When Ignoring a GDPR Subject Access Request Becomes a Crime 

In March 2025, the Information Commissioner’s Office (ICO) issued reprimands to two Scottish councils for repeatedly failing to respond to subject access requests (SARs) within the statutory timeframe under the UK GDPR.
This is the ICO’s usual practice when it comes to complaints about SARs. However, it recently went a step further and issued criminal proceedings against a company director.

Section 173 of the Data Protection Act 2018 makes it a criminal offence, where a person has made a SAR, to “alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.” The Data Controller can be prosecuted, as can “a person who is employed by the controller, an officer of the controller or subject to the direction of the controller.”

On 3rd September 2025, the director of a care home in Bridlington was found guilty of an offence under S.173.  Jason Blake, 56, was found to have blocked, erased, or concealed records held by Bridlington Lodge Care Home between 12th April and 12th May 2023 to prevent information being disclosed.     

The background to the case is as follows: In April 2023, a woman requested personal data about her father from Bridlington Lodge Care Home.  She had the authority to do so due to a lasting power of attorney. The personal data requested included incident reports, copies of CCTV footage and notes relating to her father’s care.   

After Mr Blake refused to respond to the request, a complaint was made to the ICO. During the investigation, Mr Blake did not provide any explanation about why his organisation would not respond to the SAR. The court ordered him to pay a fine of £1,100 and additional costs of £5,440. 

This prosecution, possibly the first of its kind, is a warning to employees and directors of Data Controllers to ensure that they have systems in place to respond to SARs in a timely manner. Failure to do so could lead to personal liability and a criminal record.  

There is potentially more subject access court drama to come. In March, the campaign group Good Law Project (GLP) “filed a trailblazing new group action” against Nigel Farage’s Reform UK at the High Court. GLP claims that Reform failed to comply with a number of subject access requests and is seeking damages on behalf of the data subjects. This is the first case in the UK under Article 80(1) of the UK GDPR, which allows data subjects to mandate a body or organisation to act on their behalf to lodge complaints, exercise data protection rights, and seek compensation for infringements of their data protection rights.

Our upcoming Handling SARs course can help you deal with complex subject access requests.  

Our 23rd Birthday! Celebrate with Us and Save on Training  

This month marks 23 years of Act Now Training. We delivered our first course in 2003 (on the Data Protection Act 1998!) at the National Railway Museum in York. Fast forward to today, and we deliver over 300 training days a year on AI, GDPR, records management, surveillance law and cyber security; supporting delegates across multiple jurisdictions including the Middle East.  

Our success comes from more than just longevity; we are trusted by clients across every sector, giving us a unique insight into the real-world challenges of information governance. That’s why our education-first approach focuses on practical skills, measurable impact, and lasting value for your organisation. 

Anniversary Offer: To celebrate, we are giving you a £50 discount on any one-day workshop if you book by 30th September 2025. Choose from our most popular sessions like GDPR and FOI A to Z, or explore new topics like AI and Information Governance and Risk Management in IG.

Simply quote “23rd Anniversary” on your booking form to claim your discount.

Health Sector Data Protection Expert Joins the Act Now Team 

Act Now is delighted to welcome Raz Edwards, a leading expert in health sector information governance, to our team of associates. 

Raz brings over 17 years of experience as a Data Protection Officer, including more than a decade within the NHS. She currently serves as a DPO at a large NHS trust supporting acute, community, and primary care services, as well as research. Before joining the NHS, she spent six years as a Data Protection Officer in local government. 

She is the current Chair of the National Strategic Information Governance Network (SIGN), which brings together 24 regional networks across England and Wales, and also chairs the West Midlands SIGN. Her expertise has been further recognised through her appointment as a member of the Upper Tribunal (Administrative Appeals Chamber, Information Rights Jurisdiction) and the First-tier Tribunal (General Regulatory Chamber, Information Rights Jurisdiction). 

Raz holds master’s degrees in computer science, law, and leadership and is a certified data ethics professional. At Act Now, Raz will be developing new courses in her specialist areas, serving on our curriculum and exam board, and supporting the delivery of training ranging from one-day workshops to advanced practitioner certificate courses. 

Raz is the second expert from the Midlands to join our team this year. Dr. Malkiat Thiarai joined us in August.

Data (Use and Access) Act 2025: ICO Consultation 

Last month, the ICO launched public consultations on its guidance in response to the Data (Use and Access) Act 2025 (DUA Act) coming into force.

