GDPR

English High Court ruling highlights five key lessons for handling data subject access requests

Published on 13th March 2025

There are a number of practical implications and technical learning points for data controllers emerging from the case of Ashley v HMRC


A recent landmark case on data subject access requests (DSARs), brought in the High Court by Sports Direct founder, Mike Ashley, against HMRC in respect of its handling of his DSAR, provides businesses with a number of valuable learning points and practical guidance on how to manage DSAR responses.

Background to dispute

The dispute arose from Mr Ashley's sale of a group of properties in 2012. HMRC challenged his valuation of the properties and, in 2016, Mr Ashley found himself facing a tax bill for an additional £13.6m. He appealed the bill, which was withdrawn a few months later, but that was not the end of the matter: he later exercised his right under Article 15 of the UK GDPR to access information relating to HMRC's tax enquiry, namely "…all information held in relation to our client since inception of HMRC's enquiry into our client (2011). For the avoidance of doubt we require a copy of any and all data held in relation to HMRC's enquiry that pertains to our client".

HMRC took a very restrictive approach to the DSAR. It had no dedicated DSAR team and searches were limited to data processed by the department which received the DSAR, despite its knowledge that other departments were likely to have processed significant amounts of Mr Ashley's personal data. In its response to the DSAR, HMRC initially disclosed nothing and then only copies of correspondence between HMRC and Mr Ashley's representatives, relying on "tax" and "legal privilege" exemptions as justification for withholding the remainder of his personal data.

After extensive exchanges with HMRC, Mr Ashley remained dissatisfied with its response and issued court proceedings regarding its handling of the DSAR. In January 2025, the High Court found in Mr Ashley's favour on most grounds, ruling that HMRC had not complied with legislative obligations in respect of handling his DSAR.

While the court's decision is unlikely to be the most welcome news for those on the receiving end of DSARs, businesses need to be aware of the learning points and factor these into their decision making, otherwise data controllers are likely to find themselves being challenged on the same or similar issues.

Lessons for data controllers

In general, this case emphasises why data controllers should proceed with caution if deciding to provide nothing in response to a DSAR – rarely will that bring an end to the matter. As in this case, it is more likely to prompt a complaint that the response was incomplete and inadequate, and encourage a more zealous approach by the individual to seek out the information they are looking for.

Scope of the search

Unsurprisingly, the court held that HMRC was wrong to limit searches to one particular department on the basis of internal policies and because the departments are run as separate entities.

Practical implications: Data controllers need to apply a "holistic across the business approach". This means that reasonable searches must reach all locations where personal data could be held and must not be limited by internal restrictions, even if that means searching different departments in an organisation.

Businesses should anticipate this case being used to support an argument that searches should take place across a group of companies (even where, for example, the wording of the DSAR referenced only the name of a single group company). This would be a trickier argument for individuals to pursue where group companies operate, both legally and in practice, as self-contained entities. However, more careful consideration would be needed where services are shared across the group. 

Concept of personal data

The court ruled that HMRC applied an unduly restrictive approach to what constitutes personal data and set out guidance on how to determine what information constitutes personal data in practice: information that is not personal data per se may become personal data if linked to the individual by reason of its content, purpose or effect.

For example, in the context of the HMRC enquiry, valuations of Mr Ashley's properties were his personal data because they were being processed for the purpose of calculating his tax liability (so the information was directly linked to him), whereas details about comparable properties not owned by him which assisted in valuation of his properties were unlikely to constitute personal data. This is a wider definition of personal data than sometimes applied, which clearly has relevance in a disciplinary and/or grievance context. 

Practical implications: Personal data can include information relating to an individual to the extent it impacts them or where it is used to evaluate their interests, rather than just where it identifies them directly and/or where they are obviously the focus of the information. The decision-making process involves looking at each individual piece of information (rather than whole categories of processing, such as HMRC's property valuations) to determine whether it is linked to a data subject as a result of the content, purpose and result/effect of the information.

