SAR Non-Compliance Leads to Criminal Conviction

Data lawyers believe that last week the first ever criminal conviction was secured under the Data Protection Act (DPA) 2018, when the director of a care home was fined for refusing to respond to a request for personal information.  The Director was found to have blocked, erased or concealed information that was requested under a data subject access request (DSAR) resulting in his prosecution and conviction.

The individual appeared before Beverley Magistrates court Wednesday 3 September 2025, where he was found guilty and ordered to pay a fine of £1,100 and additional costs of £5,440, marking the first successful conviction of an individual under section 173 of the DPA 2018.

Andy Curry, Head of Investigations at the Information Commissioners Office (ICO), emphasised, “We describe subject access requests as a fundamental right. This is because it helps people understand how and why organisations are using their information”.

He added, “I hope this successful prosecution reminds all organisations that data protection applies to everyone, and subject access requests must be handled lawfully and responsibly.”  

It is not clear to what degree aggravating factors contributed to the prosecution, including the director failing to respond to ICO, deregistering from the ICO (albeit some time ago), arguing that the company was not a data controller, or the director in question attempting to shift blame to others within the organisation (notably the manager) for failing to reply to the request. However, it is a sobering reminder that the ICO has teeth!

Failure to respond to a DSAR is commonly dealt with as a civil matter under the UK GDPR.  But as this case demonstrates, it can lead to enforcement action and criminal prosecution under the Data Act 2018, section 173 if a controller alters, defaces, blocks erases, destroys or conceals information with the intention of preventing disclosure of all or parts of the information that the requestor would have been entitled to receive.