Chinese researchers will be granted access to NHS data despite MI5 fears that Beijing’s regime could acquire sensitive information, an investigation has found.
UK Biobank, a research hub, is preparing to transfer data from half a million GP records to its central database where it will be available for use by universities, scientific institutes and private companies.
The medical information has been donated by volunteers, who have agreed for data from their GP records to be added to the database.
Health officials have now audited processes for sharing data internationally – including assessment of applications from China.
A spokesman from UK Biobank told The Guardian that China had passed the audit, meaning researchers from the country can apply to access the records.
The newspaper’s analysis found that one in five successful applications for access to medical data already held by UK Biobank has come from China.
MI5 has previously warned that Chinese organisations and individuals granted access to UK data could be ordered by Chinese intelligence agencies to carry out work on their behalf.
Chinese spying risk warnings
In a joint address in July 2022, Ken McCallum, MI5’s director general, and Christopher Wray, the then FBI director, raised concerns about Chinese entities attempting to acquire sensitive information and technology from Western institutions, warning of businesses and individuals being “forced by law” to co-operate with the Chinese Communist Party.
For the past year, UK health officials had been assessing whether extra safeguards were needed for patient records when added to the genomes, tissue samples and questionnaire responses in the database.
Personal details such as names and dates of birth are stripped from the database before it is shared, but some experts say it is possible for some individuals to be identified.
Luke de Pulford, executive director of the Inter-Parliamentary Alliance on China, said: “UK data transfer rules are totally inadequate. Zettabytes of personal data are routinely transferred to China, and it’s all totally legal.
“Beijing’s regulations make enforcing data rights in Xi’s party-state impossible, and vulnerable to requisition by the Chinese authorities. We should close the loophole that allows UK citizens to be exposed to this.”
A government spokesman said: “Protecting national security is the foundation of everything we do. We have strict security procedures in place to ensure all sensitive UK health data information is protected.”
Of the 1,375 successful applications for access to UK Biobank data, 265 came from China, second only to the US, according to a Guardian analysis of its published records.
A unit of Chinese genetics company BGI is among those given approval to access the data.
The US has blacklisted BGI subsidiaries. In 2023, Joe Biden’s administration justified the restrictions, saying it had information indicating that BGI units’ “collection and analysis of genetic data poses a significant risk of contributing to monitoring and surveillance by the government of China, which has been utilised in the repression of ethnic minorities in China”.
It also claimed “the actions of these entities concerning the collection and analysis of genetic data present a significant risk of diversion to China’s military programmes”.
But a BGI representative said these were “unsubstantiated allegations”, adding: “We have never undertaken genetic surveillance of anybody. BGI does not engage in unethical practices and does not provide gene technology for surveillance. BGI does not condone and would never be involved in any human rights abuses.”
The company dismissed claims the military could access data, saying its research “is undertaken for civilian and scientific purposes only”.
A UK Biobank representative said it was “continually in dialogue” with MI5 and other state agencies about the use of its data, including by BGI.
Chinese researchers have used UK Biobank data to research air pollution and biological markers to predict dementia.
Approval to access data
In October, Wes Streeting, the Health Secretary, gave instructions to press ahead with the transfer of patient records for consenting volunteers to UK Biobank and other research hubs, despite objections from some GPs and privacy campaigners.
In December, Michael Chapman, a senior NHS England official, said “access will only be for countries approved by NHS England”, adding that approval would be based on “security considerations” and countries’ data protection.
NHS England said: “Any approval of access to personal data from overseas territories requires data recipients to comply with their responsibilities” under UK data law “and is kept under review if circumstances change”.
Intelligence sources raised concerns that health data can be useful in espionage if anonymisation can be broken. Experts say it may be possible to match public information about an individual’s medical treatment with anonymised patient records to identify who they refer to.
Edward You, then a top US intelligence officer specialising in new technologies, said in 2021: “Once they have access to your genetic data, it’s not something you can change like a pin code.”
A spokesman for UK Biobank said it had “no evidence of anyone being identified”.
Prof Sir Rory Collins, UK Biobank’s chief executive, said: “All our volunteers have given explicit consent for researchers to study their de-identified health data, and many have emphasised the importance of their GP data being analysed.”
After China adopted legislation in 2017 to enforce cooperation with the regime’s spies, MI5 warned custodians of British personal data that the national intelligence law “may affect the level of control you have over your information and assets as you engage with Chinese individuals and organisations, especially if you work in an area that is of interest to the Chinese state”.
The UK government spokesman added: “UK Biobank data sharing has been in use for over a decade and is always de-identified, removing the direct and indirect details that allow people to be identified.
“There is an extremely high bar and data is only shared with legitimate researchers for specific research purposes. It can only be accessed within a secure digital environment and it is not possible to download copies of the GP data outside of that secure digital space.”
An NHS spokesman said: “NHS England is working closely with government and the GP profession to allow GP data to be shared with specific approved research studies in cases where individual patient consent has been provided.
“While a legal direction would be required before any data is shared or before any agreement reached, NHS England will continue to work to ensure that appropriate measures are in place to protect NHS data.”
