
Biobank Report: United Kingdom

Published online by Cambridge University Press:  01 January 2021


The United Kingdom is a leader in genomics research, and the presence of numerous types of biobanks and the linking of health data and research within the UK evidences the importance of biobank-based research in the UK. There is no biobank-specific law in the UK and research on biobank materials is governed by a confusing set of statutory law, common law, regulations, and guidance documents. Several layers of applicable law, from European to local, further complicate an understanding of privacy protections. Finally, biobanks frequently contain data in addition to the samples; the legal framework in the UK generally differentiates between data and samples and the form of the data affects the applicability of legal provisions. Biobanks must be licensed by the Human Tissue Authority; certain projects must be reviewed by Research Ethics Committees, and all projects are encouraged to be reviewed by them. Data Access Committees in biobanks are also common in the UK. While this confusing array of legal provisions leaves privacy protections in biobanking somewhat unclear, changes at the EU level may contribute to harmonization of approaches to privacy.

Symposium Articles
Copyright © American Society of Law, Medicine & Ethics 2016



In 2015, the World Health Organisation ranked the UK 18th of the World’s Healthcare Systems: (WHO) World Health Organization Assesses the World’s Health Systems, available at <> (last visited February 22, 2016).
See <> (last visited February 26, 2016).
Prime Minister’s Office et al., Human Genome: UK to Become World Number 1 in DNA Testing, Press Release, August 1, 2014, available at <> (last visited February 11, 2016).
Genomics England, “The 100,000 Genomes Project,” available at <> (last visited February 11, 2016).
ScottisH Informatics Programme, available at <> (last visited February 11, 2016).
See <> (last visited February 26, 2016).
See <> (last visited February 26, 2016).
UK Biobank, available at <> (last visited February 11, 2016).
UK10K, “What is UK10K?” available at <> (last visited February 11, 2016).
NCRI Confederation of Cancer Biobanks, “Welcome to the NCRI Confederation of Cancer Biobanks,” available at <> (last visited February 11, 2016).
BBMRI-ERIC, “Welcome to BBMRI_ERIC,” available at <> (last visited February 11, 2016).
Section 2.2, Article 187 Treaty for the European Union, which allows the EU to set up international organization for researchers, in the form of ERICs. These consortia are neither EU authorities, nor a part of the Member States, but have their own international organization, established by a decision of the Commission at the request of one Member States and two other countries that are either Member States or associated countries. Through the consortia the Member State can jointly fund and operate research facilities, in addition to what each Member State is able to do itself. Council Regulation (EC) No 723/2009 on the Community Legal Framework for a European Research Infrastructure Consortium (ERIC), at 1, June 25, 2009.
Officially, an Act of Parliament is only enacted following Royal Assent. The devolution of powers to the Scottish and Northern Ireland Parliaments means that legally the concept of the United Kingdom is becoming increasingly complex. Over time, the law in these countries will start to deviate from that of England and Wales.
This is particularly apparent in the case of the Data Protection Directive. Moraia, L. Briceño, Kaye, J. and Tasse, A.M. et al., “A Comparative Analysis of the Requirements for the Use of Data in Biobanks Based in Finland, Germany, the Netherlands, Norway, and the United Kingdom,” Medical Law International 14, no. 4 (2014): 187-212, at 191 [hereinafter cited as Briceño Moraia].
Due to the provisions that relate to stem cell research and the assisted reproduction.
Kaye, J., Gibbons, S. M. C. and Heeney, C. et al., eds., Governing Biobanks: Understanding the Interplay between Law and Practice (Oxford: Hart Publishing, 2012): at 52.
Kaye, J., “The Regulation of Human Genomics Research,” in Kumar, D. and Eng, C., eds., Genomic Medicine: Principles and Practice (Oxford: Oxford University Press, 2015).
Kaye, J., Gibbons, S. M. C., Heeney, C., Parker, M., Smart, A., Governing Biobanks: Understanding the Interplay between Law and Practice (Bloomsbury Publishing, 2012): at 47.
See Moraia, Briceño, supra note 10.
Schulte in den Bäumen, T., Paci, D. and Ibarreta, D., “Data Protection and Sample Management in Biobanking — A Legal Dichotomy,” Genomics, Society and Policy 6, no. 1 (2010): 33-46, available at <> (last visited February 26, 2016).
