The Taxman Cometh: Data Subject Access Requests (DSARs) in Ashley v HMRC

7 May 2025

Ashley v HMRC [2025] EWHC 134 (KB) is the latest example of the UK courts answering questions about the scope of data subject access requests (DSARs).  In this article, I look at some of the key takeaways from the judgment for those of us who deal with DSARs in practice.

 

Background

The background to the Ashley case involves the eponymous UK businessman (first name Mike, owner of the Frasers Group) and his tax affairs with His Majesty’s Revenue and Customs (HMRC).  Through his lawyers, Ashley submitted a DSAR to HMRC for personal data relating to his tax return for the 2011/12 tax year.  Ashley challenged HMRC’s response to his request, claiming that:

  1. HMRC did not apply a wide enough meaning to what constituted Ashley’s ‘personal data’;
  2. the search carried out by HMRC was inadequate; and
  3. certain exemptions were improperly applied.

On that basis, Ashley argued that HMRC had not disclosed all of the personal data to which he was entitled.

Key points to note

In examining the issues raised above, the court made a number of findings which are relevant to how we deal with DSARs in practice.  Many of these reinforce existing established principles from earlier case law and/or the ICO guidance.

It’s also interesting to note that – despite Brexit – the High Court continues to draw strongly on the case law of the Court of Justice of the European Union (CJEU) in relation to data protection, noting the shared history in this space, as well as the ongoing near-identical nature of the EU and UK versions of the GDPR with respect to foundational concepts.

In my view, the key points to note from Ashley are the following:

  • Form of DSARs – DSARs can be made informally (the law does not impose any requirements as to form), and must be interpreted fairly by the controller. Broad and even vaguely worded requests still need to be handled in good faith. Whilst controllers can request clarification, they cannot demand that requests are made in a certain way (e.g., via a dedicated webform or checklist).

 

  • Scope of business units – Organisations cannot limit the scope of their response based on the internal separation of business units. The court overturned HMRC’s attempt to restrict Ashley’s broadly worded request to its ‘wealthy individuals and mid-sized business compliance’ (WMBC) division, and to not provide any of Ashley’s personal data held by another part of HMRC – the Valuation Office Agency (VOA) division.  It remains to be seen how far this principle would be extended in the context of a group of companies – for example, if a request is submitted to one entity in a corporate group, is it necessary to provide personal data held by all entities within the group?  This is often context specific, but as a general rule our experience shows that the ICO does not like companies taking an overly rigid approach.  If a data subject would not be able to perceive any difference between legal entities – because those legal entities are operationally integrated with one another (including with respect to IT systems) and/or because they perform the same functions, in terms of delivering services to customers or employers – then it may be necessary to provide data held by more than one entity.

 

  • A broad and purposive meaning of ‘personal data’ – This is necessary to ensure that the right of access is effective. In particular, the court reminds us that ‘personal data’  includes all information ‘relating to’ the data subject, where the ‘relating to’ requirement is satisfied if ‘the information, by reason of its content, purpose or effect, is linked to a particular person’ (per the test set by the CJEU in the Nowak case). Consequently, information in a document that talks about how a person will be evaluated or treated (in this case, in relation to his tax affairs) is that person’s personal data, and not just the direct references to that person’s name or initials.

 

  • A ‘reasonable and proportionate’ search – This remains the legal standard in terms of what controllers are required to do when responding to a DSAR. This is a helpful and well-established ground rule for controllers, which means it is not necessary to ensure that no stone is left unturned when searching for data.  However, in Ashley the court emphasised that the onus is on the controller to show that supplying a copy of the information would involve disproportionate effort.  This is likely to require a considered, contemporaneous assessment that a search would be disproportionate, highlighting the importance of documenting all aspects of how a DSAR is handled.

 

  • Supplying additional contextual data – This may be necessary to ensure that the provision of the data subject’s personal data is intelligible (per the CJEU in FF). For example, decontextualised references to names or initials may require further explanation of the context from which they were extracted, which might include needing to provide additional passages from the document containing the individual’s personal data or even the entire document.  However, the requirement to supply additional contextual information is very fact specific and in many instances won’t be necessary as the personal data in itself will meet intelligibility requirements.
James Clark
Partner - Data Protection, AI and Digital Regulation