UK Biobank Data

Lord Markham Excerpts
Tuesday 28th April 2026

Lords Chamber
The Government will soon be issuing new guidance on control of data from research studies. I take this opportunity once again to urge all businesses and charities to ensure that their systems and data-sharing processes are as secure as possible. We wrote to businesses last week about the cyber security tools available to them—for free—from the Government and the steps they should take to maximise security. Ensuring the safe use of UK data is a priority for the Government. I commend this Statement to the House”.
Lord Markham (Con)

My Lords, I thank the Minister for the Statement. This is clearly a serious incident that goes to the heart of public trust in one of our most important research assets. I pay tribute to the hundreds of thousands of volunteers whose data underpins the success of the UK Biobank and the breakthrough it has enabled.

It is right that swift action has been taken to remove the listings and suspend access. It is also right to involve the Information Commissioner’s Office. However, the central issue before us is not just what has happened but what it reveals about our capacity to defend ourselves against cyber attacks.

First, on enforcement and accountability, we are told that the institutions involved have been banned. That is, of course, welcome, but is it sufficient? Were contractual terms breached in relation to data of this sensitivity? There must be clarity about deterrence and whether further sanctions, legal or financial, are available and will be pursued. Without that, I fear that we risk sending the wrong signal.

This incident also seems to highlight deeper weaknesses in our wider infrastructure. We continue to have a system that relies heavily on trust and contractual compliance, but without robust technical safeguards to prevent misuse; it is not enough simply to tell users not to download data—we must design systems so that they cannot do so inappropriately. This is a design issue as much as a behavioural one. From my time as Health Minister, I am aware that NHS databanks do not allow the downloading of data on to third-party servers. The data remains on our servers in a sectioned-off area to allow the customers to analyse and manipulate the data but not download it, so these types of breaches cannot take place.

There is a strong case for a clear step-by-step plan from UK Biobank, setting out exactly how data access will be reformed, including the technical controls that will be put in place, binding commitments to ensure that this cannot happen again, and the stopping of the ability to download the data directly. In addition, there is a strong case for reviewing the data storage and retention policies of all our health bodies.

During the cyber attack on the London blood testing organisation in 2024, I was amazed that the names of the people being tested were given to the companies, along with the samples, for them to perform the test results. They did not need to have those names at all; all they needed to have was a unique reference number, so that data did not need ever to be out there in the first place. What surprised me even further was to find out that this same company had data for individuals going back five, 10 or 15 years, and did not seem to have any deletion policies in place to make sure that the data was not even there to be hacked in the first place.

As the Minister responsible at the time, I proposed a review of the data storage and retention policies of all the NHS bodies and their associated contractual parties, but this was just before the election, so I am not aware whether or not that review took place in the end. I would be grateful, therefore, if the Minister could update us on whether this did in fact happen.

I turn to the point raised in Committee on the cyber security and resilience Bill currently going through the other place. The Conservatives tabled an amendment which would have required the Secretary of State to maintain a register of hostile actors targeting critical sectors, including health. Regrettably, that amendment was not accepted. In light of this incident, I ask the Minister whether the Government will now revisit that decision. If not, will he at least consider how we strengthen our understanding and monitoring of potential threats in this space?

While we must not lose sight of the immense value of UK Biobank, maintaining public confidence will be essential. That confidence depends on not only the integrity of the data but the strength of the safeguards around it. As the cyber security and resilience Bill comes to our House, we must make sure that we learn the lessons from this deeply regrettable breach. Indeed, a good test we must apply to the Bill is: if it had already been enacted, would the breach have happened in this case? This is a moment not just for a response, but for reform. I look forward to the Minister’s reply.

Lord Clement-Jones (LD)

My Lords, I thank the Minister for coming forward in relation to this Statement and join in acknowledging unreservedly the profound scientific value of UK Biobank and the extraordinary generosity of the half a million volunteers whose participation has driven life-saving discoveries in heart disease, cancer, dementia, Parkinson’s, and Covid immunity. I emphasise that nothing I say today diminishes that contribution or our commitment to seeing UK Biobank continue to thrive at the heart of the UK’s sovereign health data strategy. But we owe those volunteers honesty, and the honest description of what has happened here, as my honourable friend Victoria Collins said in the Commons last week, is that it was

“a profound betrayal of the people who trusted this institution with some of the most intimate details of their lives”,—[Official Report, Commons, 23/4/26; col. 472.]

including their sleep patterns, mental health, genetic data and medical history.

We welcome the swift removal of the three listings, the co-operation of the Chinese authorities, the self-referral to the ICO, the board-led review, and the development of what UK Biobank describes as the world’s first automated checking system. These are the right steps, but they are steps taken after the fact, and this House is entitled to ask how we arrived here. UK Biobank has apologised for the concern caused—that is not sufficient. We join our Commons Liberal Democrat colleagues in calling for a full and unequivocal apology to participants, not for causing concern but for the breach of trust itself.

We also cannot accept the framing that this was simply a matter of a few bad apples breaking their agreements. The platform allowed data to be downloaded. As the Minister himself confirmed in the Commons,

“this was not … a cyber-attack. This was a legitimate download … by a legitimately accredited organisation”.—[Official Report, Commons, 23/4/26; col. 473.]

That is precisely the problem: contractual promises are not an adequate safeguard for data of this sensitivity. There must be hard, technical barriers, and we are glad that a solution is now being implemented. The question is why it was not in place from the outset.

I have a series of questions for the Minister. First, on the scale of exposure, an associate professor from the Oxford Internet Institute has stated publicly:

“This is the 198th known exposure of UK Biobank data since last summer”,


and that UK Biobank data remains available online for anyone to download today. Will the Minister confirm how many data breaches at or by UK Biobank have been notified to the Government since the original ministerial Statement, and does the Minister have any reason to believe it will not become public that Biobank data has already been used to reidentify specific participants?

Secondly, on leadership and accountability, given the series of decisions, or failures of decision, that have brought us to this point, including the dismissal of earlier warnings, does the Minister have full confidence in the current leadership of UK Biobank? The board-led review is welcome, but its credibility will depend on its independence and transparency.

Thirdly, on reidentification risk, UK Biobank itself acknowledges that it cannot guarantee absolute confidentiality. Modern AI and social media make reidentification far more feasible than was the case when this data was first collected. Crucially, do the Government have contingency plans for large-scale reidentification of Biobank participants, given that, as the Oxford Internet Institute confirms, the data has leaked on nearly 200 occasions, as I mentioned earlier, and remains accessible online?

Fourthly, on the broader lesson for data and AI policy, this incident demonstrates something important: there is no panacea in simply handing patient data to AI systems and trusting that good intentions will follow. So much NHS and Biobank data has already been used in ways that violate the rules under which it was shared. As the Minister in the Commons acknowledged, this was a legitimate download—the rules failed to prevent it. If tearing up data governance rules produced easy wins, we would have seen the evidence by now. Instead, we have received repeated failures, and the Government must reflect on that when designing the new guidance on research data controls that they have promised.

Fifthly and finally, on system-wide lessons, can the Minister confirm that other UKRI and MRC cohort studies will be required to learn from this incident and that their governance will be reviewed? Will the Secretary of State require UK Biobank to publish a full step-by-step plan for reforming its data privacy—not guidance, not reassurances, but binding commitments? The volunteers who built UK Biobank did so in a spirit of trust and public service, and they deserve nothing less than ironclad protections, genuine accountability and the knowledge that their generosity will never again be treated as a governance afterthought.