UK Biobank Data
Debate between Lord Clement-Jones and Lord Markham(1 week, 3 days ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Markham (Con)
My Lords, I thank the Minister for the Statement. This is clearly a serious incident that goes to the heart of public trust in one of our most important research assets. I pay tribute to the hundreds of thousands of volunteers whose data underpins the success of the UK Biobank and the breakthrough it has enabled.
It is right that swift action has been taken to remove the listings and suspend access. It is also right to involve the Information Commissioner’s Office. However, the central issue before us is not just what has happened but what it reveals about our capacity to defend ourselves against cyber attacks.
First, on enforcement and accountability, we are told that the institutions involved have been banned. That is, of course, welcome, but it is sufficient? Were contractual terms breached in relation to data of this sensitivity? There must be clarity about deterrence and whether further sanctions, legal or financial, are available and will be pursued. Without that, I fear that we risk sending the wrong signal.
This incident also seems to highlight deeper weaknesses in our wider infrastructure. We continue to have a system that relies heavily on trust and contractual compliance, but without robust technical safeguards to prevent misuse; it is not enough simply to tell users not to download data—we must design systems so that they cannot do so inappropriately. This is a design issue as much as a behavioural one. From my time as Health Minister, I am aware that NHS databanks do not allow the downloading of data on to third-party servers. The data remains on our servers in a sectioned-off area to allow the customers to analyse and manipulate the data but not download it, so these types of breaches cannot take place.
There is a strong case for a clear step-by-step plan from UK Biobank, setting out exactly how data access will be reformed, including the technical controls that will be put in place, binding commitments to ensure that this cannot happen again, and the stopping of the ability to download the data directly. In addition, there is a strong case for reviewing the data storage and retention policies of all our health bodies.
During the cyber attack on the London blood testing organisation in 2024, I was amazed that the names of the people being tested were given to the companies, along with the samples, for them to perform the test results. They did not need to have those names at all; all they needed to have was a unique reference number, so that data did not need ever to be out there in the first place. What surprised me even further was to find out that this same company had data for individuals going back five, 10 or 15 years, and did not seem to have any deletion policies in place to make sure that the data was not even there to be hacked in the first place.
As the Minister responsible at the time, I proposed a review of the data storage and retention policies of all the NHS bodies and their associated contractual parties, but this was just before the election, so I am not aware whether or not that review took place in the end. I would be grateful, therefore, if the Minister could update us on whether this did in fact happen.
I turn to the point raised in Committee on the cyber security and resilience Bill currently going through the other place. The Conservatives tabled an amendment which would have required the Secretary of State to maintain a register of hostile actors targeting critical sectors, including health. Regrettably, that amendment was not accepted. In light of this incident, I ask the Minister whether the Government will now revisit that decision. If not, will he at least consider how we strengthen our understanding and monitoring of potential threats in this space?
While we must not lose sight of the immense value of UK Biobank, maintaining public confidence will be essential. That confidence depends on not only the integrity of the data but the strength of the safeguards around it. As the cyber security and resilience Bill comes to our House, we must make sure that we learn the lessons from this deeply regrettable breach. Indeed, a good test we must apply to the Bill is: if it had already been enacted, would the breach have happened in this case? This is a moment not just for a response, but for reform. I look forward to the Minister’s reply.
Lord Clement-Jones (LD)
My Lords, I thank the Minister for coming forward in relation to this Statement and join in acknowledging unreservedly the profound scientific value of UK Biobank and the extraordinary generosity of the half a million volunteers whose participation has driven life-saving discoveries in heart disease, cancer, dementia, Parkinson’s, and Covid immunity. I emphasise that nothing I say today diminishes that contribution or our commitment to seeing UK Biobank continue to thrive at the heart of the UK’s sovereign health data strategy. But we owe those volunteers honesty, and the honest description of what has happened here, as my honourable friend Victoria Collins said in the Commons last week, is that it was
“a profound betrayal of the people who trusted this institution with some of the most intimate details of their lives”,—[Official Report, Commons, 23/4/26; col. 472.]
including their sleep patterns, mental health, genetic data and medical history.
