Sensitive health information donated for medical research by half a million UK citizens has been shared with insurance companies despite a pledge that it would not be.
An Observer investigation has found that UK Biobank opened up its vast biomedical database to insurance sector firms several times between 2020 and 2023, according to The Guardian.
The data was provided to insurance consultancy and tech firms for projects to create digital tools that help insurers predict a person’s risk of getting a chronic disease.
The findings have raised concerns among geneticists, data privacy experts and campaigners over vetting and ethical checks at Biobank.
Set up in 2006 to help researchers investigating diseases, the database contains millions of blood, saliva and urine samples, collected regularly from about 500,000 adult volunteers – along with medical records, scans, wearable device data and lifestyle information.
Approved researchers around the world can pay £3,000 to £9,000 to access records ranging from medical history and lifestyle information to whole genome sequencing data. The resulting research has yielded major medical discoveries and led to Biobank being considered a “jewel in the crown” of British science.
Biobank said it strictly guarded access to its data, only allowing access by bona fide researchers for health-related projects in the public interest.
It said this included researchers of all stripes, whether employed by academic, charitable or commercial organisations – including insurance companies – and that “information about data sharing was clearly set out to participants at the point of recruitment and the initial assessment”.
But evidence gathered by the Observer suggests Biobank did not explicitly tell participants it would share data with insurance companies – and made several public commitments not to do so.
When the project was announced, in 2002, Biobank promised that data would not be given to insurance companies after concerns were raised that it could be used in a discriminatory way, such as by the exclusion of people with a particular genetic makeup from insurance.
This included leaflets and consent forms that contained a provision that anonymised Biobank data could be shared with private firms for “health-related” research, but did not explicitly mention insurance firms or correct the previous assurances.
Biobank also said commitments that “insurance companies … will not be given any individual’s information, samples or test results” – repeated in leaflets over a 17-year period – meant to refer to identifiable information, such as that which is linked to a person’s name, rather than to other data about Biobank participants.
The exact nature of the data shared with the insurance industry is not clear because Biobank does not routinely publish this and has declined so far to say. Summaries of the projects published online suggest it included de-identified, participant-level data on diseases, lifestyle and biomarkers.
One company granted access, ReMark International, is a “global insurance consultancy” that underwrites a million policies a year and lists clients including Legal & General and MetLife.
In its application to Biobank, approved in December 2022, the company said it needed data to develop an algorithm to predict diseases and death, using hospital records and smartwatch data to examine the relationship between lifestyle, mental health and biomarkers.
Biobank said it rejected any suggestion that data had ever been shared for uses that volunteers had not consented to, and said it was wrong to suggest that prior promises – which pre-dated formal enrolment at Biobank – should still apply.
It added that researchers worked for “all manner of companies”, and that provided they passed its “stringent access protocols”, they could conduct research using Biobank data. Research by insurance companies into how lifestyle behaviours can improve health or help identify health risks was “consistent with being health-related and in the public interest”, it said. It added that it had consulted independent ethicists “at length” about commercial data sharing, and that “complex” applications were referred to an expert committee.
by Shanti Das – reporter at the Observer