select search filters
briefings
roundups & rapid reactions
Fiona fox's blog

The Biobank Letters

Intro

On 23 April, a science minister stood up in the Commons and announced that data from UK Biobank volunteers had been offered for sale online on Alibaba in China.

This was frontpage news with questions about how this could happen and what data security was in place.

UK Biobank is a world-renowned research resource with comprehensive biological and health information on 500,000 people, enabling significant new findings across all of medicine. But people’s confidence in how their data is handled is a prerequisite for such research, often with a fear that such trust is easily lost and hard to recover.

At moments like these, what should communications responses look like; what do we know of public views and opinions; and how should we talk about the potential benefits of data research while explaining the levels of security in place to guard against data breaches?

Fiona Fox was already swapping emails about this story with experienced science communications leader, Simon Wilde, when she challenged him to a debate (three rounds, no more than 500 words in each, nothing below the belt, Simon to go first).

They asked me in as a referee to oversee. I don’t know why. They’ve both got strong views and as you’ll see below, they’ve not needed me to ensure a good, clean fight. I’ve ended up being a neutral observer, able to enjoy their debate as it happened.

Now you can all enjoy it too and form your own strong views.

Jonathan Wood, Health Data Research UK

 

 

Letters

Simon Wilde

Dear Fiona,

I’ve been thinking about your question following the UK Biobank headlines: ‘Are the benefits to society of using health data in research such that we collectively acknowledge the risks of breaches and own them, rather than defaulting to apology and tightened controls?’ It’s a question worth discussing, and you’re right that it’s been crowded out by the current commentary which is all about privacy.

It’s the second question, though. The first question we should ask is ‘who decides?’

Who gets to do the ‘collective acknowledging’, and on whose terms? Until that’s settled, ‘society owns the risk’ can mean anything from a genuine public settlement to a small group of people deciding on everyone else’s behalf and calling it consensus.

That’s where I think UK Biobank’s response to the China incident falls short. Letters to participants, platform suspended, file size limits, daily monitoring of exports, board-led investigation. All competent. All beside the point. Researchers with approved access were trying to sell the data. The protection worked. The legitimacy didn’t. The current response only deals with the first.

Polly Toynbee and Simon Kolstoe also push back on the security framing, and they’re right that this conversation is exhausted. Polly says she isn’t worried – the data is anonymised, the science is valuable, volunteers know what they signed up for. Simon says protection is becoming impossible anyway, so we should reframe health data as a public good and accept the trade-off. Neither asks who decides.

It’s a question about power, not technicalities. The current deal goes: hand your data over, trust us to use it responsibly, trust the governance, and if something goes wrong we’ll apologise and tighten things up. Don’t worry about the detail. It’s paternalistic, and the response to incidents like this defends it rather than asking whether it still holds.

The 2019 public dialogue I ran at Genomics England brought together people from across the UK, recruited to be reflective of the population and given balanced briefings. They were willing to share their data for research, but with conditions: no insurance pricing, no targeted marketing, no surveillance, no profiteering on altruistic donation. They didn’t want reassurance. They wanted a stake.

The alternative to ‘hand it over’ isn’t ‘lock it down’. It’s a system where data is jointly owned and curated, where the public and researchers are partners rather than donors and recipients. Breaches will still happen. The difference is who decides what they mean and what gets done about them, including whether the deal still holds. In the current system, ‘society owns the risk’ is something done to people. In a partnership, it’s something done with and by them.

This matters for science. The publics most likely to walk away from the current deal are minority and underserved groups who have the most reason to distrust how their data has historically been used. If we don’t meet those groups where they are, the datasets get less representative, and it’s bad science.

If the job of science communications is to reassure people or talk them into accepting the risk, we’ve already conceded what matters. The job is to argue for a different deal.

Yours,

Simon

 

Fiona Fox

Dear Simon,

Thanks so much for this thoughtful first salvo. First, let me highlight where I’m coming from. I am no expert in longitudinal studies so while your impassioned call for revolution not evolution in the contract between researchers and the public sounds compelling, I’m afraid I’m going to limit myself to responding to what you’ve called the second question.

