Hot on the heels of Data Protection Day comes the High Court’s judgment in Ashley v HMRC [2025] EWHC 134 (KB). This judgment, relating to Mr Ashley’s subject access request (“SAR”) to HMRC to get details of its tax investigation of him, is a real classic of data protection law (and lore), which advances the law in some ways and applies existing law in a manner that is highly instructive.
Everybody working in data protection should read it and the main points are set out below. (References are to paragraph numbers in the judgment.)
The Bottom Line
HMRC, while not losing on everything, really messed up:
- It took far too narrow an approach to the meaning of personal data;
- It took way too long to cough up any personal data in the first place;
- It provided much of the personal data in a manner that was impossible to understand;
- It did not search all of the organisation because that’s just the way it did things; and
- It wrongfully tried to rely on a statutory exemption.
Data controllers everywhere should review the judgment closely to make sure they do not repeat HMRC’s mistakes.
Delayed Response
Mr Ashley issued his SAR in September 2022. HMRC did not provide any data in response until February 2024 – after he had issued proceedings.
We see this time and again: data controllers feel free in their ability to ignore and resist data subjects until they see that the data subject is serious enough to go to court. But most data subjects lack Mr Ashley’s resources, so the controllers get away with it. It is particularly shameful that a government agency acts this way (and we see them doing so frequently).
What is personal data?
This question – the answer to which forms the basis of what a data controller must do when it receives a SAR – is not as simple to answer as you may think.
The court did a thorough and commendable review of past decisions, both High Court and CJEU, and guidance, from the ICO and Article 29 Working Party, to get us to a modern answer fit for use in today’s UK: information relates to a person and is thus their personal data when the information, by reason of its content, purpose or effect, is linked to a particular person (161).
Data protection nerds will note that the Judge has taken the Court of Justice of the European Union’s (“CJEU”) definition in Nowak v Data Protection Commissioner [2018] 1 WLR 3505 and made it part of English law. Quite right too.
She also states (finally) that Durant v Financial Services Authority [2003] EWCA Civ 1746, a famous early authority (in data protection terms), is not binding post-GDPR because it relates to a different definition of “personal data”. But she does not consign Durant to the scrapheap, and shows how it still may be useful. (164)
This brilliantly resolves the longstanding tension in English law between the narrower and broader conceptions of personal data: the broad conception has won, which should have been obvious from the moment we implemented the GDPR.
The application of the holding in the case shows that the broad approach nevertheless has limits:
- The judge ruled that the valuations of properties owned by Ashley, even though they are about objects, are his personal data, because the purpose of the information is to treat him in a particular way, and has a real impact on his rights and interests (175-78).
- Information about the properties themselves in reaching that valuation is personal data, as that is linked to him. But information about comparable properties used in reaching that valuation is not personal data, since it simply does not relate to him (180).
- Similarly, the full contents of the investigation into Mr Ashley is not his personal data because much of it is not linked to him (156). The inquiry thus remains very fact-specific, and must consider each document or piece of information on its merits.
Proportionality
Data controllers are not required to conduct disproportionate searches. In this case, HMRC (and a subsidiary agency) spent more than 300 hours responding to the SARs. The judge did not consider their searches were disproportionate (though she considered only about half of that time in her analysis, given the way the case was framed) (193).
In particular, she was not impressed by the fact that a lot of searching was conducted on the wrong basis. There is also a presumption that a data controller has proper systems. So if the lack of proper systems costs the data controller a lot of extra time – which was the case here – tough on them!
In addition: 1) in fighting this case, HMRC’s lawyers have certainly spent more than 300 hours; and 2) more than 300 hours to respond to a DSAR is quite a lot, though.
How much personal data should be provided
This has long been a bone of contention between data subjects and data controllers. Often, data controllers provide only information that is indisputably personal data and redact or withhold the rest. This means that the data subject will sometimes get page after page showing just his name and date of birth, with no other information to show how that data is being used. This frustrating practice has seemed at best to be observing the letter of the law while totally ignoring the spirit. Now Justice Heather Williams has made clear that such an approach is in violation of the letter too.
The point here is that we have a right of access under the law so that we can be aware of how our data is processed and verify its lawfulness. So the information provided must be intelligible and easy to understand. Decontextualised data is the opposite of that and frustrates the purpose of the GDPR’s subject access right.
This was recognised in a CJEU case called FF v Österreichische Datenschutzbehörde [2023] 1 WLR 3674, which makes clear that where necessary to understand if your personal data is being processed lawfully – which has to include an understanding of how and for what purposes it is being processed – then the data controller must provide “extracts from documents or even entire documents or extracts from databases which contain, inter alia, the personal data undergoing processing” (128). By clear implication, that means the data controller in such cases has to provide some information that is not personal data so the data subject can understand how their data is being processed.
The judge has now made the reasoning in FF a part of English law. (205) Hurrah!
So data controllers, stop supplying just “a decontextualised snippet of data”!
Exemptions
Last but certainly not least is the issue of exemptions. The Data Protection Act 2018 contains a number of exemptions to the GDPR’s subject access rights. And while Dr Johnson did not in fact say “Exemptions are the last refuge of a scoundrel”, that is only because he was unfortunate enough to die before the advent of data protection laws.
The thinking behind exemptions is that it is more important to keep some data confidential than to provide it to the data subject. And this is of course correct in general, and when applied properly. But data controllers, including (perhaps especially) government departments, rely on exemptions willy-nilly, knowing that most of the time they won’t be called on it.
In order to withhold some information, HMRC relied on what is known as the “Crime and Tax Exemption”, which allows it to withhold “personal data processed for … the assessment or collection of a tax … to the extent that [providing subject access] would be likely to prejudice [the assessment or collection of tax]”. Fair enough, in theory.
The courts have worked out how these exemptions should be applied. Properly, they have placed a pretty tight burden on the data controller to show how the disclosure would cause prejudice: the data controller must prove this is the case convincingly by evidence, “not by mere assertion” (134). That reference to “assertion” shows what often happens in practice.
The judge did not change the law, but the way she applied it is important:
- HMRC tried to rely on the exemption to withhold some information. Ashley said there could be no prejudice because his tax investigation had concluded. But no, said HMRC, what matters is not Mr Ashley’s case but the general picture: if the information was disclosed, it would provide an insight into HMRC’s approach to a tax settlement and would be used to the advantage of Mr Ashley or other taxpayers in dispute with HMRC (197). Their suspicion may have been that Mr Ashley, irked by his treatment, would tell everybody else how to get one over on HMRC.
- The judge was not having it, calling HMRC’s position “speculative”, and saying she could not see how information about a dispute that had long been resolved could help Mr Ashley or other taxpayers later.
- HMRC’s response was that “any insight is of some use”. The judge called that an “entirely vague proposition” (200). Pretty excoriating language from a High Court judge.
HMRC’s stance is a very common move by data controllers – if anybody else knows what we do, then all is ruined. This judgment should make them think twice about making indiscriminate use of that argument.