The DUA Act received Royal Assent on 19th June 2025. It amends, rather than replaces, the UK GDPR as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and the Data Protection Act 2018. (You can read a summary of the Act here.)  

The Act is not fully in force yet. The only substantive amendment (Section 78) to the UK GDPR that came into force on 19th June inserted a new Article 15(1A), relating to subject access requests: 

“…the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph.” 

Other provisions of the Act will commence in stages, 2 to 12 months after Royal Assent. The first commencement order, The Data (Use and Access) Act 2025 (Commencement No. 1) Regulations 2025, came into force on 20th August.  

Recognised Legitimate Interests 

The DUA Act amends Article 6 of the UK GDPR to introduce ‘Recognised legitimate interest’ as a new lawful basis for processing personal data. This covers activities such as crime prevention, public security, safeguarding, emergencies and sharing personal data to help other organisations perform their public tasks. The proposed ICO guidance aims to make it easier for organisations to successfully use recognised legitimate interest by explaining how it works, along with giving practical examples. Further details on the 10-week consultation, which closes on 30 October 2025, can be found here.  

Data Protection Complaints 

By June 2026, Data Controllers must have a process in place to handle data protection complaints. A complaint can come from anyone who is unhappy with how an organisation has handled their personal data. The proposed ICO guidance sets out the new requirements and informs organisations of what they must, should and could do to comply. Further details on the eight-week consultation, which closes on 19 October 2025, can be found here.  

Data protection professionals need to assess the changes to the UK data protection regime set out in the DUA Act. Our half day workshop will explore the new Act in detail giving you an action plan for compliance. A revised UK GDPR Handbook is now available incorporating the changes made by the DUA Act.

Information and Records Management Practitioner Certificate: Final Course for 2025

Act Now Training is pleased to report that the next Information and Records Management Practitioner Certificate course, starting in September, is fully booked. An additional course (November) has been added which will be the final course of 2025. 

Effective information and records management is vital for all organisations. It ensures compliance with legal requirements, mitigates risks, preserves institutional memory and facilitates efficiency. It is even more vital in an age of AI as the foundation of any AI system, especially Generative AI, is data. AI algorithms rely on vast amounts of data to learn, make predictions, and generate insights. Therefore, the accuracy, completeness, and reliability of this data are paramount.  

The IRM Certificate has now been completed by four cohorts since its launch last year. It meets the need of information management professionals to equip themselves with practical skills to navigate the full information and records lifecycle. The principal trainer, Scott Sammons, is a recognised expert on records management. He was previously the Chair of the Information and Records Management Society (2016-2020) and now leads the IRMS work on accreditation.  

The course is structured over four days, approximately one day per month, and can be undertaken online or in the classroom. Each day includes engaging discussions, exercises and case studies. Upon completion, delegates submit a practical assessment within 30 days. Personal tutor support is provided, throughout the course, together with comprehensive training materials. 

This course is also available to be delivered on an in house basis, online or at your premises. Please get in touch for a quote. 

AI Governance Practitioner Certificate: Final Course for 2025 

Act Now is pleased to report that the next AI Governance Practitioner Certificate course, starting in September, is fully booked. There are still a few places available on the next course, starting in October, which is the final one in 2025. 

The AI Governance Practitioner Certificate is designed to equip Information Governance professionals with the essential knowledge and skills to navigate AI deployment within their organisations. As we detailed in our previous blog “What is the role of IG Professionals in AI Governance?”, IG professionals should be aware of how this technology works so that they can help to ensure that there is responsible deployment from an IG perspective, just as would be the case with any new technology.   

So far thirty delegates, from a variety of backgrounds, have successfully completed the course, giving great feedback. Delegates have complimented us on the scope of the syllabus and the delivery style. Cora Suckley, Information Governance Service Manager, Digital Health and Care Wales said: 

“The AI Governance Practitioner Certificate exceeded my expectations. The content was comprehensive and well-structured, successfully bridging the gap between technical AI concepts and essential governance frameworks. The course delved into responsible AI principles, risk management, compliance, policy and ethical considerations, equipping me with practical tools to navigate the evolving regulatory landscape. 

The instructor was excellent and made the sessions interactive, highly engaging and applicable, providing real-world examples. This course provides a solid foundation for implementing AI governance in a meaningful and effective way.” 

The final course for 2025 starts in October. Places are limited so book early to avoid disappointment.  

Dr. Malkiat Thiarai Joins the Act Now Team 

Act Now is delighted to welcome Dr. Malkiat Thiarai to our team of associates. 

