3 April 2025

Access All Areas? Not Quite! Ashley v HMRC Brings Fresh Guidance On Responding To Data Subject Access Requests

Lewis Silkin


In a rare instance of a data decision reaching the High Court, the recent judgment of Ashley v The Commissioners for His Majesty's Revenue and Customs [2025] EWHC 134 (KB) has provided welcome clarification on data subject access requests ("SARs").

Background

The claim arose from a SAR submitted by Mike Ashley, seeking access to all personal data processed by HMRC in relation to an enquiry into his tax return. The enquiry was conducted by the Wealthy and Mid-Size Business Compliance department ("WMBC") and determined that Ashley had sold properties at an overvaluation and therefore owed more money in tax. Ashley's SAR was submitted to obtain the facts behind how the WMBC had arrived at that determination.

HMRC initially refused to provide any personal data, citing exemptions related to tax and legal professional privilege. However, following issuance of legal proceedings, HMRC disclosed five separate schedules of personal data processed by the WMBC and the Valuation Office Agency ("VOA"), an executive agency within HMRC.

HMRC accepted that it had breached its obligations under Article 15(3) of the UK GDPR (a data controller must provide a data subject with a copy of their personal data undergoing processing) by failing to provide Mr Ashley with copies of his personal data.

However, several matters remained in dispute. These included the scope of the SAR, the definition of Mr Ashley's personal data, the extent of the search the Defendant was required to undertake and whether copies of all of Ashley's personal data that it processed were provided to him. These were addressed in the judgment.

Findings

1. Scope of the SAR

The first issue was whether the SAR was limited to personal data processed by the WMBC or whether it extended to data processed by the VOA.

HMRC claimed that, since the VOA has its own team who deal with SARs, it would not be normal practice for HMRC to liaise with them when a SAR is received by the VOA, and vice versa. Following this logic, HMRC did not consider the data held by the VOA to be within the scope of the SAR, because the SAR was sent directly to the WMBC.

The court found that HMRC had incorrectly applied its own internal limiters by treating VOA as a separate entity and not extending SAR searches to that agency. The terms of the SAR were broad enough to encompass all personal data related to that request and any internal practice of treating two divisions as separate entities cannot alter the scope of that request. Therefore, the scope of the SAR extended to data processed by the VOA despite the internal limits imposed by HMRC.

Data controllers responding to SARs should carefully consider the scope of SARs and ensure that they are not falsely limiting the personal data they are providing to data subjects.

2. Definition of personal data

The second issue concerned the definition of personal data. Ashley argued that all data related to the enquiry (including valuations of properties and information about comparable properties) constituted his personal data due to the impact it had on him.

The court adopted a broad interpretation of personal data, holding that personal data includes information that, by reason of its content, purpose, or effect, is linked to an individual.

This focus on what the information "relates" to resulted in the valuations of Ashley's properties forming part of his personal data, as they were directly relevant to the assessment of his tax liability. However, information about comparable properties not owned by Ashley was excluded from the SAR.

3. Extent of search

The third issue was whether HMRC was obliged to search for Ashley's personal data processed by the VOA as well as that processed by the WMBC. The court confirmed that HMRC should have conducted searches across all relevant departments including the VOA. HMRC had not established that searching the VOA's data would be disproportionate, bearing in mind the importance of the data and resources available.

The practical difficulties arising from the distinction between entities were not considered a valid reason to withhold the data, as data controllers should be expected to know their obligations and design their systems accordingly.

4. The tax exemption

The fourth issue concerned the application of the tax exemption under paragraph 2 of Schedule 2 to the Data Protection Act 2018. HMRC had argued that certain data could be withheld as its disclosure would cause significant prejudice to the assessment and collection of tax.

The court rejected this argument, finding that HMRC had not provided sufficient evidence to demonstrate this.

5. Provision of intelligible data

The final issue was whether HMRC had provided Ashley's data in a concise, transparent and intelligible manner.

The court held that HMRC's practice of providing decontextualised snippets of data, such as Ashley's name and initials, was insufficient. Mrs Justice Williams emphasised that data must be provided in a manner which allows the data subject to understand the context and exercise their rights effectively, including the provision of additional contextual information.

Following this guidance, data controllers should try to avoid providing heavily redacted documents with few snippets of personal data, or tables of excerpts of personal data with no context, when responding to a SAR.

Conclusion

This case has provided significant clarity for both data controllers and data subjects. If you need support with a SAR, please reach out to a member of our Data, Privacy and Cyber team.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
