Michael Ashley v The Commissioners for HMRC

Mr Ashley claims that the Defendant has breached his subject access rights under Article 15 of the UK GDPR. The claim arises from a subject access request which he made through his solicitors on 13 September 2022 (the “SAR”). By the SAR, he sought access to his personal data processed by HMRC in connection with its enquiry into his tax return for the 2011/12 tax year (the “Enquiry”). The Enquiry was conducted by the Defendant’s Wealthy and Mid-Size Business Compliance department (“the WMBC”).

The parties agreed that the claim could be brought under the CPR Part 8 procedure as the material facts were not in dispute.

Following the issue of proceedings, the Defendant provided the Claimant with a schedule of his personal data extracted from 118 documents on 15 February 2024 (“Schedule 1”). A second schedule containing additional personal data extracted from 180 documents was provided on 28 February 2024 (“Schedule 2”). On 2 July 2024, the Defendant provided a further version of Schedule 2 containing additional personal data from 19 documents (“Schedule 3”). On 15 October 2024, the Defendant provided a schedule of additional personal data extracted from a further 15 documents (“Schedule 4”). Schedules 1 – 4 related to data processed by the WMBC. On 15 October 2024, the Defendant also provided a schedule of personal data extracted from 311 documents held by the Valuation Office Agency (the “VOA”), an executive agency within HMRC.

In general terms, when a subject access request is made, Article 15(3) of the UK GDPR requires a data controller to provide a data subject with a copy of their personal data undergoing processing. HMRC now accepts that it breached its obligations under Article 15(3) in its handling of the SAR by reason of its failure between 5 December 2022 and 2 July 2024 to provide Mr Ashley with copies of his personal data. In particular, it accepts that the personal data that was disclosed by Schedules 1 – 3 ought to have been disclosed by 5 December 2022. HMRC also accepts that it acted unlawfully by failing to disclose the information required by Article 15(1)(a)-(f) as to its data processing until its letter of 14 March 2024 (the “14 March letter”).

However, a number of matters remain in dispute between the parties, including the scope of the SAR, the extent of the search that the Defendant was required to undertake and whether copies of all of Mr Ashley’s personal data that it processed have been provided to him. The latter dispute involves the Court considering the meaning of “personal data”, as defined in Article 4(1) of the UK GDPR. Mr Cornwell maintains that the Defendant’s obligation to provide copies of Mr Ashley’s personal data was satisfied by the provision of Schedules 1 – 4, with Schedule 5 being disclosed on a gratuitous basis; whereas Ms Proops KC submits that Mr Ashley’s personal data extends to the Enquiry’s assessment of his tax liability, so that (subject to any applicable exemptions) HMRC is obliged to provide full copies of the investigation and assessment documentation that it holds.

The parties prepared a helpful List of Common Ground and Issues (the “List of Issues”). During the hearing it underwent some amendment. By the time that submissions concluded, the agreed issues for the Court to resolve were as follows:

“Issue 1 – Was the SAR limited to the Claimant’s personal data pertaining to the Enquiry as processed within the WMBC, or did it also include such data where it was being processed more widely by HMRC, including by the VOA?

Issue 2 - Application of Article 4(1) UK GDPR: Does data that relates to the Defendant’s assessment of the Claimant’s tax liability in the context of the Enquiry amount to the Claimant’s ‘personal data’, as defined in Article 4(1) UK GDPR? If not, in what circumstances does that data amount to the Claimant’s personal data?

Issue 3 - Reasonable and proportionate searches: Was HMRC obliged to search for the Claimant’s personal data pertaining to the Enquiry as processed by the VOA?

Issue 4 - Provision of copies of the Claimant’s personal data under Article 15(3) UK GDPR:

Issue 4(a) - Having breached its obligation under Article 15(3) UK GDPR in its handling of the SAR between the period 5 December 2022 and 2 July 2024 by failing to provide the Claimant with copies of his personal data during that period, did the Defendant remain in breach of those obligations after 2 July 2024 (in particular after it had provided the Claimant with Schedule 2 on 28 February 2024), whether as a result of:

(i)

its having applied the concept of ‘personal data’ provided for in Article 4(1) unduly narrowly (as addressed in Issue 2 above) and/or

(ii)

its having failed to conduct reasonable and proportionate searches to identify the personal data of the Claimant falling within the scope of the SAR (as addressed in Issue 3 above); and/or

(iii)

its having wrongfully treated the Claimant’s personal data (as comprised within documents 5 and 115 of Schedule 1) as falling within the scope of the First Tax Exemption. In particular, would disclosure of that data to the Claimant under Article 15 UK GDPR both:

1.