There is separate legislation in Scotland - the Human Tissue (Scotland) Act 2006 - and the HTA performs certain tasks on behalf of the Scottish Executive (approval of living donation and licensing of establishments storing tissue for human application): Scottish Executive Health Department, Human Tissue (Scotland) Act 2006, asp 4, March 16, 2006.
This implements the Data Protection Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, October 24, 1995 [hereinafter cited as Data Protection Directive].
Implementing the European Convention for the Protection of Human Rights and Fundamental Freedoms as amended by Protocols No. 11 and No. 14, November 4, 1950.
Although privacy is not an absolute right, interference must be justified in the public interest and/or according to law — Human Rights Act 1998, c. 42, November 9, 1998, at Article 8 (2). Where privacy rights are engaged, determining whether they are violated requires balancing claims of the victim against justification offered for the infringement and assessing whether the infringement is necessary and proportionate to the achievement of those aims.
The Freedom of Information Act covers any recorded information that is held by a public authority in England, Wales, and Northern Ireland, and by UK-wide public authorities based in Scotland. Information held by Scottish public authorities is covered by Scotland’s own Freedom of Information (Scotland) Act 2002, asp 13, May 28, 2002.
Applicable in England and Wales, with a few exceptions that extend to Scotland and Northern Ireland.
Sterckx, S., Rakic, V., Cockbain, J. and Borry, P., ‘“You Hoped we would sleep walk into accepting the collection of our data”: controversies surrounding the UK scheme and their wider relevance for biomedical research’ Medicine, Health Care and Philosophy DOI: 10.1007/s11019-015-9661-6; “,” Nature 507, no. 7490 (2014): doi: 10.1038/507007a; Mitchell, C., Moraia, L. Briceño, and Kaye, J., “Health Database: Restore Public Trust in Project,” Nature 508, no. 7497 (2014): DOI: 10.1038/508458e.
Directive 2004/23/EC of the European Parliament and of the Council on setting standards of quality and safety for the donation, procurement, testing, processing, preservation, storage and distribution of human tissues and cells, at 48-58, March 31, 2004. Two technical annexes (Commission Directives 2006/17/EC and 2006/86/EC) provide detailed rules.
Regulation (EU) No 536/2014 of the European Parliament and of the Council on clinical trials on medicinal products for human use, and repealing Directive 2001/20/EC, at 99, April 16, 2014.
See Data Protection Directive, supra note 17.
Such as the Medical Research Council.
UK Biobank, UK Biobank Ethics and Governance Framework (2007), available at <> (last visited May 5 2015).
The EGC lacks the power of veto, but can “go public” if not satisfied that Biobank is being run in the public interest in accordance with the EGF.
Wood v. Commissioner of Police for the Metropolis (2009) EWCA Civ 414, at §21.
Google Inc v. Vidal-Hall & Ors (2015) EWCA Civ 311 (EWCA (Civ)).
In the Google case, “personal” and “private” information are considered separate “types” of information.
Bolitho v. City and Hackney HA (1997) 4 All ER 771; medical opinion must be capable of withstanding logical analysis.
Montgomery v. Lanarkshire Health Board (2015) UKSC 11 (UKSC (2015)) [hereinafter cited as Montgomery Case].
NHS Health Research Authority, HRA Approval, available at <> (last visited February 11, 2016).
The role of CAG is to review applications and advise whether there is sufficient justification to access the requested confidential patient information: NHS Health Research Authority, Section 251 and the Confidentiality Advisory Group (CAG), available at <> (last visited February 11, 2016).
ico., “ICO Given New Powers to Audit NHS,” available at <> (last visited February 11, 2016).
A Caldicott Guardian is a senior person responsible for protecting the confidentiality of a patient and service-user information and enabling appropriate information-sharing.
