Why are DSARs so taxing?

In principle, Data Subject Access Requests (DSARs) appear straightforward – at least to the person making the request. The UK GDPR grants individuals the right to obtain information from businesses that process personal data about them. In practice, however, DSARs can be challenging and time-consuming for those on the receiving end of one. We often find ourselves asking “what is the individual entitled to receive?” or “does this document constitute their personal data?” The recent case of Ashley v HMRC [2025] EWHC 134 (KB) has provided significant insights into how businesses should handle DSARs and highlights just how onerous their obligations to comply with DSARs can be.

The facts

Between February 2014 and October 2016, HMRC undertook an enquiry (the enquiry) into Mr Ashley’s tax return. In late 2016, HMRC found that Mr Ashley had sold certain properties at an overvalue, meaning he had obtained a taxable benefit which in turn gave rise to a tax liability of £13.6 million. The tax liability was disputed and in 2022, Mr Ashley submitted a DSAR to HMRC under Article 15 UK GDPR, requesting all information that it held about him since the enquiry was launched.

HMRC initially refused to provide any data to Mr Ashley in response to his request and argued that it would rely on the tax and legal privilege exemptions as justifications for not disclosing his personal data to him. Mr Ashley issued court proceedings against HMRC in 2024, maintaining that the response he got from HMRC was unsatisfactory.

The issues for the High Court to determine were as follows:

  1. Scope: was the scope of Mr Ashley’s DSAR limited to personal data relating to the tax enquiry or did it extend to data being processed more widely?
  2. Personal Data: was data relating to Mr Ashley’s tax enquiry considered to be personal data under Article 4 UK GDPR?
  3. Searches: was HMRC obligated to carry out a search for personal data that was processed by the Valuation Office Agency (an executive agency within HMRC)?
  4. Providing the data: was HMRC entitled to rely on the tax exemption under the Data Protection Act 2018 and had it failed to provide Mr Ashley with his personal data in a concise, transparent and intelligible manner?

The Court found the following in relation to each issue:

  1. The scope of the DSAR was not limited to the personal data which was processed by HMRC in relation to the enquiry but included data which was also being processed by the Valuation Office Agency (VOA). The Court determined that HMRC was a data controller for the VOA and the scope of Mr Ashley’s DSAR was wide enough to encompass data that was being processed by the VOA.
  2. Data will constitute personal data where it is considered to be linked to the individual by way of its content, purpose or effect.
  3. HMRC had failed to demonstrate that searching across all departments relevant to the request would have been disproportionate.
  4. HMRC had also failed to demonstrate that disclosing Mr Ashley’s personal data would have caused significant prejudice to the tax case. The Court also held that providing decontextualised data was insufficient.

What can businesses learn from this case?

This case has shed some light on what businesses should be thinking about going forward when it comes to complying with DSARs. It can often be easy to look for an exemption to rely on or argue that a request is manifestly unfounded or excessive. Businesses should be careful not to apply exemptions too freely. One of the main challenges that businesses often face is determining what constitutes personal data, particularly if it involves documents that the business would rather not disclose because they contain something incriminating about the individual who has made the request.

  1. Carefully consider the scope of the DSAR you have received: what are the terms of the request? What searches should you be making? This case highlights that it is up to the data controller, i.e. the business that has received the request, to demonstrate why a search would not be proportionate.
  2. Assessments: what constitutes personal data? This can be a tricky exercise, particularly if data is being processed by other departments within your business. Be careful not to argue that further searches would be disproportionate. Bear in mind what resources you have and the importance of the data.
  3. Provide contextual information: Make sure the information provided is intelligible and includes necessary context. Consider whether redactions have been made appropriately.
  4. Apply exemptions correctly: You should be prepared to demonstrate how the information would cause the alleged prejudice if relying on exemptions. Avoid making unnecessary redactions that leave documents with little personal data and little context.
  5. Deadlines: Bear in mind the one-month response timeframe. Be mindful about the approach you are taking when it comes to DSARs. If you know that you process a large volume of personal data about the individual who has made the request, then you must make reasonable searches of all locations where data could be held. Avoid making internal restrictions when it comes to handling DSARs.

Case law involving compliance with DSARs is not common. Ashley v HMRC highlights the risks that businesses could face if they don’t comply with their data protection obligations or respond to DSARs correctly.

You can learn more about our data protection services here, but if you have any questions about compliance with DSARs or if your business is experiencing time-consuming data protection issues, please reach out to me directly at mspencer@prettys.co.uk.