The reason I suggested this exchange is that you and other comms officers I usually agree with didn’t share my enthusiasm for the two articles by Polly Toynbee and Simon Kolstoe. That reaction reflected one I often encounter from data comms experts after similar stories about breaches: that anything that first acknowledges bad things can happen before stressing the benefits of sharing data looks cavalier about data security, and the top priority should be to double down on reassuring the public that restrictions will be tightened.

You and others saw these articles as a crudely ‘Either /Or’ argument (either we lock down data or use it for research) when you argue we can and must do both.

I saw something different – notably a rare and refreshing invitation to change the terms of debate. An attempt to get us to reflect on where we draw the line in the trade-off between securing patient data and allowing researchers to access it in ways that work for science.

Where we agree is that what the research community says at times of crisis matters and can shape public debate. I worry that if our starting point is an assumption that public trust in these studies relies on the data being 100% secure, then of course our response has to be to promise to tighten everything up.

But what if we are wrong and people are more open to the idea that despite our best efforts things may occasionally go wrong? If true, then we may be missing the chance to have a more honest and interesting societal discussion.

While you mention a new settlement with the public, people who consent to join studies like UK Biobank are different from the wider public. They don’t just tick a box, they invest considerable amounts of time taking part in the various tests, and they do it because they want the data shared and benefits realised. In  a letter to The Times last week, one said. “I volunteered, understanding that all endeavours have potential problems. UK Biobank gave me an opportunity to help medical science to flourish and perhaps help others”

Polly Toynbee asked me whether there was data on how participants respond to these data breaches and I was struck that no one seemed to know or be willing to answer. We do know that each time the media expose any misuse of UK Biobank data, a small number of participants withdraw. But hundreds of thousands don’t, suggesting  something more interesting at play. The only person who did reply to Polly was Nicholas Timpson, Principal Investigator at the ALSPAC (Avon Longitudinal Study of Parents and Children). He said that sadly some people do withdraw after stories like this but added, “What is astounding is the resilience of the majority… Take ALSPAC as an example – some 35 years later we still have a vibrant and growing study.”

Look forward to your reply,    

Fiona

 

Simon

Dear Fiona,

So here we are: me arguing that public involvement should be central to how data is used, you arguing for a more open conversation about the balance of risks and benefits. Fair enough on narrowing the fire to your question (Are the benefits worth us collectively owning the risk?). But you can’t have more of yours without first having more of mine.

You’re right that doubling down on security is perhaps above all a corporate comms instinct, and that the public is probably more sophisticated about risk than that route assumes. The second Genomics England Sciencewise dialogue I co-commissioned with the UK National Screening Committee went directly at this. Participants explicitly accepted that ‘nothing in life is certain’. They were comfortable with trade-offs in principle. But the same participants said data security should be ‘of the highest possible standard’, that legislation should be future-proofed against use by insurers, employers and marketers, and (most relevant to my argument) that the public should be meaningfully involved. Now, their framing as dialogue participants rather than active cohort participants may be more theoretical, but they were asking to be in the room when the trade-offs got made.          

Nicholas Timpson’s ‘resilience of the majority’ is interesting. ALSPAC and UK Biobank participants do stay, and that tells us something. It tells us about the resilience of consented cohorts, not about the deal those cohorts were offered. Those who once made the effort to say yes are not now making the effort to say no. That’s a different thing – and I think it’s a thinner foundation than it looks.

It’s also evidence about a specific kind of person. UK Biobank’s own website says participants are ‘slightly wealthier and healthier’ than the national population, with the caveat that healthy volunteer bias can be handled by careful interpretation. In genetic research that’s not good enough. Some polygenic risk scores are around four times more accurate for people of European ancestry than African ancestry. That exacerbates health inequalities, and is not a problem of interpretation. It’s a problem of who’s in the dataset and who isn’t.

So the resilience of those who volunteer for cohort studies is the issue, not the reassurance. Citing the loyalty of those that do take part as evidence of public acceptance is circular: it’s evidence that the people inside the deal are still inside it.

If these are the only people whose views count, we’ll keep using data that’s less useful for everyone outside it. That’s an argument (and a comms challenge) about quality, not values. It says something about who should be in the room when these decisions get made, and what their absence costs us scientifically as well as ethically.