‘provide an insight into HMRC’s position with regard to settlement of the tax due at the time’ (as claimed by the Defendant) and

2.

as a result, amount to a disclosure likely to prejudice the assessment or collection of a tax or duty or an imposition of a similar nature?

Issue 4(b) - Is the Defendant in breach of its obligations under Article 15(3) UK GDPR (read with Article 12(1)) by failing to provide the Claimant with his personal data in Schedules 1-4 in a concise, transparent and intelligible manner?”

It was agreed that Issue 3 only arose if I decided Issue 1 in the Claimant’s favour.

The reference in Issue 4(a)(iii) to the “First Tax Exemption” was the parties’ shorthand (which I will also use) for the Defendant’s reliance upon para 2 of Schedule 2 to the Data Protection Act 2018 (“DPA 2018”) in respect of a small passage of text appearing in two of the Schedule 1 documents. The parties were agreed that a closed procedure was required for the Court to be able to decide this issue. Accordingly, the two documents were made available to the Court (along with a further document that Mr Ashley had asked to be included), but not to the Claimant. After both parties had made open submissions on the applicable legal principles and the context, I heard brief submissions from Mr Cornwell in a closed session. These submissions lasted less than 10 minutes and in so far as counsel had raised matters that could properly be raised publicly, I relayed them once the hearing in open Court had resumed. No evidence was given in the closed session. In the circumstances, I was satisfied that this short, closed session was necessary for me to decide whether the Defendant was right to rely on the First Tax Exemption and that it was a proportionate interference with the fundamental principle of open justice. As will be apparent when I come to address it, having seen the documents, I am able to address Issue 4(a)(iii) in this open judgment (and, for the avoidance of doubt, there is no separate closed judgment).

Until the second day of the hearing, the list also included an Issue 5. By the start of the hearing this was focused upon whether the Defendant was required to identify the recipients of Mr Ashley’s personal data at an individual level (rather than simply by category), where it had been disclosed to individuals external to HMRC. However, upon Mr Cornwell confirming that Mr Ashley’s personal data had not been disclosed outside of HMRC, it was agreed that this issue fell away. The original List of Issues also contained Issues 6 and 7 relating to remedies (the terms of declaratory relief and whether the Court should make a compliance order under section 167 of the DPA 2018). However, I indicated at the outset of the hearing that I would consider remedies and other consequential matters after I had handed down judgment on the issues relating to liability. Both parties were content with this course.

A further potential issue was footnoted by the Claimant to Issue 3. This concerns whether HMRC’s search for the personal data of Mr Ashley that it processed should have extended to individual email accounts of HMRC employees working in the WMBC, including in particular Mr Garside who was responsible for the Enquiry from July 2022. Mr Garside subsequently left HMRC and it is understood that his email account has been deleted. The Defendant’s position is that searches of individual email accounts were unnecessary as employees would have stored all of the documentation, including emails, on the WMBC folder (described at paras 35 and 36 below). Ms Proops preferred to reserve Mr Ashley’s rights in respect of this, as his current concerns may be allayed by further personal data disclosed as a result of this Court’s determination of the current issues. Mr Cornwell did not object to this course.

The Claimant relied upon witness statements from: (i) himself dated 11 January 2024 (“Ashley 1”); (ii) Rupert Cowper-Coles, a partner at Reynolds Porter Chamberlain LLP (“RPC”), the Claimant’s solicitors, dated 12 January 2024 (“Cowper-Coles 1”); and (iii) Robert Waterson, dated 5 April 2024, also a partner at RPC at the time of his statement (“Waterson 1”). The Defendant relied upon: (i) two statements from Alexander Kempell, a Customer Compliance Manager at HMRC, dated 28 February 2024 and 15 October 2024 (“Kempell 1” and “Kempell 2”); (ii) a statement from Nishat Choudhury, a lawyer at HMRC, dated 3 July 2024 (“Choudhury 1”); (iii) a statement from Rebecca Pitt, employed within the Land Portfolio Valuation Unit (“LPVU”) of the VOA’s District Valuer Services, dated 3 October 2024 (“Pitt 1”); and (iv) a statement from Alison Jayne Fox, employed within the Information Rights and Ministerial Correspondence Team at the VOA, dated 1 October 2024 (“Fox 1”).

The structure of this judgment is as follows:

I will begin by reproducing the parties’ account of their common ground as set out in the List of Issues (omitting passages that I have already covered in my Introduction). I will then summarise additional uncontentious material from the witness statements.

