DSARs: LESSONS LEARNED FROM ASHLEY V HMRC
The right to access data has barely been tested in UK law since the implementation of the GDPR. Not all data subjects have the means or motivation to enforce their right of access in the courts. That changed when Sports Direct founder Mike Ashley found himself in a tax dispute with HMRC worth £13.6m.
Ashley submitted a data subject access request (DSAR) to HMRC seeking all personal data held in relation to a tax enquiry. HMRC’s response was limited and inconsistent, relying heavily on exemptions and internal boundaries without real grounds. Ashley challenged the response, and the court found in his favour on most grounds, providing a much-needed precedent on data access rights.
So what are the key lessons?
1. Scope of the search: go wide, not narrow.
HMRC only searched one department, arguing internal boundaries. The court disagreed, stating that searches must be “holistic across the business.”
Action point: DSAR searches must span all relevant departments and systems. Internal silos or policies do not justify limiting the scope. This may even extend across group companies if services are shared.
2. Personal data: it’s broader than you think.
The court ruled that HMRC applied an unduly narrow definition of personal data. Information becomes personal if it relates to an individual by content, purpose or effect.
Action point: Consider whether data impacts the individual or is used to evaluate them—even if it doesn’t name them. For example, property valuations used to assess tax liability were deemed personal data.
3. Consistency and transparency are key.
HMRC’s inconsistent approach across departments was criticised. The court also emphasised the need to be transparent with the individual and to keep a log of key decisions.
Action point: Develop a clear DSAR strategy and apply it consistently. Keep an audit trail of decisions and explain your search methodology to the individual.
4. Reasonable and proportionate: rethink what this means.
HMRC argued that wider searches were disproportionate due to time spent (150 hours). The court disagreed, stating that time alone doesn’t justify limiting a search.
Action point: “Reasonable and proportionate” must consider your organisation’s size and resources, not just time. Avoid blanket refusals based on workload.
5. Exemptions: use them carefully and with evidence.
HMRC relied on the tax exemption without showing how disclosure would cause prejudice. The court clarified that “likely prejudice” requires a “very significant and weighty chance,” backed by evidence.
Action point: Apply exemptions granularly to specific data items. If the exemption you are relying on requires “likely prejudice,” you must show how disclosure would cause harm, not just speculate.
6. Intelligibility: make the data make sense.
HMRC provided redacted extracts with only names visible. The court said this failed the UK GDPR requirement for data to be “concise, transparent and intelligible.”
Action point: Ensure disclosures are understandable. Provide contextual information where needed to help the individual assess the lawfulness of processing.
Our view:
This case reinforces that DSARs are not just administrative tasks. They are legal rights with real consequences. HR and legal teams must treat them seriously, with robust systems and clear processes. As DSARs become more common in employment disputes, proactive compliance is essential.
Need support?
We offer tailored DSAR support, from ad hoc advice to full-service response management. Get in touch to discuss how we can help streamline your DSAR processes.