A director of a care home has been prosecuted under UK data protection laws over his handling of a data subject access request (DSAR) concerning a care home resident.
Data protection law experts Stephanie Lees and Malcolm Dowden of Pinsent Masons said the prosecution highlights the need for organisations to ensure all staff are trained to identify, and respond to, DSARs in line with data protection law. Staff should also be aware of the personal liability and criminal sanctions they can face if they fail to comply with these requirements, they said.
Individuals have a general right, under UK data protection law, to obtain from organisations the personal data held about them, along with information about how that data is processed. Where requests for such access are made – DSARs – they must be handled in accordance with strict rules set out in data protection law.
In the case prosecuted by the Information Commissioner’s Office (ICO), in April 2023, a woman whose father was resident at Bridlington Lodge Care Home in Yorkshire filed a DSAR about her father, exercising her authority to raise the DSAR via a power of attorney. Among other things, she sought incident reports, copies of CCTV footage and notes relating to her father’s care, the ICO said.
When the woman received no response from the care home, she raised a complaint with the ICO. The ICO said Jason Blake, director of the care home, offered no explanation during its investigation for not responding to the DSAR.
Blake was prosecuted by the ICO before Beverley Magistrates Court, where, the ICO said, he was found guilty of having “blocked, erased, or concealed records” to prevent the information requested being disclosed. Blake was fined £1,100 and ordered to pay costs of £5,440.
Andy Curry, head of investigations at the ICO, said: “We describe subject access requests as a fundamental right. This is because it helps people understand how and why organisations are using their information. This family put their trust in Bridlington Lodge Care Home to look after their father, and they had a right to receive information about his care. By ignoring this request for personal information and refusing to provide any explanation, Mr Blake believed he was above the law.”
Dowden said: “It is an offence, under section 173 of the Data Protection Act 2018, when a controller or a person employed by the controller, an officer of the controller or a person subject to the direction of the controller is found to ‘alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive’”.
Lees added: “It is rare for the ICO to bring a prosecution of this nature in the context of DSARs and the case serves as an important warning to businesses and their staff, to ensure they take their data protection obligations seriously. The ICO, which is guided by data protection harms when determining what enforcement action to bring, noted the trust the family had placed in the care home provider and they have a right to obtain this information.”
“The prosecution brought against the care home director in this case – and the ICO's comments on the ruling – highlight the need to ensure that all staff involved in responding to DSARs are made fully aware of the risk of criminal conviction, if they were to make any attempt to tamper with or to hide information that ought to be disclosed in response to a DSAR,” she said.