It’s one of the clearest rules in data protection: when someone makes a subject access request, you respond. You don’t block, erase, or conceal the records. Yet that’s exactly what a Yorkshire care home director did, and now he’s been fined.
The Information Commissioner’s Office (ICO) has successfully prosecuted a care home director who refused to respond to a subject access request (SAR).
Jason Blake, 56, of Bridlington Lodge Care Home in Yorkshire, was found guilty of blocking, erasing, or concealing personal records between April and May 2023 in order to prevent disclosure. The request had been made by a resident’s daughter, who held lasting power of attorney.
A look inside the case
The personal information requested included incident reports, CCTV footage, and care notes relating to the resident. Rather than comply, Mr Blake ignored the request, provided no justification to the ICO, and even attempted to cancel his registration as a data controller.
At Beverley Magistrates’ Court on 3 September 2025, Blake was fined £1,100 and ordered to pay £5,440 in costs after being found guilty under Section 173 of the Data Protection Act 2018.
The ICO’s Head of Investigations, Andy Curry, emphasised:
“Subject access requests [are] a fundamental right…By ignoring this request and refusing to provide any explanation, Mr Blake believed he was above the law.”
Why this case matters
SARs are one of the cornerstones of UK data protection law. Every individual has the right to know whether their personal data is being used, how it is being used, and to obtain a copy of that data. Organisations must respond within one month (extendable to three in complex cases). Altering, concealing, or deleting information with intent to avoid disclosure is a criminal offence.
In this case, the request was made under a lasting power of attorney. It’s true that POAs can sometimes raise complex issues, but the law provides ways to address those concerns. If Mr Blake had doubts, he could have sought clarification or challenged the request through proper channels. Instead, he gave no explanation at all and chose to conceal records, which is indefensible.
This case is a reminder that:
- No organisation is exempt: data protection applies to all sectors, including care homes.
- Powers of attorney are valid: unless challenged through appropriate legal channels, SARs made under PoA must be honoured.
- Training and procedures are critical: mishandling a SAR is both a compliance and reputational risk.
Jason Blake has now given every compliance trainer an unfortunate but valuable case study. His poor judgement demonstrates how quickly a simple SAR can escalate into a criminal prosecution. For organisations, the lesson is clear: ensure staff know their obligations under the Data Protection Act and GDPR, and put robust procedures in place to handle requests lawfully and responsibly.
Our UK GDPR and Data (Use and Access) Act 2025 (DUAA) courses automatically align with the UK’s evolving data protection regulations, so you will always have the latest training. Learn through interactive and engaging courses on how to keep data safe and approach data protection based on job role and risk exposure.
Try our UK GDPR and DUAA training today
