
Criminal prosecution under data protection laws

Posted on 5 September 2025

In brief 

  • A care home director has been prosecuted and fined by the Information Commissioner in relation to a Data Subject Access Request (DSAR). This is believed to be the first such prosecution of its type. 
  • While failure to comply with a DSAR is usually treated as a civil matter, section 173 of the Data Protection Act 2018 makes it a criminal offence - once a DSAR is received - to alter, erase, or conceal information to prevent disclosure.
  • Criminal liability under section 173 can lie with the data controller itself, or with individual directors and staff, and all organisations should be alive to the possibility of prosecutions being brought. 

Where a data controller fails to comply lawfully with a data subject access request (DSAR) under the UK GDPR, that failure will constitute a breach of statutory duty, potentially attracting civil enforcement action by the Information Commissioner’s Office (ICO). However, a recent prosecution illustrates that a failure can, in some circumstances, also be a criminal offence. 

The right to know how one’s personal data is being processed is recognised in law as especially important - it has been described as a "lynchpin" of data protection law.  

When a DSAR is made to a data controller, the controller must supply, normally within one month - and subject to the application of exemptions - an explanation of the processing, and copies of the personal data undergoing processing.  

Ordinarily, a failure to comply will be treated as a civil wrong, potentially resulting in civil enforcement action by the ICO or civil proceedings by the requester to secure compliance. However, section 173 of the Data Protection Act 2018 (DPA) also provides that a controller (or an employee or officer of the controller) will commit an offence if - after receiving a DSAR - it alters, defaces, blocks, erases, destroys or conceals information with the intention of preventing disclosure of all or part of the information that the requester would have been entitled to receive.

The recent prosecution by the ICO - believed to be the first such section 173 DPA case - was of a director of Bridlington Lodge, a care home in Yorkshire, who was found to have blocked, erased, or concealed records held by the care home, to prevent this information being disclosed. The request had been made by a woman who had lasting power of attorney over her father’s affairs (and so was authorised to make the request on his behalf).  

At Beverley Magistrates Court on Wednesday 3 September 2025, the director was convicted and ordered to pay a fine of £1,100 and additional costs of £5,440. 

The ICO has informed Mishcon de Reya that the director offered an unsuccessful defence which variously claimed that: the information requested had in fact been provided by a member of staff; the care home manager was responsible for responding to the DSAR, not him; the company had been deregistered from the ICO in 2016 (not that this could conceivably have been relevant); and Bridlington Lodge was a building, not a data controller.

The ICO also explained to this firm that the requester now has the requested personal data. 

The ICO has attracted some criticism in recent times for the relatively low volume of civil enforcement actions it brings. In particular, it has rarely shown a willingness to intervene in DSARs where the requester has been faced with a recalcitrant data controller. Whether this criminal enforcement case indicates a shift in approach is not yet clear - it may be that the behaviour of the director in this particular case was simply so egregious that it warranted exceptional action. However, all data controllers - and indeed, their employees and directors, who might be directly criminally liable - should be aware that prosecutions under section 173 of the DPA can be brought, and, in appropriate cases, might well be pursued by the ICO. 
