Sensitive health information donated for medical research by half a million UK citizens has been shared with insurance companies despite a pledge that it would not be.

An Observer investigation has found that UK Biobank opened up its vast biomedical database to insurance sector firms several times between 2020 and 2023. The data was provided to insurance consultancy and tech firms for projects to create digital tools that help insurers predict a person’s risk of getting a chronic disease. The findings have raised concerns among geneticists, data privacy experts and campaigners over vetting and ethical checks at Biobank.

Set up in 2006, the database contains millions of blood, saliva and urine samples, collected regularly from about 500,000 adult volunteers – along with medical records, scans, wearable device data and lifestyle information. Approved researchers can pay £3,000 to £9,000 to access records ranging from medical history and lifestyle information to whole genome sequencing data. The resulting research has yielded major medical discoveries and led to Biobank being considered a “jewel in the crown” of British science.

Biobank said it strictly guarded access to its data, only allowing access by bona fide researchers for healthrelated projects in the public interest. It said this included researchers of all stripes, whether employed by academic, charitable or commercial organisations – including insurance companies – and that “information about data sharing was clearly set out to participants at the point of recruitment and the initial assessment”.

But evidence gathered by the Observer suggests Biobank did not explicitly tell participants it would share data with insurance companies – and made several public commitments not to do so.

When the project was announced, in 2002, Biobank promised that data would not be given to insurance companies after concerns were raised that it could be used in a discriminatory way, such as by the exclusion of people with a particular genetic makeup from insurance.

In an FAQ section on the Biobank website , participants were told: “Insurance companies will not be allowed access to any individual results nor will they be allowed access to anonymised data.” The statement remained online until February 2006, during which time the Biobank project was subject to public scrutiny and discussed in parliament.

This weekend, Biobank said the pledge – made repeatedly over four years – no longer applied. It said the commitment had been made before recruitment formally began and that when Biobank volunteers enrolled they were given revised information.

This included leaflets and consent forms that contained a provision that anonymised Biobank data could be shared with private firms for “health-related” research, but did not explicitly mention insurance firms or correct the previous assurances.

Biobank also said commitments that “insurance companies ... will not be given any individual’s information, samples or test results” meant to refer to identifiable information, such as that which is linked to a person’s name, rather than to other data about Biobank participants.

The exact nature of the data shared with the insurance industry is not clear because Biobank does not routinely publish this and has declined so far to say. Summaries published online suggest it included de-identified, participant-level data on diseases, lifestyle and biomarkers.

One company granted access, ReMark International, is a “global insurance consultancy” that underwrites a million life insurance policies a year and lists clients including Legal & General and MetLife. In its application to Biobank, approved in December 2022, the company said it needed data to develop an algorithm to predict diseases and death, using hospital records and smartwatch data to examine the relationship between lifestyle, mental health and biomarkers. Another firm given Biobank data, Lydia.ai, is a Canadian “insurtech” firm that wants to give people “personalised and predictive health scores”.

Prof Yves Moreau, a genetics and AI expert who has worked with data from UK Biobank, said the data-sharing appeared to be a “serious and disturbing breach of trust”.

Biobank said it rejected any suggestion that data had ever been shared for uses that volunteers had not consented to, and said it was wrong to suggest that prior promises – which pre-dated formal enrolment at Biobank – should still apply.

It added that researchers worked for “all manner of companies”, and that provided they passed its “stringent access protocols”, they could conduct research using Biobank data. It added that it had consulted independent ethicists “at length” about commercial data sharing, and that “complex” applications were referred to an expert committee.

Prof Naomi Allen, chief scientist at UK Biobank, said: “Our careful processes have been followed in all these cases. De-identified health data has been shared because these are bona fide researchers working on healthrelated research, including looking at what impacts human health and longevity – and that is what our participants signed up to help with.”

There is no suggestion that Biobank data has ever been used by insurers to make direct decisions about individual policies. No physical biological samples were shared.

The Information Commissioner’s Office, the UK’s data privacy watchdog, is considering the matter.