HMRC Ordered By The Court To Reconsider Its Response To A DSAR

Background

Michael Ashley v The Commissioners for His Majesty’s Revenue and Customs [2025] EWHC 134 (KB)

This dispute arose from a Data Subject Access Request (DSAR) made by Michael Ashley’s solicitors on 13 September 2022. Within the request, he asked to be provided with copies of his personal data processed by HMRC in connection with an enquiry into his tax return for the 2011/12 tax year. The enquiry was conducted by the Wealthy and Mid-Size Business Compliance department (WMBC) and therefore, the DSAR was sent directly to the WMBC.

Article 12(3) of the UK GDPR requires a data controller to provide a response to a DSAR without undue delay and in any event within one month of receipt of a request. The timescale for response can be extended by a further two months, where necessary in relation to particularly complex requests.

HMRC asked for an additional 2 months to respond to the DSAR, and on 5 December 2025, provided its substantial response. Within the response, HMRC refused to provide Mr Ashley with copies of his personal data.

As a result, Mr Ashley issued proceedings on 12 January 2024. Following the issuing of proceedings, HMRC provided some data to Mr Ashley on 15 February 2024, 28 February 2024, 2 July 2024 and 15 October 2024. On 15 October 2024, HMRC also provided personal data extracted from documents held by the Valuation Office Agency (VOA), an agency within HMRC.

HMRC accepted that it had breached its obligations under the UK GDPR by failing to provide Mr Ashley with copies of his personal data within the requisite time frame. They accepted that they should have provided Mr Ashley with the data (excluding the personal data held by the VOA) by 5 December 2022.

The issues to be determined by the Court were as follows:

Issue 1 – scope of the request

The judge found that the DSAR was in very broad terms as it sought “any and all data held in relation to HMRC’s enquiry”. The request was not limited in any way to a particular department or agency of HMRC, and accordingly, the scope of the DSAR was not limited to data processed within WMBC.

Issue 2 – definition of personal data

The judge found that the data relating to the assessment of Mr Ashley’s tax liability did not necessarily amount to personal data per se and that it would only amount to personal data if the purpose or effect was linked to Mr Ashley. The judge asked HMRC to reconsider its response to the DSAR keeping this in mind.

Issue 3 – extent of HMRC’s search

The judge linked this issue to the scope of the request. She clarified that the burden is on the controller to show that supplying a copy of the information would involve a disproportionate effort. She concluded that as the scope of the request was not limited by department, HMRC were obliged to search for the data processed by the VOA and therefore, the search they had carried out was inadequate.

Issue 4 – had HMRC complied with its obligation when providing the data to Mr Ashley

The judge concluded that as a result of Issue 1 above, HMRC had adopted an unduly narrow approach in relation to Mr Ashley’s personal data and therefore, they remained in breach of the obligations notwithstanding the disclosure of data. The judge also referred back to issue 2 and the Defendant’s failure to provide the data processed by the VOA. The judge determined in relation to this that HMRC had been in breach until 15 October 2024 when it provided the data processed by the VOA.

Lastly, the judge considered whether HMRC had actually provided all of the data they were required to provide and whether their reliance on the first tax exemption present within the Data Protection Act 2018 (DPA 2018) was appropriate. The judge accepted that the personal data was being processed for one of the purposes set out in Schedule 2 Paragraph 2 of the DPA 2018. The judge, however did not consider that HMRC had sufficiently discharged the burden that providing the data would be likely to prejudice the assessment or collection of tax.

The Court ultimately ordered HMRC to reconsider its response to the DSAR.

Comment

The above is an important reminder of the many pitfalls when responding to a DSAR and the importance of seeking legal advice if you are unsure as to your position.