Does subject access have to be taxing?

Posted on | by Timothy Pitt-Payne KC

Does subject access have to be taxing?

Blockbuster High Court judgments about subject access requests are a rarity. The judgment of Mrs Justice Heather Williams in Ashley v The Commissioners for His Majesty’s Revenue and Customs [2025] EWHC 134 (KB) (27th January 2025) gives us considerable food for thought.  Overall, it is good news for those making subject access requests.  For controllers, it is a sobering illustration of how onerous their obligations can be.

Mr. Ashley is a well-known businessman and entrepreneur.  Between February 2014 and October 2016, HMRC undertook an enquiry into his 2011/12 tax return (“the Enquiry”).  The Enquiry was conducted by HMRC’s Wealthy and Mid-Size Business Compliance Unit (“the WMBC”).  In October 2016 HMRC issued a closure notice, with a finding that Mr. Ashley had sold certain properties at an overvalue, giving rise to a taxable benefit on which there was a substantial tax liability.  Following Mr. Ashley’s appeal, the closure notice was withdrawn on 21st October 2022.

On 13th September 2022 Mr. Ashley made a subject access request (SAR) to HMRC under UK GDPR Article 15.  He sought all information held in relation to him by HMRC since the commencement of the Enquiry.  Initially HMRC refused to provide any data at all in response.  Following the issue of proceedings regarding the SAR, HMRC provided four schedules of personal data processed by the WMBC, and a separate schedule of personal data processed by the Valuation Office Agency (“VOA”), an executive agency within HMRC.  Mr. Ashley continued to maintain that HMRC had not properly complied with his SAR.

His claim was heard in December 2024.  By the end of the hearing, the agreed issues for the Court to resolve were (in summary) as follows:

Issue 1 – whether the SAR was limited to personal data regarding the Enquiry as processed within the WMBC, or whether it also extended to data as processed by the VOA.

Issue 2 – the extent to which data relating to the Enquiry amounted to Mr. Ashley’s personal data.

Issue 3 – whether HMRC was obliged to search for Mr. Ashley’s personal data as processed by the VOA.

Issue 4(a) – this involved consideration of various matters, including what the parties referred to as the “First Tax Exemption”, i.e. the exemption in paragraph 2 of Schedule 2 to the Data Protection Act 2018 (“DPA 2018”).  This exemption relevantly provided that the GDPR provisions as to the right of subject access did not apply to personal data processed for the purpose of the assessment or collection of a tax or duty or similar imposition, to the extent that the application of the subject access provisions would be likely to prejudice that matter.

Issue 4(b) – whether HMRC was in breach of its obligation to provide Mr. Ashley’s personal data in a concise, transparent and intelligible manner.

Below, I summarise how the Court resolved each issue.

Issue 1 was about the scope and interpretation of the SAR.

The Court approached this as an objective question, requiring consideration of the terms of the SAR read in its context, but without applying exacting standards of precision.  HMRC was a data controller for the VOA, and the terms of the request were broad enough to encompass Mr. Ashley’s personal data in respect of the Enquiry that was processed by the VOA.  HMRC’s internal practice of treating the main part of HMRC and the VOA as separate entities for the purposes of subject access requests could make no difference to the proper interpretation of Mr. Ashley’s request.  In all the circumstances, the Court construed the SAR as extending to data processed by the VOA.

Issue 2 was about what information “related to” Mr. Ashley for the purposes of the definition of personal data in UK GDPR Article 4(1).

For Mr. Ashley, it was submitted that all documentation processed by HMRC as regards the Enquiry constituted his personal data.  The Enquiry had considered the valuation of 32 specific properties disposed of by Mr. Ashley.  It was contended on his behalf that all the data relating to these 32 properties, including material about comparable properties taken into account by HMRC during the Enquiry, constituted Mr. Ashley’s personal data.  It was said that all of this material was central to HMRC’s investigation and inextricably intertwined with Mr. Ashley’s personal tax liability.

HMRC argued for a more limited approach, arguing that not all the information relating to how HMRC arrived at its valuations of the 32 properties constituted Mr. Ashley’s personal data.

The Court considered the far-reaching proposition advanced for Mr. Ashley, that all the data processed by HMRC in the context of the Enquiry’s assessment of his tax liability amounted to Mr. Ashley’s personal data, because of the nature of that exercise and its potential effect on him.  The Court rejected this approach as being too broad.  The question was whether particular pieces of information held by HMRC related to Mr. Ashley, rather than whether the overall exercise that HMRC were embarked upon related to him:  see the decisions of the CJEU in in Nowak v Data Protection Commissioner [2018] 1 WLR 3505 (“Nowak”) and FF v Ősterreichische Datenschutzbehörde [2023] 1 WLR 3674 (“FF”).