Consistency is also important here: the court criticised HMRC for inconsistencies in the approaches to disclosure applied by different departments. This is a problem that can arise in any situation where a DSAR response is compiled by different internal and/or external entities. It is avoidable if a clear strategy is agreed and followed from the outset, not just in relation to an individual DSAR but also on a wider level to ensure consistency of approach to DSARs throughout an organisation.

This case also emphasised the need to be transparent with the individual about the details of the search and to keep a log of key decisions as an audit trail. The latter can be referred to in the event a data subject and/or the ICO subsequently questions the data controller's approach to disclosure of personal data.

Reasonable and proportionate searches

HMRC argued that more extensive searches would have been "disproportionate" on the basis that a search of one department alone had taken 150 hours. The court said that HMRC had applied the incorrect approach, so the time spent could not be regarded as disproportionate; in any event, the amount of time spent does not, by itself, outweigh the requirement that the search be reasonable and proportionate in other regards, particularly given the size of the organisation and the resources available to it.

Practical implications: Businesses need to re-think their understanding of what is reasonable and/or disproportionate and not base any arguments on time alone.

Reliance on the tax exemption

The tax exemption allows a data controller to withhold personal data if disclosure is likely to prejudice the assessment or collection of tax. 

The court clarified that "likely" connotes a "very significant and weighty chance of prejudice" which must be satisfied by evidence as opposed to anything speculative. HMRC had not provided such evidence, particularly given that the tax dispute had been resolved, and it was therefore hard to see how disclosure of Mr Ashley's personal data would give any insight into HMRC strategy.

In future, businesses can expect to see this high burden of proof being applied to other exemptions that are justified on the basis of "likely prejudice". In an employment context, such exemptions might be relied on where disclosure of records of intentions in negotiations, or of management forecasting or management planning, could prejudice those negotiations or the conduct of the business.

Practical implications: Exemptions cannot be used as a blanket to deny access to whole categories of data – they can only be justified if applied in a granular way to individual pieces of information. So, if a business is relying on an exemption which requires prejudice, it must be able to show evidence of prejudice or demonstrate how the information would be very likely to cause the prejudice.

Provision of data

The UK GDPR requires that information provided in response to a DSAR must be provided in a concise, transparent and intelligible form. 

The court held that HMRC's disclosure of extracts was unlikely to meet intelligibility requirements where all content was redacted except for Mr Ashley's name or initials. It emphasised that there is an obligation to supply additional contextual data where it is "necessary" to ensure that personal data is intelligible, so that individuals can assess the lawfulness of processing and whether to exercise their other data rights conferred by the UK GDPR (such as rectification, erasure or the right to object to processing).

Practical implications: Businesses should be careful that the approach to redaction and/or extraction of data does not decontextualise information so as to render it unintelligible (the "does it make sense?" test). This may mean that businesses need to provide additional information giving context for clarity.

Osborne Clarke comment

In addition to giving an indication of how the courts assess compliance with DSAR obligations, this case provides a stark reminder that the right of access is treated by them as a fundamental right and a gateway to other data rights.

Although few cases go all the way to court, with the significant time and cost implications being a disincentive for many, cases like this generate greater awareness among individuals of how DSARs can be used to understand how decisions about them have been reached. As such, we expect to see increased reliance upon DSARs and there is no room for "slack in the system" – data controllers are expected to know their obligations and design their systems accordingly.

We have a designated DSAR team focused on helping clients respond to employment-related DSARs. We offer a range of options from ad hoc advice to handling the DSAR from receipt through to completion, as well as bespoke arrangements to meet client needs. In the absence of a robust and compliant strategy, responding to a DSAR can be a tricky, time consuming and costly exercise so please do get in touch if you would like to discuss how we can help you to navigate this process.

This case was discussed at Osborne Clarke's GDPR for HR event, held in London on 5 March 2025. If you were unable to join us, our Dipping into Data 2025 spring series features a GDPR for HR webinar on 20 March. Register for the webinar.

If you would like to join the GDPR for HR network, please sign up here.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.