When Ignoring a DSAR Becomes a Criminal Offence

On 3 September 2025, Mr Jason Blake appeared at Beverley Magistrates Court and was fined for failing to respond to a data subject access request (DSAR).

This incident is a striking reminder that failure to comply with this legal obligation is not just poor practice—it can be a criminal offence.

The case highlights the serious consequences of non-compliance and reinforces the importance of robust data protection procedures in the workplace, both in terms of recognising a DSAR and how to appropriately respond to one.

The Facts

Mr Blake, the director of a care home, received a DSAR from an individual seeking access to personal data held by the care home about her father. Mr Blake refused to respond to the request and a complaint was made to the ICO. The ICO investigated and found that the director had failed to comply with their legal obligations, and throughout the investigation Mr Blake did not provide any explanation for why his organisation would not respond.

The director was prosecuted under section 173 of the Data Protection Act 2018, which provides that it is a criminal offence for organisations to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure. This marks a rare but significant enforcement action, demonstrating that the ICO is prepared to pursue individuals who flout data protection laws.

Lessons for Employers

Employers, as data controllers, have obligations to respond to DSARs, whether from their employees or members of the public. A DSAR must be responded to within one month of receipt, unless an extension to three months is justified.

This case highlights the importance of responding properly as it can attract not only fines for the business, but also personal liability and a potential criminal charge.

The lesson here is that employers need to have clear policies and training around data rights, what to do when a DSAR is received, and how best to respond in order to protect the business and yourself from liability.

How Employers Can Stay Compliant

Employers should ensure they have:

  • A clear DSAR policy

The policy should outline how requests are received, verified and processed.

  • Staff training

A request does not need to state that the individual is making a DSAR under UK GDPR to be covered by this protection, and so it is vital to train staff on how to recognise and escalate DSARs appropriately, as well as on data retention policies.

  • A designated data protection officer

Businesses should have a designated individual who is responsible for overseeing compliance with GDPR law.

  • Systems in place

As the timeline for responding to a DSAR is relatively brief, employers need to ensure that they have systems to locate and retrieve personal data efficiently.

  • Legal support

If you feel uncertain about a request, or do not have the facilities to deal with the volume of data, we recommend getting legal assistance. Our data protection team is on hand to assess complex requests and deal with the assessment and redaction of privileged or third-party information where necessary.

This case should serve as a reminder to all employers that data protection is not optional. With increasing scrutiny from regulators and growing awareness among individuals of their rights, organisations must treat DSARs with the seriousness they deserve.

Now is the time to review internal processes, train staff and ensure that your organisation is prepared to respond lawfully and efficiently to any request for personal information, and our team is on hand to assist.

Please reach out for a bespoke audit of your data protection compliance, or support responding to a DSAR.

 

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

Author profile

Lucy White

Senior Solicitor

+44 118 960 4655