None of this is an argument for starting from scratch. The current cohorts exist, the data exists, and the next breach is a matter of when not if. The interesting question is what UK Biobank should do differently at that point.

But my point stands: we can’t have a more open conversation about benefits and risks until we’ve widened who gets to have it.

Yours,

Simon

 

Fiona

Dear Simon,

Thanks for another thought-provoking letter. 

I’m totally with you on the importance of getting more meaningful public engagement. But one way to do that is to use the opportunities provided by data-sharing hitting the headlines, when people are most engaged. The core of my argument is that what we say at such times matters.

We seem to agree that the focus on apologising and promising to do better is a ‘corporate communications instinct’ that underestimates the public. While you seem wearily resigned to that, I’m still hopeful we can challenge it. It goes hand in hand with the instinct that the best response to a crisis is to close it down as quickly as possible. Speaking out, we are told, fans the flames and keeps the issue in the news. One comms colleague described it like this: “Bad thing has happened. Stop the bad thing happening now. Also, this is unpleasant and it’s under my watch, so it must be stopped from happening at all in future.” 

Even if we could stop stories from getting traction (and I don’t think we can), I would still see it as a missed opportunity. The recent Public Attitudes to Science survey is the latest showing the more we explain science to people, the more they understand and the more supportive they become.

All this reminds me of the reaction to the Care.data debacle. Many argued that it had become a toxic brand and scientists speaking out would be tainted by association. I argued the opposite. I’d spent years trying and failing to generate media interest in the benefits of data-sharing for research. Suddenly the media was all over the topic like a rash but the people queuing up to be interviewed were privacy campaigners and angry GPs. Despite the pressure to fall silent, I pushed at an open media door to get loads of scientists into the news They were clear that Care.data was a mess, but argued there was still a compelling case for sharing patient data with medical researchers. I never saw any sign that the public blamed scientists for that cock up and I’m sure that the public support we enjoy today is in part down to moments like this where scientists rode the wave of media and public interest. 

I also worry about scientists over-promising an end to problems. Of course after a data breach we should assure people we are continually reviewing procedures to reduce risk. That’s true and important to say. But at a time when bad actors from rogue states to teenagers can hack into high-security systems, offering guarantees feels like a hostage to fortune. A more honest engagement about risks shows respect for the public and is more likely to engender trust than promises that inevitably get broken.

It’s important to say that the UK Biobank comms team eschewed the instincts outlined above. Their scientific leaders did loads of media and Professor Rory Collins apologised but also talked about the cost to science of pausing and locking down more tightly. Justin Webb even picked up on this, praising UK Biobank for being so open and honest after interviewing Rory on Today. But one of the reasons we are having this exchange is because several of the non-Biobank people I spoke to worry that this approach looked cavalier about security. Maybe we can return to this in our next exchange.

Fiona

 

Simon

Dear Fiona

Yes, ‘we guarantee this won’t happen again’ is a hostage to fortune. It tells the public they’re being managed rather than respected. The UK Biobank comms team did way better than this. They were open and honest, and it matters. Care.data? Absolutely: speaking up during that crisis built public support for data sharing that wouldn’t have existed. You were right. The argument I’m making is about what comes next. I’m weary of the apologise-and-tighten reflex, but not resigned to it. We can absolutely do better.

Is there room to admit some risk is inevitable, and that the balance has to be drawn with the public good? Yes. The honest response to a data incident acknowledges that this kind of research carries irreducible risk, that the question is what level is proportionate to the benefit, and that this is a conversation worth having openly. That’s a comms move I’d defend without qualification. The unresolved question – still – is about who gets to be part of that conversation when it happens.

Which brings me to Public Attitudes to Science, which I take a different message from. It argues explicitly against the deficit model: “information alone does not build public trust or deepen connections to science and technology.” Information matters, but it’s about interaction with, not just exposure to science. That’s an involvement argument, not an explanation one.

Only 12% of the public feel they’re sufficiently involved in decisions about science and technology. 64% say scientists should be required to involve all groups of the population in their research. Yet nearly half are uncertain that scientists “consider people like me” when designing it. It’s not about what people understand. It’s about who they think the science is for.