We welcome the swift removal of the three listings, the co-operation of the Chinese authorities, the self-referral to the ICO, the board-led review, and the development of what UK Biobank describes as the world’s first automated checking system. These are the right steps, but they are steps taken after the fact, and this House is entitled to ask how we arrived here. UK Biobank has apologised for the concern caused—that is not sufficient. We join our Commons Liberal Democrat colleagues in calling for a full and unequivocal apology to participants, not for causing concern but for the breach of trust itself.
We also cannot accept the framing that this was simply a matter of a few bad apples breaking their agreements. The platform allowed data to be downloaded. As the Minister himself confirmed in the Commons,
“this was not … a cyber-attack. This was a legitimate download … by a legitimately accredited organisation”.—[Official Report, Commons, 23/4/26; col. 473.]
That is precisely the problem: contractual promises are not an adequate safeguard for data of this sensitivity. There must be hard, technical barriers, and we are glad that a solution is now being implemented. The question is why it was not in place from the outset.
I have a series of questions for the Minister. First, on the scale of exposure, an associate professor from the Oxford Internet Institute has stated publicly:
“This is the 198th known exposure of UK Biobank data since last summer”,
and that UK Biobank data remains available online for anyone to download today. Will the Minister confirm how many data breaches at or by UK Biobank have been notified to the Government since the original ministerial Statement, and does the Minister have any reason to believe it will not become public that Biobank data has already been used to reidentify specific participants?
Secondly, on leadership and accountability, given the series of decisions, or failures of decision, that have brought us to this point, including the dismissal of earlier warnings, does the Minister have full confidence in the current leadership of UK Biobank? The board-led review is welcome, but its credibility will depend on its independence and transparency.
Thirdly, on reidentification risk, UK Biobank itself acknowledges that it cannot guarantee absolute confidentiality. Modern AI and social media make reidentification far more feasible than was the case when this data was first collected. Crucially, do the Government have contingency plans for large-scale reidentification of Biobank participants, given that, as the Oxford Internet Institute confirms, the data has leaked on nearly 200 occasions, as I mentioned earlier, and remains accessible online?
Fourthly, on the broader lesson for data and AI policy, this incident demonstrates something important: there is no panacea in simply handing patient data to AI systems and trusting that good intentions will follow. So much NHS and Biobank data has already been used in ways that violate the rules under which it was shared. As the Minister in the Commons acknowledged, this was a legitimate download—the rules failed to prevent it. If tearing up data governance rules produced easy wins, we would have seen the evidence by now. Instead, we have received repeated failures, and the Government must reflect on that when designing the new guidance on research data controls that they have promised.
Fifthly and finally, on system-wide lessons, can the Minister confirm that other UKRI and MRC cohort studies will be required to learn from this incident and that their governance will be reviewed? Will the Secretary of State require UK Biobank to publish a full step-by-step plan for reforming its data privacy—not guidance, not reassurances, but binding commitments? The volunteers who built UK Biobank did so in a spirit of trust and public service, and they deserve nothing less than ironclad protections, genuine accountability and the knowledge that their generosity will never again be treated as a governance afterthought.
Artificial Intelligence Opportunities Action Plan
Debate between Lord Clement-Jones and Lord Markham(1 year, 3 months ago)
Lords ChamberRead Full debate Read Hansard Text Read Debate Ministerial Extracts
Lord Markham (Con)
I welcome the Secretary of State’s Statement in this space, and I start with an apology. When I agreed to speak to this, I was told it would be first business after Questions, and I am afraid I have to leave for a flight midway through, so I apologise to noble Lords and hope that they understand. My colleague will be here all the way through.
As I say, we welcome the Statement and we welcome the Matt Clifford plan, which my noble friend Lord Camrose kicked off when he was leading these efforts in government, so we see this as a positive step forward. As Health Minister during that time, I saw first-hand the potential of AI, how it can really transform our services and how the UK really does have the potential for a leadership role.