National Research Ethics Service, NHS Health Research Authority (2015) ‘Standard Operating Procedures for Research Ethics Committees’ Version 6.1: <> accessed 23 February 2016. Para 11.23 relating to Research Databases states: ‘Applicants may also seek generic approval on behalf of external researchers receiving non-identifiable data to undertake valuable scientific studies. Data sharing is encouraged in the interests of maximising the research potential of stored data, provided that adequate safeguards are in place to protect confidentiality. The REC may give generic approval that would extend to studies by external researchers subject to conditions. (see paragraph 11.27)’
Kaye, J., Kanellopoulou, N. and Hawkins, N. et al., “Can I Access My Personal Genome? The Current Legal Position in the UK,” Medical Law Review 22, no. 1 (2014): 64-86; N. Homer, S. Szelinger, and M. Redman et al., “Resolving Individuals Contributing Trace Amounts of DNA to Highly Complex Mixtures Using High-Density SNP Genotyping Microarrays,” PLoS Genet 4, no. 8 (2008): e1000167.
R (on the application of the Department of Health) v. Information Commissioner [2011] EWHC 1430.
See Moraia, Briceño, supra note 10.
In the opinion of the Art. 29 Working Party, “the application of these rules will justifiably be more flexible than if information on directly identifiable individuals were processed.” — The Working Party on the Protection of Individuals with Regard to the Processing of Personal Data, Opinion 4/2007, WP 136, June 20, 2007.
The latest draft of the proposed EU Data Protection Regulation contains a definition of “pseudonymous data”: under Art. 4 (2a) it means “personal data that cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution.” See European Parliament, European Parliament Legislative Resolution on the Proposal for a Directive of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data (COM(2012)0010 — C7-0024/2012 — 2012/0010(COD)), March 12, 2014.
“Genome data will be generated against a participant identifier. However, the association between that identifier and the name of the patient concerned will be stored in a physically and logically separated database, it will not be shared with researchers” See E. Hockings and L. Coyne, “Privacy Concerns in the Development of Personalised Medicine and the 100,000 Genome Project,” The Guardian (March 2015), available at <> (last visited February 11, 2016).
Wolfson, M., Wallace, S. E. and Masca, N. et al., “DataSHIELD: Resolving a Conflict in Contemporary Bioscience — Performing a Pooled Analysis of Individual-level Data Without Sharing the Data,” International Journal of Epidemiology 39, no. 5 (2010): 1372-1382.
See Nuffield Council on Bioethics, The Collection, Linking and Use of Data in Biomedical Research and Health Care: Ethical Issues (2015), available at <> (last visited February 11, 2016) [hereinafter cited as Nuffield Report].
Id., at 68.
Id., at 34.
Goyal, V., Pandey, O. and Sahai, A. et al., Attribute-Based Encryption for Fine-grained Access Control of Encrypted Data ACM CCS, ACM Conference on Computer and Communications Security (2006), available at <> (last visited February 11, 2016); A. Shamir, “Identity-Based Cryptosystems and Signature Schemes,” in G. R. Blakley and D. Chaum, eds., Advances in Cryptology: Proceedings of CRYPTO 84 (Berlin: Springer-Verlag, 1985): 47-53; D. Boneh, A. Sahai, and B. Waters, “Functional Encryption: Definitions and Challenges,” in Y. Ishai, ed., Theory of Cryptography: 8th Theory of Cryptography Conference (Providence: Springer, 2011): 253–273.
UK Biobank, “Access Sub-Committee,” available at <> (last visited February 11, 2016).
BioSHaRE-EU biobanks do not have a common data access policy, and researchers still need to contact each cohort individually to get access authorisation. To address some of the issues arising from not having such a “common data access policy” an internal process allowing to track cohorts having provided (or not) access authorization has been developed. The Access Coordination Committee informs the harmonization team about the approved protocols, and the central IT office develops the processing algorithms, and it grants access to registered investigators to use DataSHIELD software on variables defined in their research protocol and only for the biobanks that approved the protocol.
Knoppers, B. M., “Framework for Responsible Sharing of Genomic and Health-Related Data,” The HUGO Journal 8, no. 3 (2014): 16.
Kaye, J. et al., “Dynamic Consent: A Patient Interface for Twenty-First Century Research Networks,” European Journal of Human Genetics 23 (2015): 141-146.
