Last updated: 1 October 2024

1. Background

The purpose of the Information Governance Committee is to monitor and enhance UK Biobank’s overall strategy and operational methods of securely collecting, storing and distributing information relating to the UK Biobank resource.

The relevant UK Biobank information includes:

  • Participant level information (identifiable, pseudonymised and anonymised information);
  • Summary and tabular information relating to participants; and
  • Individual level information relating to researchers, employees and suppliers.

There will be areas of overlap with other committees of the UK Biobank Board, including the Access Committee, the Ethics Advisory Committee, the Audit and Risk Committee and the newly constituted Participant Advisory Group.

2. Membership

The Committee shall comprise at least two directors of the Board and at least two external members.

The Committee shall be entitled to invite such members of UK Biobank’s Senior Management Team as it sees fit, including the CEO/PI, the deputy Chief Executive, the Chief Information Officer and the General Counsel. External experts, advisors and auditors may also be required to attend. A representative of either of the two funders of UK Biobank may also attend.

Appointments to the Committee shall be for a period of up to three years. Members may serve a second term of up to three years.

3. Conduct of meetings

The Secretary (or another member of the legal team) shall act as the secretary of the Committee and will ensure that the Committee receives notice of each meeting confirming the venue (meetings can be fully or partially virtual), time and date, agenda and papers in a timely manner.

The quorum necessary for the transaction of business shall be two, with at least one Board member in attendance. The Committee shall meet quarterly or at such other frequency as may be agreed.

Meetings of the Committee shall be called by the secretary of the Committee and/or at the request of the Committee Chair. The secretary of the Committee shall minute the proceedings and resolutions of Committee meetings.

The Committee is authorised to obtain, at UK Biobank’s expense and through the General Counsel, outside legal or other professional advice on any matters within its terms of reference.

4. Procedural matters

The Committee shall be provided with:

  • sufficient resources in order to carry out its duties, including access to the Secretariat for advice and assistance as required; and
  • appropriate and timely training and guidance on applicable laws and regulations.

The Committee shall, annually, review its constitution and terms of reference to ensure it is operating at maximum effectiveness and recommend any changes it considers necessary to the Board for approval.

5. Remit

These constitute such matters as the Committee shall reasonably consider to be relevant, and include:

Information systems and system security

The Committee shall review the strategy, operational practices and prevailing national and international standards (legal, regulatory and good practice) relating to access, collection, storing, usage, sharing, security and storage of information within UK Biobank’s information systems.

In particular, the Committee shall keep under review:

  • The overall architecture and technical design of the information systems;
  • The internal and external testing of its information systems; and
  • Proposed enhancements, upgrades and re-design of its information systems.

Data breaches

The Committee shall review the processes for identifying, managing and mitigating unauthorised data breaches. These include:

  • External hacking and external security threats (denial of service, phishing etc.);
  • Researcher misuse of information (advertent or inadvertent); and
  • Internal security breaches and failures.

The Committee shall review the level and frequency of information governance training, support and guidance which is available:

  • to UK Biobank staff within the organisation; and
  • to researchers (and others) outside the organisation.

Data Provision

The Committee shall review the provision of information to third parties (in particular the provision of participant level information to researchers):

  • The approach for de-identifying participant level data, including the removal of direct and indirect identifiers, the use of uncommon variables (sparsely populated post codes, rare disease and/or a combination thereof), participant’s use of social media and posting proprietary information (and potential for suitable communication to participants);
  • The manner in which the participant level data is made available to researchers and related developments of the Research Access Platform, TREs and air locks;
  • The practical confirmations which researchers provided to UK Biobank relating to the security of participant level data and the level of appropriate and practical oversight (audit) of researcher conduct, including the manner in which the participant level data is returned and deleted; and
  • How this approach and framework is compatible with the ONS’s 5 safes’ principles, namely:
    Safe data: data is treated to protect any confidentiality concerns;
    Safe projects: research projects are approved by data owners for the public good;
    Safe people: researchers are trained and authorised to use data safely;
    Safe settings: a secure environment is used to prevent unauthorised use; and
    Safe outputs: screened and approved outputs that are non-disclosive.

Risks, regulation and reporting

The Committee shall review the significant risks to UK Biobank and identify, propose and recommend such actions to the UK Biobank Audit & Risk Committee and/or the UK Biobank Board as it may reasonably see fit.

The Committee shall keep under review the prevailing legislation and regulation – including sanctions, the National Security and Investment Act – and any HMG-related guidance or advice in this area.

The Committee shall also consider how it should present and promote its activities externally, particularly to researchers, participants and the public, as well as keeping under review related general communications issues (in conjunction with the UK Biobank Ethics Advisory Committee and the UK Biobank Access Committee).