03/02/2025

The High Court recently handed down its decision in Ashley v HMRC, which looked at whether HMRC had complied with a subject access request (DSAR) within the requirements of the UK GDPR.

Whilst cases like this are inevitably fact-specific, the case does draw out some useful reminders for those who are responsible for dealing with these requests.

My four key takeaways from the judgment are:

  • Reasonable searches will include all locations where personal data could be held – even if that means searching different departments within an organisation.  A global approach to information held by the data controller as a whole should be taken when first looking for information that falls within scope.
  • Deciding what is and is not personal data is difficult!  If you have made a decision or formed a conclusion about an individual, then information relating to the process by which you reached the decision or conclusion should be considered, but it does not automatically follow that all of the information will be personal data.  What is or is not personal data will be context-specific, document-specific and may vary even with similar situations.
  • If you are relying on an exemption which requires prejudice, you must be able to show, evidence or demonstrate how the information would cause the prejudice that you are claiming.  On the facts of this case, HMRC were not able to show a clear link between a harm to their purposes in relation to the collection of tax, and the information that was withheld.  It may help to go through a three-stage test that those subject to Freedom of Information legislation will be all too familiar with:
    • What is the prejudice or harm that you say would be caused?
    • How would the information, if provided to the individual, cause that harm – what is the link between the information being in the individual’s possession and the potential harm?
    • How likely is it that the harm would occur?
  • The information that you supply to the individual must be intelligible.  This may mean that you provide documents containing the personal data, or additional context for clarity.  Although not relevant to the facts in this case, this is something to consider when looking at mixed personal data – if you remove third party identifiers, does what is left make sense?  If not, then consider whether you can provide some context to make it intelligible, or consider whether all of the information is exempt.

For those interested in the facts, read the full High Court Judgment Template.  In summary, Mr Ashley had asked for his personal data relating to a decision about valuation of properties for tax purposes.

The information was held by two departments within HMRC – one of which was the VAO, which had its own DSAR procedure.  HMRC do not, surprisingly, have a central DSAR team, and historically, the VAO had been treated completely separately.  The Judge in the case found, however, that as HMRC was the overarching data controller of both, and personal data relevant to the DSAR would likely be found in both departments, both should have been considered as part of the original request.

The most interesting discussion (for me at least) was around the definition of personal data.  In this case, it focused on whether the way in which a decision was reached was automatically personal data, because the decision related to the tax owed by an individual.  The amount of tax owed by an individual is personal data, but it did not follow that all of the information related to the decision would also be personal data.  The Judge made it clear that all of the information should be considered, but it is possible that some of it would not be personal data.  Examples included information about other properties which assisted in the valuation of the properties owned by the data subject, and information about HMRC internal processes.  This confirms what we already know – that whether or not something is personal data depends very much on the context, and it is not always an easy task to identify when something is or is not personal data.

In conclusion

Carrying out a reasonable search is key to starting a DSAR process, and understanding what that looks like should be an important first step when a DSAR is received.  What is reasonable will depend upon what you have been asked, and the context of the request, but identifying where information is most likely to be held will be key.

Once you have identified where the information might be held, identifying documents which contain personal data will be the next step, followed by considering what information constitutes disclosable personal data, and how that information should be presented so that the individual can understand it.

Finally, keeping a record of your decisions and reasons for those decisions will be vital in the case of any complaint.

If you have any questions about the judgment, or would like to discuss how we can help with any aspect of information law compliance, please contact Vicki Bowles, head of Information Law and Privacy on vicki.bowles@bevanbrittan.com or 07386 660329.

 
