
ICO fines Care Home Director for Deleting Data: The Warning Every Manager Should Read


On 3 September 2025, Jason Blake, 56, director of Bridlington Lodge Care Home in Yorkshire, was ordered to pay £1,100 in fines and £5,440 in costs after being found guilty of failing to respond to a data subject access request (DSAR). The case is a rare criminal prosecution for DSAR non-compliance.

The Facts

In April 2023, a woman requested personal information about her father from Bridlington Lodge Care Home. She held lasting power of attorney and specifically requested incident reports, CCTV footage and notes relating to her father’s care.

Mr Blake refused to respond to the request. The requester complained to the ICO and an investigation followed. Blake provided no explanation for his organisation’s refusal to respond to the SAR.

Between 12 April and 12 May 2023, Mr Blake was found to have blocked, erased, or concealed records to prevent this information being disclosed.

The Legal Framework

Blake was prosecuted under Section 173 of the Data Protection Act 2018, which states:

It is an offence for a person listed in subsection (4) to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.

Subsection (4) covers:

  • The controller
  • A person employed by the controller
  • An officer of the controller
  • A person subject to the direction of the controller

This criminal offence is distinct from regulatory enforcement. While most DSAR failures result in reprimands or civil penalties against organisations, Section 173 creates personal criminal liability for individuals who deliberately prevent disclosure.

What This Means

The Right to Access

Under Article 15 of the UK GDPR, individuals have the right to:

  • Obtain confirmation whether their personal data is being processed
  • Access that personal data (in most cases)
  • Receive additional information about how their data is used

Organisations must respond within one month of receipt (extendable to three months for complex requests).

The ICO typically addresses DSAR non-compliance through:

  • Reprimands – formal notices identifying breaches
  • Enforcement notices – requiring specific actions

Growing Enforcement Activity

This case follows increased ICO enforcement cases on DSAR compliance:

Action You Should Take

For Directors and Senior Managers

  • Understand that DSAR non-compliance can lead to personal criminal prosecution
  • Ensure adequate resources and systems for handling DSARs
  • Never delete or conceal information after receiving a request
  • Document decision-making on complex requests

For Organisations

  • Implement clear DSAR procedures and tracking systems
  • Train staff to recognise DSARs (no specific format required)
  • Respond within statutory timeframes
  • Apply exemptions properly – don’t simply refuse
  • Maintain comprehensive logs of all requests. A spreadsheet will do if you don’t get many.

Conclusion

The Blake prosecution demonstrates that deliberate DSAR obstruction can result in criminal conviction. With total costs of £6,540 plus a criminal record, the personal consequences are significant. Directors and senior managers must ensure proper systems are in place and never attempt to prevent legitimate disclosure of personal data.

We also suggest you regularly audit the data that you hold, and figure out the systems where it’s held. This can help you plan scheduled “clean-ups” of the data, and reduce your burden when it comes to delivering on Subject Access Requests.



Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance. With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development. Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.
