Personal data and subject access rights: the risks of adopting “too narrow an approach”

14 February 2025

The recent ruling in Ashley v HMRC provides detailed judicial guidance on responding to data subject access requests (known as DSARs). The judgment addresses several questions which frequently arise in practice, including how to identify responsive personal data and the extent of the search required. 

In 2022, Mr Ashley submitted a DSAR requesting “all information held in relation to” him by HMRC relating to an enquiry between 2014 and 2016 concerning the valuations for tax purposes of properties owned by him. 

Initially, HMRC refused to disclose anything more than some correspondence with his solicitors, citing exemptions under the Data Protection Act. After some further exchanges, and Mr Ashley commencing a High Court claim in January 2024 challenging its response, HMRC provided a number of schedules containing extracts of his personal data. However, Mr Ashley maintained the response was unsatisfactory and a two-day trial took place before Mrs Justice Heather Williams DBE in early December 2024.

Mr Ashley used a procedural mechanism under Part 8 of the Civil Procedure Rules which brings cases to trial quickly (in Mr Ashley’s case, within 12 months) and without needing to incur the costs associated with gathering extensive factual evidence. 

Although Mr Ashley was not entirely successful, the Court found in his favour on most of the issues in dispute, requiring HMRC to reconsider its response to the DSAR. 

There are four main takeaways from the judgment for data controllers responding to DSARs. 

1. Determining the scope of a DSAR 

The scope of a DSAR is to be determined on the basis of a fair reading of the request as a whole. Limitations or qualifications on scope must not be implied by reference to the data controller’s internal practice or policies. If there is uncertainty as to the scope of a request, the data controller may ask the data subject to clarify what data is sought, but only where that clarification is genuinely required in order to respond to the DSAR and the data controller processes a large amount of information about the data subject.

In Mr Ashley’s case HMRC insisted that, properly interpreted, his request was only for personal data held by its Wealthy and Mid-Sized Business Compliance Department (the WMBC). However, the Court held that this was not a fair interpretation of Mr Ashley’s “unambiguous” DSAR, which “was expressed in very broad terms” and therefore extended to personal data held within other HMRC departments. In particular, the request was broad enough to cover personal data held by the Valuation Office Agency (“VOA”) – an executive agency within HMRC – even though HMRC’s own internal practice was to treat the VOA as a separate entity for the purposes of responding to DSARs.

2. The meaning of “personal data” 

The judgment provides a lengthy overview of the existing authority (both English and European) on what constitutes personal data, and highlights some important points of detail.

  • Data will amount to “personal data” within the scope of a DSAR where it is information that by reason of its content, purpose or effect is “linked” to an individual.
  • Whether data is “linked” to an individual is to be construed in a broad way, but there is a “continuum of relevance.” Accordingly, “an indirect or tenuous link at several removes is unlikely to suffice”.
  • The data may concern an object (in Mr Ashley’s case, various properties) rather than an individual, but may relate indirectly to an individual (and therefore fall within the scope of a DSAR) by virtue of it belonging to them.
  • Subjective opinions, reasoning and assessments concerning an individual can be personal data (and therefore fall within the scope of the DSAR) where interlinked with or connected to information that more specifically relates to an individual.
  • However, the UK GDPR does not create a right to be given copies of a decision-maker’s reasoning. Mr Ashley was not, therefore, entitled to see how HMRC had reached its own property valuations – unless the information was (as above) interlinked with information which specifically related to Mr Ashley.

3. What is a reasonable and proportionate search?

A data controller is obliged to undertake a reasonable and proportionate search for data in response to a DSAR. The search does not need to involve disproportionate effort. Whether the effort required would be disproportionate is to be assessed objectively according to the wider circumstances of the request at the time it is made.

HMRC had argued that its officers had spent hundreds of hours responding to Mr Ashley’s DSAR and so it could not reasonably or proportionately be expected to do any more. But the Court disagreed, noting that:

  • as a data controller, HMRC bore the burden of establishing that supplying further information would be disproportionate. It had failed to satisfy that burden; and 
  • HMRC was also expected to understand its obligations to respond to DSARs and to design its systems accordingly. It could not therefore rely on internal practical difficulties arising from how it had decided to organise the data it held.

The Court also highlighted two further notable points.

  • Determining whether disproportionate effort would be involved in responding to the DSAR requires more than just an assessment of the time spent searching for responsive information. The time and effort required should be considered in the round, including the time taken to consider the application of relevant exemptions (such as privilege) and (if necessary) applying redactions.
  • If a data controller can point to a “cogent and reasoned” (i.e. logical and justified) assessment at the time the DSAR was made that a particular search was disproportionate, then that is likely to support the proposition that undertaking additional steps would have been unreasonable.

4. The provision of personal data in a concise, transparent and intelligible manner

A data controller is required to provide personal data in a concise, transparent, intelligible and easily accessible form. Providing decontextualised snippets of personal data is too narrow an approach. Where necessary, a data controller is obliged to supply additional contextual data so that the data subject can properly understand how their data is processed. 

HMRC adopted what is now a common practice of providing Mr Ashley with a schedule of extracts of his personal data, as opposed to providing copies of the documents containing such data. This approach is typically adopted as the data subject’s right is a right to access data, rather than a right to access documents. However, in some cases HMRC only provided Mr Ashley with snippets of personal data such as his name or initial, without any further context or explanation. 

The Court held that providing these decontextualised snippets of personal data was insufficient, because it rendered the data unintelligible (in other words, it made it impossible for Mr Ashley to understand how the data was being used by HMRC). The Court held that where “necessary”, a data controller is obliged to supply additional contextual data, although the strict nature of the “necessity” criterion was emphasised.

Comment 

Responding to DSARs has been a costly and time-consuming reality for most businesses for a number of years. Data subjects will often submit DSARs as a tactical step either in the context of another dispute (for example, as a route to receiving advanced disclosure) or to seek to exert pressure on the data controller for other reasons. A data controller is required to respond to a DSAR save where the request is “manifestly unfounded or excessive”. This is a high bar that is met where, for example, the request is malicious in intent, or the data subject submits it but then offers to withdraw it in return for some sort of benefit from the data controller.

This recent decision reflects some of the main challenges faced by data controllers when dealing with a DSAR. It also adopts, for the first time in English law, a number of principles laid down in recent European case law which encourage the provision of information. 

While cases involving DSAR compliance are still relatively unusual (perhaps because litigants are not usually as well-resourced and motivated as Mr Ashley), this case highlights the potential risks when data controllers do not comply with their obligations and why it is important to take advice when responding.