UK Biobank Incident: Trust Is the Currency of Health Data – And We Are Spending It Too Casually

The UK Biobank incident is not just a breach of process – it is a warning that our model of global data access is running ahead of the governance needed to sustain public trust.

Ben Howlett

Chief Executive, Curia

Curia Chief Executive Ben Howlett, former Chair of the Parliamentary Group for Data Analytics, writes that the UK Biobank incident is a warning that our model of global data access is running ahead of the governance needed to sustain public trust.

The news that data from UK Biobank was briefly listed for sale online is unsettling not because of what was taken, but because of what it reveals.

For years, the UK has built a quiet but formidable advantage in health data. Initiatives like Biobank have shown what is possible when scale, public participation and scientific ambition align. Half a million people have volunteered deeply personal information – not for profit, not for recognition, but in the belief that it would contribute to better understanding, earlier diagnosis and ultimately improved outcomes for others.

That belief matters. It is the invisible infrastructure on which the entire system rests.

So, when that data appears, even momentarily, in a commercial marketplace – regardless of whether it is de-identified, regardless of whether it is ultimately purchased – something more profound is disrupted. The implicit contract between citizen and system is called into question.

We often talk about data as an asset. But in health, it is something more fragile. It is a proxy for human experience – illness, risk, vulnerability. And it is lent, not owned.

The illusion of anonymisation

Much of the immediate response has centred on reassurance. The data, we are told, did not include names, addresses or direct identifiers. It was “de-identified”.

Technically, this is correct. Strategically, it is insufficient.

Because anonymisation is not a binary state. It is a spectrum – and one that becomes increasingly complex as datasets grow richer and more interconnected. Age, geography, health conditions, genetic markers, lifestyle patterns – individually, these may not identify someone. Combined, they begin to form a recognisable profile.

This is not a theoretical concern. It is a known challenge in modern data science.

But more importantly, it is not how the public experiences risk. For most people, the distinction between “identified” and “identifiable” is not meaningful when their data appears in a context they did not consent to. The issue is not just whether someone can be traced back to them. It is whether the system behaved in a way that felt secure and respectful.

On that measure, reassurance alone will not be enough, and this incident has undermined those of us who have been championing the benefits of patient data utilisation for many years.

When legitimate access becomes the problem

What makes this incident particularly uncomfortable is what it was not.

This was not a cyberattack. There was no external breach. As confirmed by Technology Minister Ian Murray in the House of Commons, this was data accessed legitimately by accredited researchers, operating within institutions that had passed the necessary checks.

That should shift the focus.

For years, the conversation around data security has been dominated by perimeter defence – keeping bad actors out. But in this case, the risk came from within the system, after access had already been granted.

The model we have relied on is built on layers of trust. Researchers are vetted. Institutions sign agreements. Platforms are secured. And then, at a certain point, control gives way to expectation – that those who have been granted access will behave appropriately.

As UK Biobank Chief Executive Professor Sir Rory Collins acknowledged in his response, when that expectation is broken, the system moves quickly to containment: access is suspended, institutions are banned, data is requested to be deleted.

But that sequence reveals a deeper truth. The system is designed to respond to misuse, not to make misuse materially difficult.

In a world where data carries both scientific value and commercial potential, that is no longer a sufficient safeguard.

The fragility of a global research model

There is a tension at the heart of this story that cannot be ignored.

UK Biobank has enabled researchers from around the world to interrogate one of the richest health datasets ever assembled, leading to thousands of discoveries across cancer, dementia, cardiovascular disease and more.

To retreat from that openness would be to undermine the very model that has made the UK a leader in life sciences.

And yet, openness without continuous control creates exposure.

The globalisation of research – across institutions, jurisdictions and regulatory environments – has outpaced the evolution of the systems designed to govern it. Contracts, training and institutional accountability were once sufficient when data flows were smaller and slower. They are less robust in an era where data can be extracted, duplicated and moved at speed.

Collaboration now requires a different architecture to meet the expectations of future generations.

Public confidence is the real battleground

The long-term risk here is not scientific delay – it is an erosion of trust.

Public participation in large-scale data initiatives is not guaranteed. As seen with the 100,000 Genomes Project, it is earned, slowly, through consistency and credibility. And it can be weakened quickly.

Even a modest decline in willingness to share data can have disproportionate effects – reducing the diversity, scale and reliability of datasets that underpin research. In fields like genomics and population health, where statistical power is everything, that matters enormously.

But the issue goes beyond participation rates. It speaks to a broader question: do people feel that the systems built around their data are genuinely on their side?

When incidents like this occur, the answer becomes less certain.

And once doubt sets in, it is far harder to rebuild confidence than it is to maintain it.

From trust to assurance for UK Biobank

If there is a lesson to take from this moment, it is that trust, on its own, is no longer an adequate operating model.

We need to move towards assurance.

That means designing systems that do not simply rely on good behaviour but actively constrain bad behaviour. It means shifting from a mindset of permission to one of continuous oversight. And it means recognising that governance is not a static framework, but an evolving discipline that must keep pace with technology.

Access must be more tightly coupled with purpose. Secure data environments must limit what can be removed, not just who can enter. Monitoring must be real-time, not retrospective. And accountability must extend beyond individual actors to the structures that enable them.

None of this is straightforward. All of it introduces friction into a system that has thrived on accessibility.

But the alternative is a model that becomes progressively more difficult to defend.

UK Biobank Chief Executive Professor Sir Rory Collins told BBC Breakfast this morning the incident was caused by “a few bad apples” who took de-identified data off the platform and listed it for sale, prompting Biobank to suspend access and tighten safeguards.

A defining moment for UK data leadership

The UK has long argued that it offers a unique environment for health innovation – combining world-class science, a unified health system and high-quality data at scale.

The events of the last few days will not undermine that proposition. But it depends on something deeper than capability – it depends on confidence.

The incident with UK Biobank is a test of that confidence.

Handled with seriousness and transparency, it can become a catalyst for strengthening the system – an opportunity to modernise how we think about data stewardship in a global, AI-driven research landscape.

Handled defensively, or treated as an isolated failure, it risks signalling that the governance underpinning one of our greatest strengths is not keeping pace with its importance.

The choice is not between openness and security, but whether we are prepared to build systems that genuinely deserve both.