Matt Clifford's plan, we believe, is right that the role of the Government in this is really to establish the foundations for growth: namely, making sure we have an AI-skilled workforce, the computing power, the energy needs to drive that computing power and the right regulatory framework. Then we use the assets we have, such as the data, to create the right datasets and use our public sector to help the rollout in many of them. I will focus my comments and questions on how we are going to make sure that those things happen.
Turning to the first one, the AI-skilled workforce, I must admit that when I read in the report that 5,000 AI jobs were being created in this, like most of us, I thought “5,000—that is great.” Then you realise that, actually, 4,500 of those are in construction and only 500 are in AI itself, and you start to get worried that maybe this is a bit style over substance. I am very keen to understand from the Minister here what we are specifically doing in this space. I am mindful, for instance, that we talk about having government develop training for the universities with a delivery or reporting date of autumn 2027. We all know how quickly AI is moving in this space, and we are saying we are just going to have the training in place for the universities to give these courses in two and a half years’ time. I think we all know that, in two and a half years’ time, the world will have moved on massively from that, and no doubt the training will be out of place. I hope the Minister can come back on that and give us some reassurances that we will actually have an accelerated process—I am afraid this will be a bit of a recurring theme.
On computing power, my noble friend Lord Camrose, when he was in government, had secured an £800 million commitment to build a supercomputer in Culham. Now I read, in the Government’s action plan, that they will
“start to develop the business case process”
for an AI computer. Unfortunately, like many noble Lords, I know what that means: a Treasury business case process, so you are talking about a year and a half to two years, at least. All I can guarantee is that, if you take that length of time to produce a business plan, whatever you were planning in terms of a supercomputer will be superseded by advancements and events. What is the Minister doing to streamline that business plan process and get action on this front so that we can get that new supercomputer fast?
On energy, we all accept there is a desperate need for energy; again, that is laid down in the action plan. The Government’s answer to that is to set up an AI energy quango. I think most of us would say that we need to set out what our energy needs require, but then surely it is up to the network or GB Energy to fulfil that. Why do we need another quango and another layer of bureaucracy? What powers is that quango going to have if it will not be commissioning these facilities, which I assume GB Energy will do?
On regulation and governance, the regulatory framework is another very important part of the foundation. I know the Government have plans for an AI Bill, but what is the timeline for it? Again—this is a recurrent theme—it needs to be quick so we can keep up with events.
Moving on to AI datasets, I know that this is something that the Minister is very keen on in the health space, as am I, being the former Health Minister responsible for this area. We have the best health data in the world; the beauty of having a National Health Service is that we have data on primary and secondary care going back to the Second World War. We have data coming in from the UK Biobank and other sources, such as retina scans from opticians which, we are hearing, can be used for stroke detection or maybe the early warning signs of dementia. There are fantastic opportunities for this, and we can already see its applications around the health service today. We have been doing the research with focus groups to bring the public with us on the use of their healthcare data. We have the potential to create the UK Silicon Valley in the life sciences on the back of the data that we have. We had in place a data for R&D programme, which was looking to utilise and create datasets in the health space. Could the Minister update us on where we are with that, and whether it is going to be his focus? As we discussed, that is something I would be very happy to work on together.
The last part of the foundations is to use the assets that we have in the public sector as a rollout plan for that and, again, health is a perfect place for this. We have seen brilliant applications already in cancer treatment and in overprescriptions; there are possibilities with the NHS app, which is really taking off, and to use AI in the 111 service to help triage; these are all fantastic opportunities. We put in place an NHS productivity plan which was very AI driven and AI heavy. Could the Minister update us on the AI productivity plan for the NHS and what progress we are making on it?
To conclude, we are very positive about the opportunities AI provides to transform the whole country’s economy and public services in ways that we cannot even imagine. However, it is businesses that need to drive this. It is the role of the Government to set the foundations to allow business to deliver; it is not the role of quangos, which are not going to deliver it. This area will need a Minister to drive it through and make it happen. Is the Minister the one who will do that? If he is, I give him all our support and wish him the best of luck with it.
Lord Clement-Jones (LD)
My Lords, I also welcome this plan, perhaps with rather less baggage than the Conservative Benches. The Prime Minister and the Secretary of State invoked Babbage, Lovelace, Turing, the pioneering age of steam and even the white heat of the technological revolution, but at its core there is an important set of proposals with great potential. However, it is a wish list rather than a plan at present.