Our associates play a vital role in delivering our mission: helping to create a more privacy-conscious world by educating IG professionals. At Act Now, we pride ourselves on providing training that is clear, practical, and jargon-free — making complex topics accessible and engaging. 

Every one of our associates brings extensive real-world experience from the information governance sector. This expertise enriches our courses and ensures they remain relevant, insightful, and highly rated by our delegates. We are excited to have Dr. Thiarai join us in continuing this tradition of excellence. 

Dr. Malkiat Thiarai has worked for Birmingham City Council for over 30 years and has led the information governance function for over 20 years. He is currently the Head of Practice – Corporate Information Management and part of the council’s Digital and Technology Services multi-disciplinary leadership team. His role encompasses the duties of the Data Protection Officer as well as other aspects of information governance. He helps to improve the management of council data assets and provide strategic and operational management of information management.   

In 2021, Dr. Malkiat successfully completed a PhD in Urban Science from the University of Warwick. His research focussed on understanding the challenges and capability of using personal data held within public sector organisations for research purposes, and on using the analysis to develop new models of service delivery that are focused on social care data whilst balancing the rights of the individual to privacy and a personal life. He has previously completed the LLM Information Rights and Law as well as an MBA in Public Service.

Dr. Malkiat will be developing new courses around his area of expertise and sitting on our curriculum and exam board. He will also be assisting our team to deliver everything from one-day workshops to advanced practitioner certificate courses. 

Ibrahim Hasan, Director of Act Now Training, said:  

“I am very pleased that Dr. Malkiat has joined our team. I have known Malkiat for over 25 years. I am confident that, with his strong academic background coupled with experience of working in IG for many years, he will be a great contribution to our team developing innovative curricula to help foster a culture of responsible data usage, build public trust and drive positive change.”

The Role of PACE in Local Authority Regulatory Investigations

For local authority investigators, interviewing is at the heart of effective casework. Interviews aren’t just fact-finding conversations; they are a formal investigative tool with legal significance. The way you conduct them can determine whether your evidence stands up in court or during enforcement action.

But good interviewing isn’t just about instinct or experience. It requires a clear understanding of the law, particularly the Police and Criminal Evidence Act 1984 (PACE), and a professional approach supported by structured techniques like the PEACE model (Planning and preparation, engage and explain, account, closure and evaluation). 

When interviews are handled lawfully and skilfully, they generate reliable evidence, support sound decision-making, and protect the public interest. When mishandled, they can result in inadmissible evidence, failed prosecutions, or reputational damage to your authority. 

PACE  

PACE isn’t just for the police. If your investigation might result in a criminal prosecution, PACE applies to you too. This includes interviews carried out under caution by local authority officers acting in their enforcement role, whether you’re interviewing a business owner suspected of misleading trading, a landlord accused of a housing offence or a shopkeeper breaching licensing conditions.

PACE protects the rights of suspects and ensures fairness in the gathering of evidence. The key provisions every local authority investigator must know include: 

Caution 
You must caution a person before asking questions if you suspect them of an offence and intend to use their answers in evidence. The standard caution reads: 
“You do not have to say anything, but it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence.” 

Using the wrong caution, or failing to use it when required, risks making the evidence inadmissible. 

Right to Legal Advice 
Under PACE, suspects have the right to free legal advice. You must make them aware of this right before the interview starts. Proceeding without making this clear can jeopardise your case. 

Recording Interviews (Code E) 
Local authority investigators must follow the rules for audio-recording interviews when interviewing suspects for indictable offences or where required by enforcement policy. Correct handling, sealing, and storage of recordings protect both you and the interviewee. 

Safeguarding Vulnerable People 
If the interviewee is under 18 or considered vulnerable (for reasons such as mental health or learning difficulties), an appropriate adult must be present during the interview. Failing to ensure this safeguard can invalidate the interview. 

Avoiding Oppression and Misconduct 
You must always act with integrity and fairness, even in difficult interviews. 

Any evidence obtained through threats, unfair pressure, or oppressive behaviour is likely to be excluded.  

PEACE 

While PACE sets the legal rules, PEACE (Planning and preparation, engage and explain, account, closure and evaluation) provides a practical structure for conducting effective, professional interviews in the regulatory enforcement context. 

Unlike formal suspect interviews under PACE, PEACE can also help structure fact-finding interviews with witnesses, business representatives, or those who may later become suspects. 

1. Planning and preparation: Successful interviews start long before you sit down with the interviewee. Good planning involves: 

  • Clarifying your interview objectives. 
  • Understanding the evidence you already have. 
  • Deciding whether a caution is required. 
  • Considering the need for legal advice or an appropriate adult. 
  • Structuring your questions logically. 

