Pushing the boundaries of subject access requests

Subject access requests (SARs) are, for individuals, a cost-effective means of ensuring that their personal data is being processed fairly and lawfully, and of recovering information which may also be used in other ways, particularly in litigation and employment law claims.

For organisations processing data, subject access requests can be a time-consuming and expensive process that often has to be addressed while still undertaking “the day job”.

The decision of the English High Court in Ashley v HMRC [2025] EWHC 134, issued earlier this year, only reinforces those perceptions and is likely to benefit data subjects making requests and increase the burden on controllers responding to those requests.

The SAR in question was made by Mike Ashley, CEO of Sports Direct, in the context of an investigation carried out by HMRC.

Dissatisfied with HMRC’s response to his SAR, Mr Ashley raised proceedings for orders from the court to force HMRC to comply with his request. The case considered a number of different issues including one of the most fundamental which arises when dealing with SARs – what is personal data?

UK GDPR clearly states that “personal data” must both identify and relate to an individual. So far, so good, but what about information which is processed in the context of a wider exercise (such as an investigation) where the information itself may not relate to the data subject, but it has been processed in relation to an investigation of the data subject?

The information in this case concerned the value of several properties, some of which were owned by Mr Ashley and some of which were used for comparison. The court held that information which had been used by HMRC (the comparators) to calculate the value of the properties owned by Mr Ashley was not, of itself, personal data (albeit closely related to the personal data). However, the court went on to say that the information in relation to those properties owned by Mr Ashley was likely to constitute personal data.

Data controllers will, no doubt, be pleased to hear that information which is ancillary to the processing carried out is not personal data, but the treatment of information such as the value of properties owned by data subjects as personal data is a decisive shift towards expanding the concept of personal data. Information of this nature has often been seen as a grey area, and whether it would constitute personal data largely turned on the facts of the case and the degree to which it actually reveals information about the data subject. It seems, however, that the door is open to widening the scope of personal data in this direction.

Another issue considered by the court was the detail which has to be given surrounding the personal data held. UK GDPR provides that data subjects must be provided with a copy of the personal data undergoing processing. As such, data subjects will often receive a copy of a document containing their personal data which has all other information redacted. The practical effect is often that data subjects will receive a document with only their name or other very scant details floating in an otherwise blank sheet.

Generally speaking, the controller is not under any duty to explain how or why the data came to be recorded other than complying with its general duty of lawful, fair and transparent processing. However, the obligation to provide only a “copy” is caveated by article 12 of the UK GDPR, which provides that data must be provided in a “concise, transparent, intelligible and easily accessible form”.

The court considered whether highly redacted data would, in fact, be intelligible or whether some context for the data also had to be provided. The court ruled that a data subject is entitled to be aware of and verify the lawfulness of processing and the controller must provide data in a way which gives effect to that right. Highly redacted data was therefore unlikely to give effect to that right.

The provision of any context for the data will need to be considered on a case-by-case basis, but this requirement will undoubtedly place an additional burden on controllers and, in a world where organisations are consistently being asked to do more with fewer resources, this could prove problematic.

BTO’s IP, Tech & Data Team is here to help with any assistance required.