I particularly welcome the language in the plan around regulation, particularly where it refers to regulation assisting innovation, which is a change of tone. However, the plan and Statement raise many questions. In particular, how will the Government ensure that AI development mitigates risks beyond just safety to ensure responsible AI development and adoption, especially given the fact that a great deal of UK development will involve open-source applications?
On the question of the introduction of AI into the public sector, the Government are enormously enthusiastic. But, given their public sector digital transformation agenda, why are the Government watering down citizens’ rights in automated decision-making in the Data (Use and Access) Bill?
We welcome the recognition of the need to get the economic benefits for the UK from public sector data which may be used to develop AI models. What can the Minister tell us at this stage about what the national data library will look like? It is not clear that the Government yet know whether it will involve primary or secondary legislation or whatever. The plan and response also talk about “sovereign compute”, but what about sovereign cloud capability? The police cannot even find a supplier that guarantees its records will be stored in the UK.
While the focus on UK training is welcome, we must go beyond high-level skills. Not only are the tech companies calling out for technical skills, but AI is also shaping workplaces, services and lives. Will the Digital Inclusion Action Committee, chaired by the noble Baroness, Lady Armstrong, have a role in advising on this? Do the changes to funding and delivery expected for skills boot camps contribute to all of this?
On the question of energy requirements for the new data centres, will the new AI energy council be tasked with ensuring that they will have their own renewable energy sources? How will their location be decided, alongside that of the new AI growth centres?
The plan cannot be game-changing without public investment. It is about delivery, too, especially by the new sovereign data office; it cannot all be done with private sector investment. Where is the public money coming from, and over what timescale? An investment plan for compute is apparently to be married to the spending review; how does a 10-year timescale fit with this? I am very pleased that a clear role is identified for the Alan Turing Institute, but it is not yet clear what level of financial support it will get, alongside university research, exacompute capacity, and the British Business Bank in the spin-out/start-up pipeline support. What will the funding for the Compound Semiconductor Applications Catapult and the design and manufacturing ecosystem consist of?
The major negative in the plan for many of us, as the Minister already knows, is the failure to understand that our creative industries need to be able to derive benefits from their material used for training large language models. The plan ominously recommended reforming,
“the UK text and data mining regime so that it is at least as competitive as the EU”,
and the Government have stacked the cards in the consultation over this. We on these Benches and the creative industries will be fighting tooth and nail any new text and data mining exemption requiring opt-out.
Data (Use and Access) Bill [HL]
Debate between Lord Clement-Jones and Lord MarkhamTuesday 3rd December 2024
(1 year, 5 months ago)
Grand CommitteeRead Full debate Data (Use and Access) Act 2025 View all Data (Use and Access) Act 2025 Debates Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: HL Bill 40-I(a) Amendments for Grand Committee (Supplementary to the Marshalled List) - (3 Dec 2024)
Lord Markham (Con)
Just to follow on from that, I very much support my noble friend’s words. The only reason I can see why you would introduce new definitions is that there are new responsibilities that are different, and you would want people to be aware of the new rules that have been placed on them. I will be interested to hear the Minister’s answer. If that is the case, we can set that out and understand whether the differences are so big that you need a whole new category, as my noble friend said.
Having run lots of small businesses myself, I am aware that, with every new definition that you add, you add a whole new set of rules and complications. As a business owner, how am I going to find out what applies to me and how I am to be responsible? The terms trader, controller, data holder and processor all sound fairly similar, so how will I understand what applies to me and what does not? To the other point that my noble friend made, the more confusing it gets, the less likelihood there is that people will understand the process.
Lord Clement-Jones (LD)
My Lords, I am not sure whether I should open by saying that it is a pleasure to take part in the passage of the third iteration of this Bill, but, as I said at Second Reading, this is an improvement. Nevertheless, there are aspects of the Bill that need close scrutiny.
