Ashley v HMRC – The High Court clarifies the scope of Data Subject Access Requests

Data Subject Access Requests (DSARs) are very rarely the subject of litigation, rarer still in the High Court, so the case of Ashley v The Commissioners for His Majesty’s Revenue and Customs [2025] EWHC 134 (KB) is a valuable decision for both data subjects and data controllers. The case has attracted attention for this reason, but also because of the high profile of the Claimant, Mike Ashley. The focus of the outcome is the scope of a DSAR: what information a data controller is required to share, and what it can withhold.

The claim arose from a historic tax dispute relating to the sales of a number of properties which were sold to special purpose vehicles within the Sports Direct group. These transactions led to an enquiry and HMRC issuing a Closure Notice to Mr Ashley in October 2016, giving rise to a tax liability of ~£13.6 million. The Notice was subsequently withdrawn in November 2022 once he appealed and then entered into discussions with HMRC. However, throughout this process, HMRC inevitably processed Mr Ashley’s personal data.

Before the Closure Notice was withdrawn, Mr Ashley submitted a DSAR to HMRC on 13 September 2022, requesting all of the information it held in relation to him. HMRC initially denied this on the basis that the information was privileged. Mr Ashley issued proceedings and eventually HMRC disclosed a quantity of data and accepted that it had breached its obligations under Article 15(3) of the UK GDPR (which requires data controllers to provide subjects with copies of their personal data).

However, Mr Ashley believed that more data should be disclosed, disputing the definition of his personal data used by HMRC, the general scope of the DSAR, and the extent of the search they were required to make.

Outcome and lessons learned

Personal Data

Under the UK GDPR, personal data is defined as “any information relating to an identified or identifiable natural person”. In this case, the Court found that the definition of personal data is broad, within certain limits. HMRC’s enquiry into the property transactions involved commissioning valuations of Mr Ashley/Sports Direct’s properties and a number of comparator properties. The dispute over the definition focused on whether the comparator valuations were Mr Ashley’s “personal data” for the purposes of Article 4(1) of the UK GDPR. Mr Ashley argued that everything within the scope of the enquiry was his personal data, whereas HMRC argued for a more limited definition.

The Court’s decision on the valuations is a useful guide for other contexts: the valuations of Mr Ashley’s properties should be regarded as his personal data because they were, by reason of their content, purpose or effect, linked to Mr Ashley. In contrast, the valuations of the comparator properties were not, even though they were under the umbrella of the enquiry into his tax.

The scope of the DSAR

HMRC had limited its search to one division, the Wealthy and Mid-Size Business Compliance department (WMBC), which had managed the enquiry. However, the WMBC had made use of the Valuation Office Agency (VOA), a separate executive agency within HMRC. HMRC took the view that the data held by the VOA was not within the scope of this DSAR.

The Court found that this was the wrong approach to take and that in practice the VOA was within HMRC’s control to such an extent that the DSAR response should include the data held by the VOA, even though it was addressed to HMRC. Other data controllers should be careful to not artificially limit the scope of DSARs in this way.

Harry Berryman

Solicitor

The extent of the search

Following on from the question of the scope was the question of whether HMRC was required to conduct searches across all of its departments, beyond the WMBC, including the VOA.  The Court decided that HMRC had not properly established that it was disproportionate to extend the search to these other departments.

HMRC had argued that to do so would be difficult from a practical perspective, due in part to different data management processes between the VOA and the remainder of HMRC. The Court found that this was not a sufficient reason to limit the search. Data controllers are expected to know their obligations and to design their systems in response to that, which is certainly a point for other data controllers to bear in mind. Although DSARs can be cumbersome to manage due to the potentially large volume of personal data involved, this case highlights the importance of not cutting corners when undertaking searches. It demonstrates that such searches may not be limited to one department or one subsidiary business, and may require searches across the wider business if various departments or businesses have processed a data subject’s personal data.

Providing intelligible data

Mr Ashley also disputed whether HMRC had complied with its obligation to provide the data in a concise, transparent and intelligible manner. HMRC had, in places, provided documents which were almost entirely redacted save for Mr Ashley’s name or initials. The Court did not decide on every single document in question, as it had already concluded that HMRC would need to reconsider the DSAR, but it provided guidance that documents which only revealed the data completely removed from any context were unlikely to comply with this obligation.

Data controllers should, in order to comply with the UK GDPR, provide as much contextual information as is necessary for that personal data to be intelligible to the data subject. This is still an issue which is context-specific and will need careful attention if a data controller wishes to redact significant sections of a DSAR response.

If you need support with a DSAR or designing a data management system which will aid compliance with the UK GDPR, please do not hesitate to contact our Data Protection lawyers who would be happy to help.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
