Director prosecuted by ICO: A wake-up call for all organisations

The recent prosecution of Jason Blake by the Information Commissioner’s Office (ICO) marks a pivotal moment in UK data protection enforcement. Jason Blake, director of Bridlington Lodge Care Home, was found guilty under Section 173 of the Data Protection Act 2018 for intentionally obstructing a Subject Access Request (SAR), a fundamental right in UK GDPR.

What is the right of access?

To better understand the case, it is important to note that the right of access is an individual’s right to request a copy of their personal data. Individuals can also use a third party to action such a request; this can be a family member, a solicitor, or someone else with authorisation from the individual to do so. SARs can be made either verbally or in writing. Organisations have one month to respond, and in some circumstances this can be extended to three months.

What happened in this case?

In this case, we see a daughter making a SAR on behalf of her father. The request sought access to incident reports, CCTV footage, and care notes.

Jason Blake refused to respond to the request, which led to the complaint to the ICO. When the ICO decided to investigate, Jason Blake did not have a good reason why the organisation had not responded to the SAR. As a result, he was found guilty in court and ordered to pay a fine of £1,100, along with an additional £5,440 in costs.

Why is this case important?

  1. Criminal Enforcement of SAR Rights: This case highlights the ICO’s power to prosecute employees of an organisation, rather than the organisation itself, when they alter, deface, block, erase, destroy, or conceal personal data relating to a SAR. It also shows the importance of understanding your obligations to information rights and the need for a balanced approach.
  2. Accountability of Individuals: The prosecution was aimed at Jason Blake personally, not the organisation. This reinforces the principle that directors and senior managers can be held individually liable, and therefore it is important to have the right GDPR compliance mechanism in the organisation.
  3. SARs as a Fundamental Right: The ICO’s commentary emphasised that SARs are not optional or negotiable, and failure to comply undermines transparency and trust.
  4. The care sector and bodies such as charities, where sensitive health data are routinely handled, must be especially aware of their compliance obligations under the UK GDPR.

Conclusion:

As the ICO continues to assert its enforcement powers, organisations must ensure they treat SARs as well as other obligations with the seriousness they deserve; not just as a regulatory requirement, but as a legal right with real consequences.

It seems there has never been a better time to ensure you appoint an experienced and reliable DPO. Having a DPO significantly reduces the risk for an organisation, its directors and its staff, as the DPO’s expertise contributes to the decision-making process, thereby reducing the risk of fines and prosecutions.

If you need support in dealing with SARs, or want to know more about our outsourced DPO service, please reach out to Hope & May at info@hope-may.com