Following Nowak, the “relating to” requirement was satisfied where “the information, by reason of its content, purpose or effect, was linked to a particular person”.  In applying this test, the “content”, “purpose” and “effect” of the information were disjunctive ways in which it might be linked to an individual. However, in many instances these features were likely to overlap, and the position would be strengthened where a link existed in more than one of these senses.

The Court held that HMRC would need to reconsider the SAR, applying the above approach.

In relation to the 32 properties, the Court considered that the valuations of these were Mr. Ashley’s personal data.  The 32 properties were owned by Mr Ashley and HMRC’s valuations were directly relevant to its assessment of his potential liability to pay tax.  However, it did not follow that all the data generated by HMRC in arriving at those valuations was also his personal data.  For instance, it was difficult to see how details about comparable properties that Mr Ashley did not own and had no link to would be information relating to Mr Ashley. Similarly, it was difficult to see how information relating to HMRC’s processes would be information relating to him. On the other hand, data relating to the 32 properties themselves, used in HMRC’s assessment of their value, was likely to be Mr. Ashley’s personal data.

Issue 3 was about the extent of HMRC’s obligation to search.  The Court concluded that this obligation extended to data held by the VOA.  HMRC had not established that a requirement for it to search such data would be disproportionate.

Issue 4(a), in the light of the above findings, raised only one further point, namely whether HMRC was entitled to rely on the First Tax Exemption in relation to a certain (very limited) part of the personal data at issue.

The Court held that HMRC had not shown that the application of the subject access provisions would be likely to prejudice the assessment or collection of tax. “Likely” connoted a very significant and weighty chance of prejudice, to be established convincingly by evidence rather than assertion. The suggestion that the relevant data would provide an insight into HMRC’s position as to the settlement of future tax liabilities was, at best, merely speculative.

Issue 4(b) was about the requirement for personal data responsive to a SAR to be provided in a concise, transparent and intelligible form (see UK GDPR Article 12(1)).  The Court considered whether HMRC was required to provide anything more than a copy of the personal data, i.e. whether it was also required to provide contextual information. Relying on FF, the Court concluded that HMRC was obliged to provide contextual information where that was necessary for that personal data to be intelligible, in the sense of enabling the data subject to exercise their GDPR rights effectively.  Providing a documentary extract consisting of the Claimant’s name or his initials or other entirely decontextualised personal data was unlikely to suffice.

Overall, the decision is good news for those making subject access requests.  The approach taken to the meaning of personal data is a relatively wide one, though not as broad as Mr. Ashley had sought.  The requirement to provide contextual data is highly case-specific, but in future data controllers will find it hard to justify providing heavily redacted documents with only a few visible snippets of personal data.

Among Counsel, there was an 11KBW monopoly.  Anya Proops KC, leading Zac Sammour, acted for Mr. Ashley.  James Cornwell acted for HMRC.

At the coalface of EIR: investigative journalists win Whitehaven mine case

Posted on | by Ben Mitchell

At the coalface of EIR: investigative journalists win Whitehaven mine case

Rarely has a decision provoked so much ire as the last government’s approval of a new coal mine in Whitehaven in Cumbria. And not just from the usual green suspects: lesser-known eco-warriors the CBI thought it was a terrible idea, as did poor old Alok Sharma (remember him?), a member of the self-same government – perhaps because it fell to him to defend this lunacy to a sceptical world, while hosting the COP 26 climate change summit in Glasgow in 2021.

The decision was, inevitably, challenged in court, and one of the judicial review claimants sought disclosure of the ministerial submission – a briefing from civil servants to Secretary of State prior to the approval decision. Disclosure was refused in the litigation – an important part of the context in this EIR case, about a request for the same information.

The FTT has now granted the appeal against the Commissioner’s decision that the submission could be withheld under reg. 12(4)(e) EIR (Amin v IC [2025] UKFTT 221 (GRC)).

Continue reading

11KBW Information, Technology and Media Law Conference 2025

Posted on | by lawrence

Bookings are now open for our Information, Technology and Media Law Conference 2025 on Thursday 13 March 2025. Our conference will be covering the new and exciting developments across information, technology and media Law. 11KBW speakers are expected to include Tim Pitt-Payne KCAnya Proops KCAndrew Sharland KCChristopher KnightRobin HopkinsJamie Susskind, Hannah Ready and Ruth Kennedy, amongst others. We are also thrilled to announce that Ofcom will also be participating in this year’s conference, with Jon Higham (Director of Online Safety Policy at Ofcom) and Rob Haywood (formerly of Twitch, now Principal, Online Safety Policy at Ofcom) coming along to speak about the evolving landscape for regulating intermediaries under the Online Safety Act and the practical challenges and opportunities surrounding online content moderation.