Inadequate planning often leads to missed opportunities, legal errors or unreliable evidence. 

2. Engage and explain: Your professional approach is crucial. This includes: 

  • Building rapport and explaining the purpose of the interview. 
  • Clarifying rights and procedures, including the right to legal advice and, if relevant, explaining the caution. 
  • Being neutral, objective, and professional throughout. 

Your approach can affect the cooperation of the interviewee and the credibility of the evidence obtained.  Experienced interviewers have suggested that there is a positive correlation between constructive interpersonal relationships between the suspect and the interviewer and a higher level of information given. 

3. Account clarification and challenge: This is the main part of the interview. This includes: 

  • Starting with open questions.
  • Gaining the suspect’s explanation of what has happened in relation to the suspected offence.
  • Gradually asking more specific questions. 
  • Using closed questions if required to obtain finer details. 

4. Closure: Closing an interview properly matters. You should: 

  • Summarise key points with the interviewee. 
  • Offer them the chance to clarify or add anything. 
  • Explain what will happen next in the investigation. 
  • Ensure all paperwork, recordings, and notes are accurate and complete. 

Closure isn’t just administrative; it helps protect the integrity of the investigation. 

5. Evaluation: After the interview, critically assess what happened. Ask yourself:

  • Did I meet my objectives? 
  • Was the interview PACE compliant? 
  • Has new information come to light requiring further action? 
  • Are my records and recordings complete? 

The evaluation stage reinforces accountability and learning, helping you improve your practice and ensure evidential quality. 

Regulatory investigations often operate in complex legal and social environments. PACE protects the rights of individuals and the admissibility of evidence. PEACE helps you apply structure, professionalism, and investigative skill. Mastering both frameworks is key to investigative success. 

Training 

Interviewing is a professional skill, and like any skill, it needs regular practice and updating. 

  • PACE Training: Make sure you’re familiar with the latest Codes of Practice, particularly around cautions, legal rights, and vulnerable interviewees. 
  • PEACE Interview Skills: Keep refining your questioning techniques, planning, and post-interview evaluation. 
  • Scenario-Based Practice: Realistic training scenarios help bridge the gap between theory and practice. 

Regular training not only sharpens your skills but demonstrates your authority’s commitment to lawful and effective enforcement. 

Act Now has a range of customised in house training courses on RIPA, PACE, investigations and interview techniques. Our associates include Naomi Mathews who is a Senior Solicitor and was a co-ordinating officer for RIPA at a large local authority in the Midlands. Naomi has extensive experience in all areas of regulatory law and investigations.  She has worked as a defence solicitor in private practice and as a prosecutor for the local authority in a range of regulatory matters including Trading Standards, Health and Safety and Environmental prosecutions. Naomi has higher rights of audience to present cases in the Crown Court. 

Get in touch if you would like a free 30 minute consultation to discuss your training needs. 

AI Governance Practitioner Certificate: First Cohort Successfully Completes Course 

Act Now is pleased to report that the first cohort of its new AI Governance Practitioner Certificate has successfully completed the course. 

This course is designed to equip Information Governance professionals with the essential knowledge and skills to navigate AI deployment within their organisations. As we detailed in our previous blog “What is the role of IG Professionals in AI Governance?”, IG professionals should be aware of how this technology works so that they can help to ensure that there is responsible deployment from an IG perspective, just as would be the case with any new technology.   

The first course ran over a four week period in May and June. It consisted of ten delegates from the health sector in Wales. They all successfully completed the course assessment in July. 

The course was extremely well received by the delegates who complimented us on the scope of the syllabus and the delivery style: 

“I took a huge amount from the course which will help shape the development of processes for us internally in the coming months.” Dave Parsons, WASPI Code Manager (Wales Accord on the Sharing of Personal Information)

“This was a superb course with a lot of information delivered at a carefully managed rate that encouraged discussion and reflection.  Literacy in AI and its application is vital – without it we cannot comprehend the ever changing level of IG threat and risk.” MA, Digital Health and Care Wales

“The training was very good. The instructor was also very knowledgeable about the subject.” HP, Digital Health and Care Wales

Cora Suckley, Information Governance Service Manager, Digital Health and Care Wales said: 

“The AI Governance Practitioner Certificate exceeded my expectations. The content was comprehensive and well-structured, successfully bridging the gap between technical AI concepts and essential governance frameworks. The course delved into responsible AI principles, risk management, compliance, policy and ethical considerations, equipping me with practical tools to navigate the evolving regulatory landscape. 

