Criminal Liability for Obstructing Data Subject Access Requests: Lessons from the Bridlington Lodge Case
Insight Article 13 October 2025
UK & Europe
Cyber Risk
In September 2025, a landmark criminal conviction under the UK’s Data Protection Act 2018 (“DPA 2018”) sent a clear message to organisations: deliberately obstructing an individual’s right of access to their personal data can lead to criminal liability.
The Case
Jason Blake, director of Bridlington Lodge Care Home in Yorkshire, was prosecuted after failing to comply with a Data Subject Access Request (“DSAR”) submitted in April 2023. The request, made by a daughter acting under a lasting power of attorney on behalf of her father, sought incident reports, CCTV footage and care notes relating to his treatment at the home.
Instead of complying, the court heard that between 12 April and 12 May 2023, records were concealed, erased or blocked with the intention of preventing disclosure. The conduct falls squarely within Section 173 of the DPA 2018, which makes it a criminal offence to destroy, alter, conceal or block data following the receipt of a DSAR if these actions were conducted with an intent to prevent disclosure. On 3 September 2025 Blake was found guilty of the offence at Beverley Magistrates’ Court. He was ordered to pay a fine of £1,100 and costs of £5,440.
The Outcome
This appears to be the first successful prosecution under Section 173 of the DPA 2018. Historically, failure to respond to a DSAR has been treated as a civil compliance issue, enforceable via ICO enforcement actions and/or civil claims through the court. The use of criminal proceedings marks a significant escalation.
Notably, the court rejected various defence arguments: that the records had already been supplied by staff, that responsibility lay with the care home manager, or even that the company was no longer registered with the ICO. The ICO stressed that directors, managers and employees alike have responsibilities once a DSAR has been received by a data controller. Importantly, the ICO confirmed that the requester ultimately received the personal data sought.
Why This Matters
The case is significant for several reasons:
- Criminal liability for individuals: the prosecution was directed at the director personally, not just the care home’s corporate entity. This signals that decision-makers and employees who deliberately obstruct DSARs may face personal criminal liability.
- Clarity on Section 173 enforcement: until now, Section 173 had rarely, if ever, been tested in court. This conviction confirms that the ICO is prepared to pursue criminal sanctions where intentional obstruction is involved.
- Reputational impact: beyond the fine and costs order, the reputational damage for both the individual and the care home sector is considerable. Coverage across legal and industry media underscores the public interest in upholding transparency, accountability and compliance in the processing of personal data.
Lessons for Businesses and Data Controllers
This case serves as a stark reminder for all organisations subject to UK data protection law that data governance is not optional. Data controllers have a legal obligation to (i) respond to DSARs within one month (with limited scope for extension); (ii) disclose all relevant personal data (unless justifiable exemptions apply); and (iii) avoid any attempt to alter, erase or conceal records to prevent lawful disclosure (which is a criminal offence). To achieve this, organisations may wish to consider the following points:
- Employees must be trained: Many DSARs are first seen by frontline staff. If employees do not recognise the importance of a request, or fail to escalate it properly, the organisation risks serious consequences. Regular training and clear internal processes are essential.
- Directors and managers are accountable: Responsibility cannot be delegated away. Senior staff must ensure that systems are in place to identify and respond to DSARs promptly and fully within the statutory one-month deadline (extendable to three months in complex cases).
- Documented processes are key: Having a written DSAR response policy, supported by audit trails, demonstrates accountability and reduces the risk of errors or intentional non-compliance.
- Criminal liability is real: This case highlights that failing to respond - or worse, concealing or destroying data - may expose both organisations and individuals to criminal prosecution. The costs, fines and reputational damage far outweigh the effort of compliance.
Conclusion
This recent ICO enforcement action highlights the importance of DSARs as a fundamental privacy right and establishes a new benchmark in DSAR enforcement. The costs of mishandling a DSAR can be substantial, both financially and in terms of reputation. What has historically been a civil compliance matter now also carries a risk of criminal liability for individuals who choose to obstruct access rights. For businesses, charities, and public bodies alike, the message is clear: ensure your employees understand the importance of DSARs, establish robust procedures and clear processes, train teams and embrace transparency to foster a culture of compliance.
Failure to do so could mean not just regulatory enforcement, but a criminal record.
Clyde & Co’s cyber team have a wealth of experience dealing with DSARs. If you have any queries or would like to discuss any other related matter with us, please contact us or your usual Clyde & Co cyber team contact.