This blog was co-authored by Rebecca Young and Peter Bryant.

In a recent and rare data protection decision in Ashley v HMRC [2025] EWHC 134 (KB), the High Court held that HMRC had failed to comply with its obligations under Article 15 of the UK GDPR when responding to Michael Ashley’s subject access request for all personal data pertaining to the HMRC’s enquiry into his tax return for 2011/2012.

The background to Ashley’s Data Subject Access Request (DSAR) involved an enquiry conducted by HMRC’s Wealth and Mid-Size Business Compliance department (WMBC) into properties sold at an alleged overvaluation. HMRC maintained that Ashley had derived a benefit that gave rise to a tax liability of £13.6m. It is reported that Ashley appealed. The parties then entered into a discussion and HMRC later withdrew the closure notice.

Under Article 15 of the UK GDPR, a data subject has a right to obtain from a data controller, in this instance HMRC, confirmation as to whether their personal data was/is being processed and to understand the personal data process in a meaningful and contextualised way Ashley is reported as having submitted a DSAR to obtain the facts behind how the WMBC had reached its determination.

HMRC first responded to state that all of Ashley’s personal data was exempt from being disclosable. It later did respond, and the High Court decision looked at the adequacy of the response. The decision is a rare and important decision on the scope of a DSAR, what might fall to the defined term of “personal data” and the extent of a search that a data controller is required to carry out. It also looked at that tax exemption relied upon by HMRC.

The ruling against HMRC gave rise to the following that businesses should be alert to.

What did the request for ‘all data held’ encompass?

Given the broad expression used by Ashley in his DSAR of ‘any and all data held in relation to HMRC’s enquiry’, the High Court took a broad approach to both the scope of the DSAR and how personal data is defined.

The High Court held that the DSAR extended to include the Valuation Office Agency (VOA) (an executive agency within HMRC) as they were party to the enquiries made about Ashley’s tax return. The High Court rejected HMRC’s argument that as VOA had its own team to deal with DSAR, the two would not liaise with one another and HMRC was not required to include it within the search. The High Court held that HMRC had incorrectly applied its own internal division, and those were irrelevant to the terms of the DSAR.

HMRC also argued whether it would be “disproportionate” to undertake a search that included VOA. Under the UK GDPR / Data Protection Act 2018 a data controller is not obliged to carry out searches that would involve “disproportionate effort”. When considering the “effort” required to comply both the time required and difficulties in complying with the request should be taken into account. This can be the time spent addressing any exemptions may apply and to what extent the data should be redacted. It is an objective decision made on a case by case basis.

HMRC was the data controller of VOA and, on an objective view, it was not disproportionate for HMRC to include a search of VOA. This is a relevant principle for any business that might have separate divisions, within the one legal entity.

What amounted to ‘personal data’?

Under Article 4(1) of the UK GDPR, Personal Data has the following definition:

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Ashley claimed that all data processed by HMRC in the context of its assessment of his tax liability fell to the definition of personal data because of the nature and potential effect on him. Ashley claimed this included all valuations of properties and comparable properties. 

The Court decided a more subtle approach had to be taken as to whether information “relates” to a data subject and adopted a broad definition to personal data.

Information meets the criteria of the above definition if linked to the individual. It was found that a restrictive approach had been taken by HMRC. Information related to Ashley where it was valuations of his properties, and fell to the definition of his personal data, as directly relevant to the tax assessment. Information about comparable properties did not.

Did HMRC wrongfully treat personal data as falling with the scope of the ‘tax exemption’ at para 2 Schedule 2 of the DPA2018?

The “first tax exemption” allows entities to reject a DSAR on the grounds that the personal data is being processed for “the assessment or collection of a tax or duty or an imposition of a similar nature”.

Where this exemption is relied upon, the data controller must discharge the burden of proving that application of the DSAR provisions would be likely to prejudice the assessment or collection of tax. The strict test requires the party to show that any interference with the subject’s rights is proportionate to the reliance upon the exemption.

Even though the personal data fell within the exemption HMRC failed to show, through evidence, that there was any prejudice. The Judge could not see how disclosure would provide an insight into HMRC’s settlement strategy or how it would give Ashley any advantage in respect of any future tax disputes. When this was put to representative from HMRC the response was “any insight is of some use”. This was wholly rejected.

Providing personal data in a meaningful way

The final issue explored was whether HMRC had provided Ashley’s personal data in a “concise, transparent and intelligible” manner (article 12 of the UK GDPR). Whilst a data controller is not obliged to provide a data subject with the document in which their personal data is held, the Court held that providing snippets of personal data, such as Ashley’s name or initials, without any context was insufficient and incompatible with the rights of a data subject to understand the personal data held. This is a reminder to data controllers that providing heavily redacted documents, or information with no explanation is likely to be non-compliant.

The decision is helpful to both data controllers when responding to a DSAR, and data subjects is understanding how they might challenge the scope of any DSAR.