Criminal Prosecution under the Data Protection Act 2018: the importance of complying with a DSAR
Generally, where a data controller fails to comply with their obligations to respond to a data subject access request (DSAR), the data protection failure has been considered a civil matter, with either the data subject applying for an order compelling the data controller to comply with the DSAR or the Information Commissioner’s Office (ICO) considering civil enforcement action. A recently published decision on the ICO’s website is thought to be the first decision that recognises that a failure to comply with a DSAR can lead to a criminal offence under Section 173 of the Data Protection Act 2018 (herein the Act).
On 03 September 2025, at Beverley Magistrates Court, a care home director was prosecuted and fined for ignoring a DSAR.
In this legal update, we consider the criminal conviction under the Act and the implications for data controllers.
What is a DSAR?
Most of us, whether as an individual or business, have heard the term DSAR. Following the introduction of the General Data Protection Regulation or GDPR, terms such as “data subject rights” or “DSAR” have become familiar terms, used in our everyday conversations. A data subject has a broad statutory right under Article 15 of the (post Brexit) UK GDPR to ask an organisation if it is using or processing their personal data, and to receive a copy. A data controller should respond to a DSAR within one month of receipt of the request, pursuant to Article 12(2) of the UK GDPR. That time can be extended, subject to some exceptions, but a data controller is expected to engage with a DSAR.
Section 173 of the Act makes it a criminal offence if, following receipt of a DSAR, a controller (or an officer or employee of the controller) alters, erases, blocks, defaces, destroys, or conceals information with the intention of preventing the requester from receiving information which they would otherwise have been entitled to receive.
The facts
In April 2023, a woman requested personal information about her father from Bridlington Lodge Care Home. The daughter held a lasting power of attorney and had the authority to request and receive the information.
Following Mr Blake’s refusal to engage with the DSAR, a complaint was made to the ICO. The ICO reported that Mr Blake was unable to provide any justification as to why the organisation had ignored the request.
Jason Blake, the care home director, was found to have blocked, erased or concealed records held by the care home between 12 April and 12 May 2023 to prevent this information being disclosed. On 03 September 2025, appearing at Beverley Magistrates Court, Mr Blake was fined £1,100, and ordered to pay additional costs of £5,440 after being found guilty of breaching Section 173 of the Act.
The case is an example of an individual and/or organisation not taking a DSAR seriously and, as a result, facing a future with a criminal record.
The importance of a DSAR
In commenting on the case, Andy Curry, Head of Investigations at the ICO, described DSARs as “a fundamental right” as it helps people to understand how and why organisations use their personal information. The ICO took seriously that Mr Blake ignored the DSAR, refused to provide any explanation, and sought to avoid scrutiny by asking the ICO to cancel his registration.
Generally, given the volume of complaints received, the ICO is unable to intervene in DSARs where the data subject feels that the data controller has not properly engaged with the request. It appears that the ICO may have taken a different stance in this matter because it regarded the director’s behaviour as particularly concerning.
Whilst most data controllers look to comply with their statutory obligations when responding to DSARs, this criminal prosecution acts as a reminder to organisations of the importance of engaging with a DSAR and putting in place appropriate measures to preserve documents on receipt of one, and that a failure to engage may lead to criminal prosecution. This ruling should encourage organisations to re-familiarise themselves with their obligations in responding to a DSAR, to ensure that a proportionate and adequate search for personal data has been undertaken.
At JMW, we can advise you as a data controller on your obligations when responding to DSARs. Often businesses are uncertain as to the extent of their obligations in carrying out a search for personal data that might be held, and the first step of where to begin those searches might seem overwhelming. The ICO website has a wealth of information for organisations and data subjects, including user-friendly step-by-step guides. If you require further advice or have specific queries, we can help you to understand the parameters of the DSAR you have received and the processes to put in place to comply with your statutory obligations.