When asked if Biobank participants could potentially be identified through sharing of its datasets, Sir Rory told Today it was “impossible” to entirely rule out that people could be identified by using its de-identified data and other information.
But he said there was no evidence to suggest this had taken place.
The organisation referred itself to the UK’s data watchdog, the Information Commissioner’s Office (ICO).
An ICO spokesperson said in a statement on Thursday it had been informed of the incident and was making enquiries.
“People’s medical data is highly sensitive information, not only do people expect it to be handled carefully and securely, organisations also have a responsibility under the law,” they said.
Jon Baines, senior data protection specialist at law firm Mishcon de Reya, said the regulator would likely be seeking to confirm volunteer information was truly de-identified and, as such, does not constitute personal data under UK law.
Meanwhile, the organisation said there would also be a “comprehensive and forensic board-led investigation of this incident”.
Sir Rory acknowledged “we can always do more” to prevent potential misuse, but said it had to balance making data available for scientific discovery and protecting it.
“UK Biobank has allowed discoveries to be made that otherwise would never have emerged about how to prevent and treat diseases like dementia,” he told Today.
“The balance then is how do you put in place safeguards to allow that to go on, while doing it in a secure way.”