The instructor was excellent and made the sessions interactive, highly engaging and applicable, providing real-world examples. This course provides a solid foundation for implementing AI governance in a meaningful and effective way.” 

Two more cohorts are currently completing the course. The next course starts in September and has a few places left.  

Charity Receives £18,000 GDPR Fine

On Monday, a Scottish Charity (Birthlink) received a GDPR Monetary Penalty Notice of £18,000 after it destroyed approximately 4,800 personal records, up to ten percent of which may be irreplaceable. 

Birthlink is a charity specialising in post-adoption support and advice, for people who have been affected by adoption with a Scottish connection.
Since 1984 it has owned and maintained the Adoption Contact Register for Scotland. The Register allows adopted people, birth parents, birth relatives and relatives of an adopted person to register their details with the aim of being linked to and potentially reunited with family members. 

Key findings from the Information Commissioner’s Office (ICO) investigation include: 

  • Handwritten letters and photographs from birth parents amongst items destroyed 
  • Some people’s access to part of their family histories and identities may have been permanently erased due to systematic data protection failures 
  • Poor records management means true extent of actual loss will never fully be known 
  • The charity had limited knowledge of data protection obligations and lacked cost effective and easy-to-implement policies and procedures, which would likely have prevented the destruction. 

Background 

In January 2021, Birthlink reviewed whether they could destroy ‘Linked Records’ as space was running out in the charity’s filing cabinets. ‘Linked Records’ are files of cases where people had already been linked with the person they sought and can include handwritten letters from birth parents, photographs, and copies of birth certificates.  

Following a February 2021 Board meeting, it was agreed no barriers to the destruction of records existed but that retention periods should apply to certain files and only replaceable records could be destroyed. Due to poor record keeping, it is estimated some records were destroyed on 15 April 2021 with a further 40 bags destroyed on 27 May 2021.  

In August 2023, following an inspection by the Care Inspectorate, the Birthlink Board became aware that irreplaceable items had in fact been destroyed as part of the overall record destruction. It reported the incident to the ICO. 

ICO Findings 

The ICO investigation found the following infringements of the UK GDPR: 

  1. Birthlink’s destruction of manual records containing personal data of approximately 4,800 of its service users without authorisation or lawful basis (“Relevant Processing”) occurred as a result of its failure to implement appropriate organisational measures ensuring the security of the personal data contained in the records. In this regard, the ICO found that Birthlink contravened Articles 5(1)(f) and 32(1)-(2) of the UK GDPR (security).
  2. A significant contributing factor leading to the Relevant Processing was Birthlink’s failure to demonstrate compliance with the data protection principles in accordance with Article 5(2) of the UK GDPR. Birthlink has accepted that there was limited understanding of the UK GDPR at the time of the Relevant Processing until around March 2023 when it introduced data protection training for its staff.
  3. Despite acknowledging the high risk to affected service users arising from the Relevant Processing, Birthlink did not notify the ICO of the personal data breach until 8 September 2023. A delay of two years and five months represents a marked departure from the obligation to notify the ICO within 72 hours of becoming aware of a personal data breach in accordance with Article 33(1) UK GDPR.

Why a fine now? 

This fine comes two weeks after the catastrophic data breach involving the Ministry of Defence (MoD) was reported, following the High Court lifting a superinjunction. In February 2022, an MoD official mistakenly emailed a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy (ARAP). The data breach also contained personal details of more than 100 British officials including those whose identities are most closely guarded; special forces and spies.  

Despite the scale and sensitivity of the MoD data breach, the ICO decided not to take any regulatory action; not even a reprimand! In its press release, the ICO praised the MoD’s internal investigation and mitigation efforts, stating that “no further regulatory action is required at this time”.  

The ICO has been heavily criticised for their inaction. The Commons Defence Committee said it would launch its own inquiry, and Dame Chi Onwurah, chair of the Commons Committee for Science Innovation and Technology, said that it is writing to the Information Commissioner pushing for an investigation. Following this, the Information Commissioner issued a further statement explaining the ICO approach.  

Of course no one is suggesting that the ICO fine for Birthlink is an attempt by the ICO to move on from the MoD non-enforcement but readers may at least be wondering why a relatively small Scottish charity is fined whilst a large government department (which has been fined previously in similar circumstances) has faced no action at all.  

This case shows the importance of good records management in ensuring GDPR compliance. Our forthcoming workshop will help you implement records management best practice and understand how it can help manage the personal data lifecycle.