The conference will be covering the following topics:

Morning Session – Focus on the technology sector

  • AI Regulation: what next for UK government policy?
  • Online Safety – the view from the regulatory bridge: in conversation with Ofcom’s Jon Higham and Rob Haywood

Afternoon Session – Data, Privacy & Media Law: General

  • Media & privacy update
  • Data privacy class actions: the dog that keeps barking
  • Key developments in the law of data protection

Beyond the content offered through the above sessions, the conference offers a great opportunity for all ITM lawyers and practitioners to network with one another, both during the coffee breaks and lunch-break and also at our post-conference champagne tea. We look forward to seeing you there.

Full Conference Details:

Date: Thursday 13 March 2025

Time: 9am-3.30pm followed by a champagne tea

Venue: The IET, 2 Savoy Place, London, WC2R 0BL

Cost: £125+VAT per session. (£250+VAT for the whole day)

 Bookings: To book your place on this year’s conference please email your name, firm and which session/s you would like to attend with any purchase order information to RSVP@11kbw.com.

Please note we do not take payment via card. You will be sent an invoice for payment via BACS.

Special requirements

If you have any special requirements please let us know at the time of booking.

Cancellations
A refund can be made up to 14 days before the conference. A substitute delegate will be accepted any time before the conference.

Additional Requirements
If you have any additional requirements e.g. wheelchair access, large print documentation or an induction loop, or if you have any particular dietary requirements please let us know.

Important Note
11KBW reserve the right at any time and without prior notice to change the venue, speakers or programme. We also reserve the right in our absolute discretion and without further liability to cancel the conference, in which event full refunds will be made.

Important judgment on subject access rights and the scope of personal data

Posted on | by charlotte

Following a 2-day Part 8 trial, Heather Williams J has handed down a lengthy and important judgment concerning the application of the concept of “personal data”, the extent of searches required by Article 15 UK GDPR, the provision of contextual information and the proper approach to the application of the “tax exemption” under paragraph 2 of schedule 2 to the DPA 2018.

Michael Ashley v Commissioners for His Majesty’s Revenue and Customs [2025] EWHC 134 (KB) concerned a claim brought by the well-known British businessman, Mike Ashley, against HMRC for breach of his subject access rights under the UK GDPR. Mr Ashley made a subject access request (“SAR”) in the context of a (then) ongoing tax dispute. HMRC initially maintained that all of Mr Ashley’s personal data were exempt and therefore not disclosable. When it did subsequently provide Mr Ashley with some data, Mr Ashley contended that its response was incomplete and inadequate. He argued that HMRC failed: properly to construe his SAR; to conduct adequate searches when responding to it; properly to apply the concept of personal data and the tax exemption; and to provide him with copies of his personal data in a sufficiently contextualised manner so as to render them intelligible.

Heather Williams J found in Mr Ashley’s favour on each of those points, albeit rejecting his wider argument that all data relating to HMRC’s assessment of his tax liability in respect of the tax enquiry amounted to his personal data. Her judgment contains useful guidance for practitioners dealing with SARs at every stage of the process from construing a SAR when first made, to providing copies of the personal data in a manner that is intelligible and transparent for the data subject. More widely, the judgment contains important guidance as to how the foundational concept of “personal data” is to be construed and applied in practice.

The judgment is here.

Anya Proops KC and Zac Sammour acted for Mr Ashley. James Cornwell acted for HMRC.

Prismall in the Court of Appeal: social media makes justice difficult

Posted on | by Robin Hopkins

Multi-party claims for misuse of data: how do you take them forward? GLOs yes, though they are often seen as too unwieldy. Straightforward multi-claimant litigation using ‘omnibus’ claim forms is fine, but doesn’t get litigation funders the maximum volumes they seek. Representative actions under CPR 19.8 are the ideal vehicle in that sense, but Lloyd v Google effectively killed them as regards data protection claims (no loss of control damages; individualised assessment needed). Can misuse of private information claims (loss of control damages available; individualised assessment perhaps not needed) fare better? The Prismall action was the leading post-Lloyd candidate on this front, but it has suffered another death this Advent. Continue reading