[This is a joint statement made with the Department for Science, Innovation and Technology.]
Human genomic data drives medical and scientific breakthroughs that benefit people by helping to identify some of the underlying factors in who will develop diseases and how they progress, leading to the development of new treatments. It also contributes significantly to global scientific benefit and economic growth. The UK is a global leader in human genomic data, due to the scale, richness and diversity of its datasets.
However, we also know that human genomic data, if shared without due care, has the potential to present national, economic and biological security risks to the UK. The UK government is committed to keeping human genomic data safe. Keeping human genomic data secure is also important in maintaining the trust of the public in how their health data is used, even more so when people have voluntarily shared their genomic data for research studies. Whilst there are clear legislative requirements and regulatory frameworks that help protect people’s health data, there is no clear statement of the Government’s expectations on how human genomic data should be made available for research.
Therefore, over the last 12 months, we have been considering how to protect people’s privacy and security, whilst continuing to make human genomic data available for legitimate research. Today, we are publishing new guidance for UK Government funded major holders of human genomic data that make data available to external users. This applies to Genomics England, Our Future Health, UK Biobank and NIHR Bioresource. It sets out recommendations on how these bodies can make data available in a way that manages the benefits of global access and use of human genomic data, whilst managing security risks.
The guidance is in three parts:
The first part uses the Office for National Statistics ‘Five Safes’ framework, which is widely regarded as best practice in protecting data when making it available to users.
The second part sets out a framework to support major holders of human genomic data when considering whether to make data available to users outside of the UK.
The third part sets out the expectations on protective security and the measures that holders should have in place to manage insider risk and protect their physical environment.
The guidance makes clear recommendations for how major holders of human genomic data should make data available using the Five Safes Framework: safe settings, safe data, safe people, safe projects and safe outputs. It recommends that:
Human genomic data should be made available through one or more secure data environments (SDEs), which have an appropriately robust ‘airlock’ in place (the airlock places controls on the data and tools that are allowed into or out of an SDE).
Holders of human genomic data should have robust policies and processes in place to assess individuals who are potential users and the organisation sponsoring the project, to check access is justified before it is granted.
Careful consideration should be given where a user or their sponsoring organisation have a history of data breaches or misuse: the expectation is that a history means approval will not normally be given.
Access should be granted only for projects that are intended to benefit human health or deliver wider public benefit.
Access to data by users located outside the UK is considered an international data transfer. The guidance makes clear that where a holder of human genomic data is considering access by a user located outside the UK, in a country or territory that is not covered by UK adequacy regulations, a transfer risk assessment (TRA) must be completed before access is allowed. (Adequate countries and territories are those that the UK Government has assessed as having a level of data protection that is “not materially lower” than that provided for by UK law. This allows personal data to be sent to those countries without the need for additional transfer mechanisms and safeguards.)
As the guidance notes, the Information Commissioner’s Office’s TRA tool can help holders complete their transfer risk assessment. Given the potential significant personal impacts that could be associated with HGD, it is likely to be considered a ‘high harm risk’ category of data transfer. GDPR requires supplementary measures to be put in place if, after risk assessment, relevant tests are not likely to be met. The guidance sets out some criteria that holders of human genomic data can use when assessing whether the data protection test is met.
How human genomic data can be made available safely and securely for a range of research and other uses is rapidly developing as technology advances. We will, therefore, keep this guidance under review and will update it when required.
https://www.theyworkforyou.com/wms/?id=2026-07-02.hcws175.0
seen at 09:56, 3 July in Written Ministerial Statements.