Guardian: Private UK health data donated for medical research shared with insurance companies (UK Biobank)

cassava7

Observer investigation reveals UK Biobank opened its biomedical database to insurance firms despite pledge it would not do so

Sensitive health information donated for medical research by half a million UK citizens has been shared with insurance companies despite a pledge that it would not be.

An Observer investigation has found that UK Biobank opened up its vast biomedical database to insurance sector firms several times between 2020 and 2023. The data was provided to insurance consultancy and tech firms for projects to create digital tools that help insurers predict a person’s risk of getting a chronic disease. The findings have raised concerns among geneticists, data privacy experts and campaigners over vetting and ethical checks at Biobank.

https://www.theguardian.com/technol...d-medical-research-shared-insurance-companies
 
Sensitive health information donated for medical research by half a million UK citizens has been shared with insurance companies despite a pledge that it would not be.
Whoa! If true in the US as well, the implications to people like me could be bad. That has to be illegal if they said it would be shared with no one.

I don't see how private insurance will be possible in the future given advances in genetics. Everyone is at risk of something.
Tiered pricing, with some folks not allowed coverage? Folks like us?
 
The Information Commissioner’s Office, the UK’s data privacy watchdog, is considering the matter. It said: “People have the right to expect that organisations will handle their information securely and that it will only be used for the purpose they are told or agree to

How will this affect research? Will anyone want to donate to such a resource in future?
 
If insurance companies discover that patient X has a 25% risk of getting disease Y it begs the question - Will they tell the patient? I think they should be obliged to if the patient wants to know.
 
As I understand it, the biobank data is anonymised, so a company buying the biobank data won't allow the company to find out an individual client's data. They will, however, use the mass of data to work out probabilities they use for calculating risks their clients have of getting an illness if that client gives them their personal data. Or it could move on to situations where you can only get life insurance if you agree to have your biological data analysed so they can work out your risks.
 
I thought it was "pseudonymised" i.e. uses very poor methods of anonymising people. i.e. some postcodes only apply to a tiny number of people. So, someone knowing gender, age, postcode could easily identify the person whose data it is.
"Keeping your data secure

We take data security seriously, as your contribution is enabling discoveries that will improve the health and day to day lives of millions of people. We separate your details from the information you provide about yourself almost as soon as those data are collected. Researchers have no interest in identifying participants since their goal is to compare large groups of people to try and understand why some people develop certain illnesses and others do not.

Nonetheless, scientists must sign a legal contract before receiving data, promising they will not try to identify participants. Our data are protected by encryption and behind secure firewalls and our storage systems are tested regularly and updated when necessary."

https://www.ukbiobank.ac.uk/explore-your-participation
 
Are insurance companies considered scientists?

If not then how is it relevant that scientists must agree to something before receiving data?

All adoptees must agree to treat any kittens that we supply well, and not to use them for cooking with...is kind of null and void if the kittens are supplied via a feeding chute to tigers....
 
Promising to try... What an odd phrase to use in this context. It sounds as likely as an addict promising to give up what they are addicted to tomorrow - and they really mean it this time!
Well, it doesn't say that. The phrase is actually "promising they will not try to identify participants", so they are having to promise not to "try to identify participants". And that is more encompassing than promising not to identify participants, where they would only be in trouble if they actually identify someone - instead they would be in trouble if they took steps to simply attempt to identify someone.
 
I thought it was "pseudonymised" i.e. uses very poor methods of anonymising people. i.e. some postcodes only apply to a tiny number of people. So, someone knowing gender, age, postcode could easily identify the person whose data it is.
Depends what other databases they have access to, which is the issue.

I’d assume there is a norm of not being allowed to report at all where it is five or less in ‘a group’ eg gender or age.

Putting that aside, they don’t need to know a name to be pretty specific to individuals - if you imagine car insurance might use proxies that seem random to whether you are a good driver, such as ‘if someone crashed into you’ actually increasing your insurance but potentially even more random things than these only have to be unpicked that they are allowed to isolate based on and they can just crunch it into an actuarial function for insurance forms.

eg How many people living in Windsor drive twenty year old Saabs and are 50m from a river and park on the street for example.

I don’t know what the equivalents applying to health insurance - that legislation and regulations both allow and properly check on to oversee - and how ‘relevant’ they have to seem but I think overseers need to be aware.

I'm struggling to see the positive applications in this tbf. The idea insurers would think ‘pay out early on adjustments and useful medical support (rather than undermining support) to prevent them getting permanently worse’ would be a heeded message seems cloud cuckoo so…
 
"Keeping your data secure

We take data security seriously, as your contribution is enabling discoveries that will improve the health and day to day lives of millions of people. We separate your details from the information you provide about yourself almost as soon as those data are collected. Researchers have no interest in identifying participants since their goal is to compare large groups of people to try and understand why some people develop certain illnesses and others do not.

Nonetheless, scientists must sign a legal contract before receiving data, promising they will not try to identify participants. Our data are protected by encryption and behind secure firewalls and our storage systems are tested regularly and updated when necessary."

https://www.ukbiobank.ac.uk/explore-your-participation

I saw somewhere that there is a change in the rules in 2006 or something like that to allow that level of sharing.

I thought it was "pseudonymised" i.e. uses very poor methods of anonymising people. i.e. some postcodes only apply to a tiny number of people. So, someone knowing gender, age, postcode could easily identify the person whose data it is.

Pseudonymised I think is fine I don't see it as being an issue - as far as I can see the main thing with pseudonymisation rather than anonymization is an ability to reverse the identifiers. So for example you split off identification info from other info and then assign a random number to an individual's other info so that it says this info belongs to a person. Then with pseudonymised data you would keep a table with the identification info and this random number such that if necessary an appropriate authority can identify the individual. But this would not be shared.

I don't know what they are doing with things like post codes here but typically a k-anonymization method is used such that if you include data of say location and gender by grouping into wider values (say women in London or men in Manchester) you would check that there are at least k people in each group which reduces the likelihood of identification of an individual.
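
The two ideas discussed in this thread (pseudonymisation with a withheld key table, and a k-anonymity check on gender, age and postcode) can be seen side by side in the following added example, which is not part of any post above and is not UK Biobank's method. The records, the three generalisation levels and all function names are constructed for illustration.

```python
import secrets
from collections import Counter
from itertools import takewhile

# Constructed sample records (not real data): name, sex, age, postcode, condition
RECORDS = [
    ("Person 1", "F", 31, "SW1A 1AA", "asthma"),
    ("Person 2", "F", 36, "SW1A 2AB", "diabetes"),
    ("Person 3", "F", 38, "SW1P 3BU", "asthma"),
    ("Person 4", "M", 52, "M1 1AE", "hypertension"),
    ("Person 5", "M", 57, "M1 4BT", "diabetes"),
    ("Person 6", "M", 44, "M4 5JD", "asthma"),
    ("Person 7", "F", 24, "SW3 4RY", "hypertension"),
    ("Person 8", "M", 59, "M1 2WD", "asthma"),
]

def pseudonymise(records):
    """Split names from the data. Returns (rows to share, key table to keep private)."""
    shared, key_table = [], {}
    for name, sex, age, postcode, condition in records:
        pid = secrets.token_hex(8)      # random, so it cannot be derived from the name
        key_table[pid] = name           # held back by the data holder, never shared
        shared.append({"pid": pid, "sex": sex, "age": age,
                       "postcode": postcode, "condition": condition})
    return shared, key_table

def quasi_id(row, level):
    """Generalise (sex, age, postcode). Level 0 = raw, 1 = 10-year band and
    outward code, 2 = 20-year band and postcode area letters (assumed levels)."""
    outward = row["postcode"].split()[0]
    if level == 0:
        return row["sex"], row["age"], row["postcode"]
    width = 10 if level == 1 else 20
    low = row["age"] // width * width
    area = outward if level == 1 else "".join(takewhile(str.isalpha, outward))
    return row["sex"], f"{low}-{low + width - 1}", area

def smallest_group(rows, level):
    """Size of the smallest group sharing one generalised quasi-identifier."""
    return min(Counter(quasi_id(r, level) for r in rows).values())

def min_level_for_k(rows, k):
    """Lowest generalisation level at which every group has at least k people."""
    return next((lvl for lvl in range(3) if smallest_group(rows, lvl) >= k), None)

if __name__ == "__main__":
    shared, _ = pseudonymise(RECORDS)
    for lvl in range(3):
        print(f"level {lvl}: smallest group = {smallest_group(shared, lvl)}")
```

Removing the names leaves every raw row in a group of one, so the pseudonymised rows are still unique on gender, age and postcode until those fields are coarsened.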
 