“Effectively, broad consent is ‘consent for governance’ by others, as judgements about appropriate uses of data and samples often fall to researchers, advisory boards, or research ethics committees, who must take decisions on behalf of research participants.” See Kaye, J., “The Tension between Data Sharing and the Protection of Privacy in Genomics Research,” Annual Review of Genomics and Human Genetics 13 (2012): 415-431, at 422, DOI: 10.1146/annurev-genom-082410-101454 [hereinafter cited as Kaye 2012]; J. Kaye, C. Heeney, and N. Hawkins et al., “Data Sharing in Genomics: Re-shaping Scientific Practice,” Nature Reviews Genetics 10, no. 5 (2009): 331-335 [hereinafter cited as Kaye 2009]; K. S. Steinsbekk, B. Kare Myskja, and B. Solberg, “Broad Consent Versus Dynamic Consent in Biobank Research: Is Passive Participation an Ethical Problem?” European Journal of Human Genetics 21, no. 9 (2013): 897–902.
Kaye, J., Whitley, E. A. and Lund, D. et al., “Dynamic Consent: A Patient Interface for Twenty-First Century Research Networks,” European Journal of Human Genetics 23, no. 2 (2015): 141-146 [hereinafter cited as Kaye 2015].
Erlich, Y. and Narayanan, A., “Routes for Breaching and Protecting Genetic Privacy,” Nature Reviews Genetics 15, no. 6 (2014): 409-421.
National Institute for Health Research, “Rudy,” available at <> (last visited February 11, 2016); H. Williams, K. Spencer, and C. Sanders et al., “Dynamic Consent: A Possible Solution to Improve Patient Confidence and Trust in How Electronic Patient Records are Used in Medical Research,” Journal of Medical Internet Research 3, no. 1 (2015): e3; see Kaye 2015, supra note 52.
EnCoRe, “EnCoRe Project,” available at <> (last visited February 11, 2016).
UK Biobank Ltd., “UK Biobank Ethics and Governance Framework: Version 3.0, UK Biobank 2007,” available at <> (last visited February 22, 16).
See also Allen, N. E., Sudlow, C. and Peakman, T. et al., “UK Biobank Data: Come and Get It,” Science Translational Medicine 6, no. 224 (2014): 224ed4.
See also Fortin, S., Pathmasiri, S. and Grintuch, R. et al., “‘Access Arrangements’ for Biobanks: A Fine Line between Facilitating and Hindering Collaboration,” Public Health Genomics 14, no. 2 (2011): 104-114.
Joly, Y., Dove, E. S. and Knoppers, B. M. et al., “Data Sharing in the Post-genomic World: The Experience of the International Cancer Genome Consortium (ICGC) Data Access Compliance Office (DACO),” PLoS Computational Biology 8, no. 7 (2012): e1002549; see Fortin et al., id.; M. Parker, S. J. Bull, and J. De Vries et al., “Ethical Data Release in Genome-Wide Association Studies in Developing Countries,” PLoS Medicine 6, no. 11 (2009): e1000143.
See Nuffield Report, supra note 44, at xxii.
Information Governance Working Group, SHIP Guiding Principles and Best Practices (SHIP 2010), available at <> (last visited February 22, 2016).
See Kaye, 2012, supra note 51; Kaye 2009, supra note 51.
Laurie, G., “Managing Access to Biobanks: How Can We Reconcile Privacy and Public Interests in Genetic Research?” Medical Law International 10 (2010): 315.
Data Protection Act 1998, c. 29, July 16, 1998, para 1 [hereinafter cited as Data Protection Act].
Data Protection (Processing of Sensitive Personal Data) Order 2000, No. 417, March 1, 2000.
Kennedy, I. and Grubb, A., eds., Medical Law (Oxford: Butterworths, 2000): at 589.
See Montgomery Case, supra note 33.
Id., at 107.
Caparo Industries plc v. Dickman & Ors (1990) UKHL 2 (UKHL (1990)).
See Data Protection Act, supra note 61.
Health and Social Care Act 2012, c. 7, March 27, 2012, at § 259 (10) (a).
National Health Service Act 2006, c. 41, November 8, 2006, at § 251 (4).
For example, the latest European Council draft of the EU General Data Protection Regulation is close to the standards of the UK’s Data Protection Act 1998.
A recent comparative analysis of the requirements for data use in biobanks in certain EU member states found that there are considerable differences in the way that the data protection principles are implemented into national law, and in particular, there are three key areas of considerable differences between the requirements in these countries. These are the definition of “personal data,” requirements for pseudonymization and rules on processing of data for medical research. See Briceño Moraia, supra note 10.