Recent case on subject access requests highlights issues for organisations to consider

The High Court recently heard a case brought by businessman Mike Ashley who successfully argued that HMRC had breached his subject access rights under the UK General Data Protection Regulation (UK GDPR).

Mr Ashley had requested “a copy of any and all data held in relation to HMRC’s enquiry” into his 2011/2012 tax return that pertained to him. As well as dealing with a tax-specific data protection issue, the court also considered several more generally applicable points which organisations should have in mind when dealing with subject access requests (SARs).

The definition of “personal data”

“Personal data” is defined in the UK GDPR as “…any information relating to an identified or identifiable natural person.”

The key issue in this case was the scope and meaning of “relating to”.

Mr Ashley argued that all the data held by HMRC in relation to its tax enquiry (including the material from the investigation and assessment process that was not exempted from disclosure) was his “personal data” because of the nature and potential effect on him of that exercise.

The court disagreed and said that data is “personal data” where the information by reason of its content, purpose or effect is linked to a particular person. The court went on to say that the “content”, “purpose” and “effect” of the information are alternative ways in which the information could be linked to an individual, but in many situations there could be an overlap and the position would be strengthened where a link existed in more than one sense.

The Information Commissioner’s Office website has helpful guidance on the meaning of “relating to” which the judge referred to in this case.

However, deciding what data “relates to” an individual can be a minefield, and organisations need to take care to ensure that they are interpreting this concept correctly so that they comply with their data protection obligations.

What constitutes “reasonable and proportionate searches” for personal data

An organisation is not obliged to provide an individual with a copy of their personal data where to do so would involve “disproportionate effort”. The court said that this was not limited to a consideration of the time spent in searching documentation for the individual’s personal data but might also include difficulties experienced in the process of dealing with the SAR, such as applying exemptions or redacting data. The question was an objective one judged by reference to the facts of each case. However, if a data controller made a cogent and reasoned assessment that a particular search was disproportionate, then this was likely to support the argument that taking the additional steps would have been unreasonable.

As the onus is on the data controller to show that supplying a copy of an individual’s personal data would involve disproportionate effort, if any such assessment is made, then we would recommend that this is recorded in writing in case an organisation needs to refer to its decision-making process at a later date.

A data controller’s duty to provide context for personal data

An individual is entitled to receive their personal data in a concise, transparent and intelligible manner. Where intelligibility requires it, a data controller is obliged to go beyond providing just a copy of an individual’s personal data where contextual information is necessary for that personal data to be intelligible so that an individual can exercise their data protection rights effectively. In this case, the court gave guidance that “… it is unlikely that providing an extract that simply comprises the Claimant’s name or his initials or other entirely decontextualised personal data of that sort, will amount to compliance with this obligation (unless there is a proper basis, such as the application of a prescribed exemption or overriding third party rights, for withholding the additional data).”

This means that organisations may need to disclose a document or parts of a document as part of their response to a SAR if this is necessary to give meaning or context to the requester’s personal data and there are no exemptions that apply to the additional data.

If you have not received this article directly but would like to receive articles and data protection news alerts from Trethowans, please contact [email protected].

Disclaimer

This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.
