, namely legitimate interests (which is a new category under the GDPR) and explicit consent (an updated version of consent under the previous law). As and when required, we are specific about which basis is being used for a particular activity; for example, when UK Biobank currently links to secondary health care data (such as hospital events and death and cancer information) through NHS Digital, it uses legitimate interests as the appropriate lawful basis.
- Consent: The explicit consent that was obtained when participants joined UK Biobank in 2006-10 remains compliant with the GDPR on the basis of:
- the form and text of the consent obtained from every participant (it was not possible to join UK Biobank without completing the consent form);
- the information provided to participants prior to them joining UK Biobank (which has been reinforced subsequently) about the collection and use of information about them; and
- the right of each participant to unilaterally withdraw from UK Biobank at any time.
In light of the above, UK Biobank has no current plans to seek further or additional consent from participants.
- Data Protection Impact Assessments: Such assessments are only required when an organisation undertakes a new form of processing. As UK Biobank’s processing activities remain the same as they were prior to the introduction of the GDPR, UK Biobank is not required (under the GDPR) to conduct formal Data Protection Impact Assessments for these activities. That said, UK Biobank does keep its processes and systems under regular and systematic review using criteria which are at least as exacting as those required under a formal Data Protection Impact Assessment.
- GDPR and research uses
- De-identified data: UK Biobank goes to considerable lengths to ensure that, as far as is practically possible, it only uses de-identified data in all its internal and external processes. Identifying data is only used when we contact UK Biobank participants directly.
- Research uses: All data provided by UK Biobank to approved researchers for their research are de-identified, as researchers do not need to know the identity of participants in order to conduct their research (see UK Biobank’s de-identification protocol).
- Not personal data: As a consequence, researchers are not provided with data about participants that would be defined as “personal data” under the GDPR (the provisions of the GDPR, and data protection generally, only address data which is personal data). In addition, UK Biobank’s Material Transfer Agreement (MTA) prohibits researchers from trying to re-identify participants.
- Data security: UK Biobank expects researchers who use its data to adhere to very high standards of data security in terms of storing and processing UK Biobank data. Again, they are required to commit to doing so by the MTA and, to date, we are not aware of any such breach. A breach of these requirements would be taken very seriously by UK Biobank, including implementation of a prohibition on the defaulting organisation receiving any further access to UK Biobank data.
- GDPR and primary care linkage
- UK Biobank letter to GPs: In October 2018, UK Biobank sent a letter, endorsed by the Royal College of General Practitioners, to all GP Practices in England that use the EMIS Health and TPP SystmOne practice management systems (GP Practice page). This letter set out the basis for UK Biobank’s linkage to the primary care health record data of UK Biobank participants and sought agreement from GP Practices to make primary care data available to UK Biobank in accordance with the explicit consent that participants had given when they joined the project.
- Questions: In response to questions that arose, UK Biobank sent a follow-up letter (EMIS letter, TPP letter) with additional:
- Confirmation that the process complies with the GDPR (attaching a copy of a letter from the Information Commissioner’s Office, following UK Biobank’s discussions with the ICO Commissioner and the ICO’s most senior legal advisor) that UK Biobank is entitled to carry out this linkage activity; and
- Assurance that data would be extracted only for consented UK Biobank participants.
- Participant rights of access: As outlined to participants in the Participant GDPR Note, UK Biobank is not subject to the provisions in the GDPR which relate to requests from individuals for access to data held about them because all participants joined the project on the explicit understanding (as described in the information leaflet and the consent form) that there would be no feedback of any information discovered about them from using their data.
- National data opt out: In accordance with the explicit guidance from the NHS, UK Biobank advised participants in the Participant GDPR Note that they need to withdraw from UK Biobank itself before they can opt out of their health-related data being made available to UK Biobank as part of the “National data opt out”.
 The background to the lawful bases in the GDPR is quite detailed and, rather than setting it all out again, please refer to the information about both legitimate interests and explicit consent which was provided in the note to participants: https://www.ukbiobank.ac.uk/gdpr/
 In Wales, UK Biobank is accessing primary care data through the SAIL Databank (which is run by the University of Swansea) who have the consent of roughly 80% of Welsh GP Practices to provide their data to UK Biobank (and other researchers).
In Scotland, UK Biobank is working with Albasoft and proposes to write to all Scottish GP Practices in early 2019 in a process which will be similar to the approach that is being taken in England.
 For those of a legal inclination, the actual provisions which cover these exemptions are contained in the 2018 Data Protection Act, namely Schedule 2 Part 6 para 27 (http://www.legislation.gov.uk/ukpga/2018/12/schedule/2/enacted). This means the situation remains the same as that which applied under the old (pre-GDPR) law: there is a (qualified) exemption for research projects.