Thu 11 Sept 2025

Criminal liability for care home director: A cautionary tale on DSAR compliance for the Care Sector

In April 2023, the daughter of a resident, acting under lasting power of attorney, submitted a Data Subject Access Request (DSAR) seeking information about her father's care - including incident reports, care notes and CCTV footage.

Rather than complying with the request, the Director was found to have deliberately blocked, erased, or concealed the records held by the Care Home in an apparent attempt to prevent disclosure, which is a criminal offence under Section 173 of the Data Protection Act.

Following a complaint and investigation by the Information Commissioner's Office (ICO), the Director offered no explanation for the care home's refusal to respond. 

The Director was found guilty and ordered to pay £1,100 in fines and £5,440 in costs by Beverley Magistrates Court on 3 September 2025.

Key takeaways for the Care Sector 

This case serves as a stark reminder for all care providers that data governance isn't optional. Many care homes are dealing with sensitive health data on a daily basis and managing scenarios where residents are represented by next of kin, representatives and powers of attorney. 

As a reminder, data protection laws place legal obligations on organisations to:

  • Respond to DSARs within one month (with limited scope for extension).
  • Disclose all relevant personal data unless justifiable exemptions apply.
  • Avoid any attempt to alter, erase or conceal records to prevent lawful disclosure - which is a criminal offence. 

This recent ICO enforcement action highlights the importance of DSARs as a fundamental privacy right that empowers individuals to understand how their personal information is being used. The costs of mishandling a DSAR can be substantial, both financially and in terms of reputation. By establishing clear processes, training your team and embracing transparency, organisations can not only reduce the risk of regulatory penalties but also foster a culture of privacy compliance.

  • Implement clear DSAR policies and procedures: Ensure your staff are trained to recognise and act on DSARs promptly (with internal escalation occurring immediately). Ensure that staff understand when a third party is entitled to request data on behalf of another person. 
  • Maintain accurate and accessible records: Poor record-keeping makes searching for requested data difficult.
  • Avoid collecting and recording unnecessary data: Don’t record data that is not required. 
  • Don't delay: Failing to act on a DSAR is a breach; obstructing it is a crime.

This case is a powerful wake-up call for the care sector. Mishandling a Data Subject Access Request isn’t just a compliance issue—it can lead to criminal liability, reputational damage, and financial penalties. In a sector built on trust and care, transparency and accountability must be non-negotiable.

DSARs are not just administrative tasks—they are a legal right and a vital part of safeguarding personal data. Care providers must be proactive, not reactive, in their approach to data governance.

What you can do now

  • Review your DSAR procedures today: Make sure your team knows how to identify and respond to requests quickly and lawfully.
  • Train your staff: Equip them with the knowledge to handle sensitive data and third-party requests confidently.
  • Audit your records: Ensure your data is accurate, accessible, and necessary.
  • Act fast and act right: Delays can breach the law. Obstruction can lead to prosecution.

Need support?

Our data protection team works closely with care providers to navigate complex DSARs and build robust compliance frameworks. Whether you're reviewing your policies or responding to a live request, we’re here to help.

Co-authored by Nina Wright, Trainee Solicitor
