UK Biobank part 2
I blogged about the UK Biobank study back in January. My two main concerns were that the NHS had passed on my personal data without my consent to the UK Biobank team, and that the UK Biobank's literature described the handling of biological samples as "anonymous", when in fact it wasn't. I had other concerns too. In short, I wasn't very happy.
I now have some more to report.
At the time I last blogged, I made a Freedom of Information request to obtain the minutes of the ethics committee meeting at which the UK Biobank project was approved, as well as the application submitted to the committee. Today, I finally received the minutes of the meeting (although not yet the application). It's a bit over the statutory 20 day limit in which FOI requests are supposed to be met, but better late than never. I also contacted the office of the Information Commissioner to ask whether passing on my personal data without my consent was really in compliance with the Data Protection Act, and by a happy coincidence I also had a reply to that question this week as well.
What I have found makes me angry.
The minutes of the ethics committee meeting seem worryingly superficial. As I blogged previously, it is ethically wrong to tell participants that their biological samples will be handled anonymously if in fact it is possible to link those samples back to the identifiable individuals, which according to the UK Biobank protocol, it is. This major ethical shortcoming does not appear to have even been mentioned at the meeting, let alone given any substantive consideration.
The issue of passing on of confidential data from the NHS to UK Biobank also does not appear to be discussed, except to have noted that the process had been approved by the Department of Health Caldicott Guardian. Perhaps it was reasonable for the ethics committee to take the view that it was therefore legitimate, although I'm not sure that that would have been the attitude I would have taken had I been on the committee.
As for the reply from the Information Commissioner's office, it is hardly any more reassuring. I was told that the Information Commissioner was aware of the UK Biobank study, and that he "is not of the view that the actions of UK Biobank or the NHS are likely to be in breach of the DPA". Is it just me who find words such as "likely" a bit disturbing in that context? So it probably doesn't breach the DPA, but it just might? When I asked for more detail, I was pointed to Schedule 2 of the DPA, which does indeed allow data to be passed on without consent under some circumstances. The one I was pointed to specifically was condition 6 (1) of Schedule 2, which states "The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject."
I can see now why they said "not likely to be" rather than simply "not". That's a bit woolly, isn't it? Who is to say what counts as a legitimate interest? You could interpret that to mean that you almost never need consent to pass on someone's personal data. If the courts really did interpret it that way, then that represents a massive loophole in the DPA, which personally I find truly scary.
I have made 2 more FOI requests today. I have contacted the Department of Health to ask for more information about the decision of their Caldicott Guardian to allow my personal data to be released without my consent, and I have contacted UK Biobank to ask whether they took legal advice on whether they really were compliant with the Data Protection Act.