The UK Biobank breach is a warning shot for Britain’s new data regime, writes Dr Raj Joshi. If a flagship science project can lose control of sensitive personal information, the Data (Use and Access) Act 2025 demands far tougher safeguards

More than 20 years ago, hundreds of thousands of people across Britain signed up to one of the most ambitious medical research projects ever attempted.

They gave blood and urine samples, answered questions about their diet, sleep, work, lifestyle, mental health and family background, and allowed their health to be tracked over time. Many also agreed to genetic analysis, scans and access to medical records. The promise was clear: their data could help scientists understand, prevent and treat some of the world’s most serious diseases.

That project was UK Biobank, a vast biomedical database now used by researchers around the world to study conditions including dementia, cancer, Parkinson’s disease, chronic pain and Covid-19 immunity.

It was all going rather well until confidential details relating to all 500,000 volunteers appeared for sale on Alibaba.

The information reportedly included gender, age, month and year of birth, assessment centre details, attendance dates, socioeconomic status, lifestyle habits, sleep, diet, work environment, mental health, health outcomes and measures from biological samples relating to haematology, biology and chemistry.

Unlike many corporate data breaches, this appears to have come through authorised access rather than a hostile cyber attack or an extortion attempt. Three Chinese academic institutions, all now suspended from the platform, are believed to have accessed UK Biobank data legitimately before data made available to them found its way into three separate listings on Alibaba, including one said to contain information relating to all half-a-million participants.

Unsurprisingly, the government has sought to play the incident down while highlighting the steps taken to contain it. Ministers have stressed that there is no current evidence the data was bought before the listings were removed, and that the files were de-identified, containing no names, addresses, contact details, telephone numbers or NHS numbers.

We are, it seems, supposed to be reassured.

The uncomfortable truth is that sensitive data can be put at risk by the very access systems designed to make it useful. Approved institutions, accredited researchers and permissions granted in good faith can all become critical points of failure.

I have already argued in these pages that the Data (Use and Access) Act 2025 raises serious questions about ministerial power, automated decision-making, financial privacy and the future limits of state surveillance. At its core, the Act broadens the circumstances in which data can be accessed, shared and reused across parts of the economy and public services.

It creates a more permissive framework for automated decision-making, gives ministers significant powers to bring provisions into force and reshape parts of the regime through regulations, and places greater weight on institutional judgement about what searches and safeguards are “reasonable and proportionate”.

But if a flagship scientific database like UK Biobank, built on consent, accreditation and strict research controls, can see sensitive information copied out of its intended environment by authorised users, then any regime built on wider access must answer a harder question: what stops the same failure happening elsewhere?

Courts have repeatedly recognised that intimate personal information sits close to the core of private life, and de-identification does not remove the need for strict control where data is deep, sensitive and potentially linkable.

The lesson is therefore narrow, but serious. UK Biobank remains an extraordinary scientific resource, and its contribution to global health research is substantial. Its breach does not undermine the case for public-interest research  but it does expose the danger of building a national data regime around expanded access before the systems of containment, audit and accountability are demonstrably strong enough to bear the weight.

For the volunteers who entrusted some of their most intimate information to a flagship scientific project, the word “de-identified” will only go so far.

Dr Raj Joshi is a senior barrister and prominent civil rights advocate whose career spans frontline legal practice, regulatory reform, and international justice. Twice named among the ‘Top 10 Asian Lawyers in the UK’ and listed in the ‘100 Most Influential Asians in the UK’, he has appeared before major inquiries, including giving evidence in the Stephen Lawrence case, and served as Chair of the Society of Black Lawyers. A former Adjudicator to the Solicitors Regulation Authority, Dr Joshi has advised ministers, helped shape legal protocols, and represented the UK in international legal forums. 

READ MORE: What Mexico’s giant data breach tells us about the new hacking age. A huge hack of Mexican government systems exposed nearly 195 million identities and showed how everyday AI tools are being used to build attacks step by step. Has ChatGPT and other platforms opened hacking up to the masses, asks Ian Copeland, Techno-Sociology & Futures correspondent?

Do you have news to share or expertise to contribute? The European welcomes insights from business leaders and sector specialists. Get in touch with our editorial team to find out more.

^{Main image: Pavel Danilyuk/Pexels}