So my advice for comms people?

First, put more voices in the response than just the Principal Investigators. UK Biobank speaking openly is good. UK Biobank speaking alongside participants would be better. It’s harder to write but more honest: this isn’t an institution defending itself, it’s a community of people working out what should happen next.

Second, resist the over-promising you’ve already named. The honest version is the one we’ve both signed up to: risk is irreducible, the question is what’s proportionate, and this is a conversation worth having openly.

And for the comms officers shaping the cohorts that come next (Our Future Health, the Adolescent Health Study, others)? They’re making the same decisions about who’s in and who isn’t that Biobank made 15 years ago.

Research we commissioned at Genomics England with Black African, Caribbean, Pakistani and lower socio-economic communities tested the standard messaging used in genomics recruitment. Starting with the benefits, even using inclusive framings like “this research needs to represent everybody”, was rejected as emotional blackmail by participants who’d heard similar promises before. What worked was the opposite: acknowledging concerns first, before introducing the science. The hello before the pitch. The ‘key messages’ communicators reach for to broaden participation can do exactly the opposite.

Which brings me back to where we started. Your instinct with Care.data to see this potential crisis as an opportunity to communicate was vital and should be the default. The work that remains is whether all those taking the risks are getting all of the benefits, and whether what we say as communicators is closing that gap or widening it.

Over to you.

Yours,

Simon

 

Fiona

Dear Simon,

So we agree on the fundamentals – controversies are no time to fall silent or go into damage limitation mode.    

I like your points about the need to include a wider section of the public in these discussions in meaningful ways. You know more than me about how we achieve that but I will say that public attitudes can be somewhat contradictory. One of the questions in the Public Attitudes to Science survey shows that 30% of respondents are not interested in being involved in decision making about scientific research. Another 35% say they want the public to be more involved, just not them. Only 9% saying they want more active involvement. This data isn’t specifically about data sharing but it shows the complexity at play. Surveys that are on data sharing show that the public care a lot about security, but also that understanding more about benefits leads to increased trust and can mitigate some of the fears around unwelcome uses.

Also, if we only look at what people currently think, we may need to consider a new career. We presumably believe we can shape public attitudes, not with ‘key messages’ or an eye on the ‘optics’, but through scientists openly talking about the trade-offs. My entire argument is that if we join with privacy campaigners and media to focus primarily on security over benefits, we should not be surprised if the public end up preoccupied by that too.

My final point is about the price of not having an open debate. Rory Collins may have irritated FT readers and ministers by acknowledging that tighter restrictions will have a cost ‘to the discoveries that are made’ but he was speaking for many scientists. It wasn’t until this row that I found out that UK Biobank is loved by researchers partially because they find it more accessible and usable than some more tightly locked datasets. Other than the FT piece, I also didn’t see any reporting on the impact of the pause on researcher access to UK Biobank data. It may well be the right thing to do in response to the China data breach, but surely people should know what the pause on access means for science? One researcher said, ‘Everything has come to a standstill: projects frozen mid-analysis, large studies halted, and even previously generated results are inaccessible.”      

We know people want their data to advance science as well as be kept safe, but yet again we are talking lots about one and not the other. As Cathie Sudlow says, if we only ask one question (about security) we’ll end up locking up data and throwing away the key.

So we can have a narrow debate where we accept the terms set by campaigners and journalists. Or we can have a richer, more honest one involving the public, where we are the ones that say there is more than one question and finding the balance between tightening security and ensuring we do the best science is a tough one that we should thrash out.

Of course those who think UK Biobank should do better should say so. In fact how about this: everyone should say what they think! But I’m arguing that no one should be saying, ‘don’t say that, it looks bad’ or worse still, ‘I agree but we can’t say that’. There is a wider risk/benefit debate to be had and it’s interesting and important. It ill-serves anyone to avoid it.

Fiona

 

This blog contains the thoughts of the author rather than representing the work or policy of the Science Media Centre.

Leave a Reply

Your email address will not be published. Required fields are marked *

*By commenting on this blog you agree to abide by our Terms and Conditions.