The noble Viscount, Lord Camrose, explained his approach to this Bill. Our approach is that we very much support the use of data for public benefit but, at the same time, we want to make sure that this Bill does not water down individual data rights and that they are, where necessary, strengthened. In that spirit, I wish to ask the Minister about the general nature of Clause 1, rather than following up on the amendments tabled by the noble Viscount.
The definition of “business data” seems quite general. A report that came out yesterday, Data On Our Minds: Affective Computing At Work, highlighted the kinds of data that are now being collected in the workplace. It is a piece of work sponsored by the Joseph Rowntree Charitable Trust, the Trust for London and the Institute for the Future of Work. They are concerned about the definition of “business data”. The Minister probably will not have an answer on this matter at this stage but it would be useful if she could write in due course to say whether the definition of excludes emotional data and neurosurveillance data collected from employees.
This is very much a workplace question rather than a question about the customer; I could ask the same question about the customer, I suppose, except the report is about workplace data collection. I thought I would opportunistically take advantage of the rather heavy de-grouping that has taken place and ask the Minister a question.
Lord Clement-Jones (LD)
My Lords, I too am delighted that the noble Lord, Lord Lucas, came in to move his amendment. He is the expert in that whole area of education data; like the noble Lord, Lord Arbuthnot, I found what he said extremely persuasive.
I need to declare an interest as chair of the council of Queen Mary, University of London, in the context of Amendment 5 in the name of the noble Lord, Lord Lucas. I must say, if use were made of that data, it would benefit not only students but universities. I am sure that the Minister will take that seriously but, on the face of it, like the noble Earl, Lord Erroll, I cannot see any reason why this amendment should not be adopted.
I very much support Amendments 34 and 48 in the name of the noble Lord, Lord Arbuthnot. I too have read the briefing from Sex Matters. The noble Lord’s pursuit of accuracy for the records that will be part of the wallet, if you like, to be created for these digital verification services is a matter of considerable importance. In reading the Sex Matters briefing, I was quite surprised. I had not realised that it is possible to change your stated sex on your passport in the way that has taken place. The noble Lord referred to the more than 3,000 cases of this; for driving licences, there have been more than 15,000.
I agree with Sex Matters when it says that this could lead to a loss of trust in the system. However, I also agree with the noble Earl, Lord Erroll, that this is not an either/or. It could be both. It is perfectly feasible to have both on your passport, if you so choose. I do not see this as a great divide as long as the statement about sex is accurate because, for a great many reasons—not least in healthcare—it is of considerable importance that the statement about one’s sex is accurate.
I looked back at what the Minister said at Second Reading. I admit that I did not find it too clear but I hope that, even if she cannot accept these amendments, she will be able to give an assurance that, under this scheme—after all, it is pretty skeletal; we will come on to some amendments that try to flesh it out somewhat—the information on which it will be based is accurate. That must be a fundamental underlying principle. We should thank the noble Lord, Lord Arbuthnot, for tabling these two important amendments in that respect.
Lord Markham (Con)
My Lords, I want to come in on Amendment 5. Although I am very much in favour of the intent of what we are trying to do—making more use of the sharing of data—I have to remember my old Health Minister’s hat in talking about all the different terms and speaking to the different angles that we are all coming from.
Noble Lords have heard me speak many a time about the value of our health data and the tremendous possibilities that it offers for drug discovery and all the associated benefits. At the same time, I was very aware of loads of companies purporting to own it. There are GP data companies, which do the systems for GPs and, naturally, hold all the patient data in them. In terms of their business plans, some have been bought for vast sums of money because of the data that they hold. My concern is that, although it is well intended to say that the use of health data should be allowed for the general good, at the same time, I do not believe that GP companies own that data. We have been quite clear on that. I want to make it clear that it is actually the NHS that will benefit from the pulling together of all this, if that happens in those sorts of formats.
Similarly on student loans data—I shall not pretend that this is a subject I know a lot about—I can see a lot of good causes for the student loans, but I can also see that it would be very useful for financial services companies to understand customers’ creditworthiness. In all these cases, although the intent is right, we need to find a way to be clear about what they can and cannot use it for, and there lies a lot of complexity.