When Ignoring a GDPR Subject Access Request Becomes a Crime 

In March 2025, the Information Commissioner’s Office (ICO) issued reprimands to two Scottish councils for repeatedly failing to respond to subject access requests (SARs) within the statutory timeframe under the UK GDPR.
This is the ICO’s usual practice when it comes to complaints about SARs. However, it recently went a step further and issued criminal proceedings against a company director.

Section 173 of the Data Protection Act 2018 makes it a criminal offence, where a person has made a SAR, to “alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.” The Data Controller can be prosecuted, as can “a person who is employed by the controller, an officer of the controller or subject to the direction of the controller.”

On 3rd September 2025, the director of a care home in Bridlington was found guilty of an offence under S.173. Jason Blake, 56, was found to have blocked, erased, or concealed records held by Bridlington Lodge Care Home between 12th April and 12th May 2023 to prevent information being disclosed.

The background to the case is as follows: In April 2023, a woman requested personal data about her father from Bridlington Lodge Care Home. She had the authority to do so due to a lasting power of attorney. The personal data requested included incident reports, copies of CCTV footage and notes relating to her father’s care.

After Mr Blake refused to respond to the request, a complaint was made to the ICO. During the investigation, Mr Blake did not provide any explanation about why his organisation would not respond to the SAR. The court ordered him to pay a fine of £1,100 and additional costs of £5,440. 

This prosecution, possibly the first of its kind, is a warning to employees and directors of Data Controllers to ensure that they have systems in place to respond to SARs in a timely manner. Failure to do so could lead to personal liability and a criminal record.  

There is potentially more subject access court drama to come. In March, the campaign group Good Law Project (GLP) “filed a trailblazing new group action” against Nigel Farage’s Reform UK at the High Court. GLP claims that Reform failed to comply with a number of subject access requests and is seeking damages on behalf of the data subjects. This is the first case in the UK under Article 80(1) of the UK GDPR, which allows data subjects to mandate a body or organisation to act on their behalf to lodge complaints, exercise data protection rights, and seek compensation for infringements of their data protection rights.

Our upcoming Handling SARs course can help you deal with complex subject access requests.  

Council Loses High Court Damages Claim for Misuse of Personal Data 

A recent High Court judgment highlights the importance of data controllers treating personal data in their possession with care and in accordance with their obligations under the General Data Protection Regulation (GDPR). Failure to do so will also expose them to a claim in the tort of misuse of private information.

The Facts

In Yae Bekoe v London Borough of Islington [2023] EWHC 1668 (KB) the claimant, Mr. Bekoe, had an informal arrangement with his neighbour to manage and rent out flats on her behalf, with the income intended to support her care needs. In 2015, Islington Council initiated possession proceedings against Mr Bekoe. During the proceedings, the council submitted evidence to the court, including details of Mr. Bekoe’s bank accounts, mortgage accounts, and balances. This provided a snapshot of Mr. Bekoe’s financial affairs at that time. Some of this information, it appears, was held internally by the Council, and disclosed by one department to another for the purpose of “fraud”, whilst other information was received after making a court application for disclosure by the bank and Mr Bekoe.

Subsequently, Mr. Bekoe filed a claim against Islington Council, alleging the misuse of his private information and a breach of the GDPR. Amongst other things, he argued that the council obtained his private information without any legal basis. Mr. Bekoe also claimed that the council failed to comply with its obligations under the GDPR in responding to his Subject Access Request (SAR). He made the request at the start of the legal proceedings, but the council’s response was delayed. Mr Bekoe also claimed that the council was responsible for additional GDPR infringements, including failing to disclose further data and destroying his personal data in the form of the legal file which related to ongoing proceedings.

The Judgment

The judge awarded Mr. Bekoe damages of £6,000 considering the misuse of private information, the loss of control over that information, and the distress caused by the breaches of the GDPR. He ruled that the information accessed went beyond what was necessary to demonstrate property-related payments. Regarding the breach of the GDPR, the judge concluded that: 

  • The council significantly breached the GDPR by delaying the effective response to the subject access request for almost four years. 
  • There was additional personal data belonging to Mr. Bekoe held by the council that had not been disclosed, constituting a breach of the GDPR. 
  • While the specifics of the lost or destroyed legal file were unclear, there was a clear failure to provide adequate security for Mr. Bekoe’s personal data, breaching the GDPR. 
  • Considering the inadequate response to the subject access request, the loss or destruction of the legal file, and the failure to ensure adequate security for further personal data, the council breached Mr. Bekoe’s GDPR rights under Articles 5 (data protection principles), 12 (transparency), and 15 (right of access). 
     

The Lessons

Whilst this High Court decision is highly fact-specific and not binding on other courts, it does demonstrate the importance of ensuring there is a sound legal basis for accessing personal data and for properly responding to subject access requests. Not only do individuals have the right to seek compensation for breaches of the UK GDPR, including failures to respond to subject access requests, but the Information Commissioner’s Office (ICO) can also take regulatory action, which may include issuing reprimands or fines. Indeed, last September the ICO announced it was acting against seven organisations for delays in dealing with Subject Access Requests (SARs). This included government departments, local authorities, and a communications company.

This and other GDPR developments will be discussed in our forthcoming GDPR Update workshop.