When counsel sought to address me orally on disputed factual issues relating to the quality of the Enquiry and the conclusions that it arrived at, I made clear that I would not be addressing those matters in this judgment. As the parties had agreed to adopt the Part 8 procedure and no live evidence had been called, I am not in a position to form a view on such matters and do not do so. Moreover, I do not need to do so in order to determine the issues that are properly before the Court at this stage. However, to give a brief flavour, the Claimant says that he exercised his right of subject access “in the hope that this would enable me to get to the bottom of how it had come about that HMRC had, over a period of years, made such clearly wrong and unfair decisions concerning my tax liabilities” (para 1, Ashley 1); whereas, Mr Kempell does not accept any error or wrongdoing on the part of HMRC.

The Claimant is an individual and a data subject within the meaning of Article 4 of the UK GDPR.

Between February 2014 and October 2016, the Defendant undertook the Enquiry into the Claimant’s tax return for the year ending on 5 April 2012. In October 2016, the Defendant issued a closure notice under s.28A of the Taxes Management Act 1970 (the “Closure Notice”)in which it concluded that the properties had been sold by the Claimant at an overvalue, meaning he had obtained a taxable benefit, giving rise to a tax liability of c.£13.6 million.. On 23 November 2016, the Claimant appealed against the Closure Notice. On 8 December 2016, the appeal against the Closure Notice was acknowledged and the tax due was postponed. The parties then entered into discussion, and the Closure Notice was withdrawn on 21 October 2022 (the “Notice Withdrawal”).

In the course of the Enquiry and the subsequent dispute between the parties regarding the Closure Notice, the Defendant processed the Claimant’s personal data. Following the Notice Withdrawal, the Defendant continued to process the Claimant’s personal data. The Defendant is a data controller, within the meaning of Article 4 of the UK GDPR, in respect of such personal data.

On 13 September 2022, the Claimant (acting through his solicitors) made the SAR under Article 15 of the UK GDPR in the following terms:

“Please take this email as notification of a Subject Access Request on behalf of our client pursuant to Article 15 of the UK General Data Protection Regulation. Please provide a copy of all information held in relation to our client since the inception of HMRC's enquiry into our client's 2011/12 SATR, to date. For the avoidance of doubt, we require a copy of any and all data held in relation to HMRC's enquiry that pertains to our client.” (Emphasis in original.)

The Defendant provided its substantive response to that request on 5 December 2022. It refused to disclose any copies of any of the Claimant’s personal data that it held, save that it offered to provide the Claimant with copies of inter-partes correspondence between his representatives and the Defendant (the “First SAR Decision”). With respect to the personal data it had withheld, the Defendant claimed that it was lawfully entitled to withhold those data on an application of the exemptions provided for in paras 2 and 3 of Schedule 2 to the DPA 2018.

The Defendant conducted an independent review into the First SAR Decision (the “Review”). The Defendant informed the Claimant of the result of the Review on 12 January 2023. The Review maintained the First SAR Decision, and explained that no further information could be provided to the Claimant pursuant to his SAR. The Defendant also relied, at that stage, on exemptions provided pursuant to paragraph 19 of Schedule 2 to the DPA 2018 in respect of legal professional privilege in relation to a “handful of documents” (the “LPP Exemption”).

In response to a letter before claim from the Claimant dated 17 February 2023, the Defendant maintained the position in its pre-action response letter dated 13 April 2023. The Claimant again wrote to the Defendant on 15 November 2023 intimating an intention to commence proceedings to which the Defendant responded on 27 November 2023 expressing an intention to respond by 22 December 2023. On 22 December 2023 the Defendant wrote again stating, inter alia, that it was not yet in a position to provide a full response, but it had revised its position and was further reviewing the information that it held to identify non-exempt personal data that could be disclosed and would provide another update to the Claimant “early in the New Year” as to the anticipated timescale. The Claimant issued the present claim on 12 January 2024.

The Defendant asserted in respect of Schedules 1 and 2 that it is entitled to withhold personal data in 53 documents under the LPP Exemption, and in two documents under the First Tax Exemption. The Claimant does not take issue with the withholding of his data pursuant to the LPP Exemption.

On 14 March 2024, the Defendant wrote to the Claimant stating, inter alia that the purpose of its processing of the Claimant’s personal data was to “comply with a legal obligation and [as] necessary for the performance of a task carried out in the public interest or in the exercise of [its] official authority as a government department”, and that it was now also processing his personal data in connection with the legal proceedings that he had initiated. The letter also provided certain information as to the categories of recipients of the Claimant’s personal data.

On 2 July 2024, the Defendant wrote to the Claimant stating, inter alia, that one of the schedules provided on 28 February 2024 was “missing a number of entries”, providing Schedule 3 and profusely apologising for the error.

On 15 October 2024, the Defendant served supplemental evidence on the Claimant, in the form of Kempell 2, Pitt 1 and Fox 1. Through this evidence, the Defendant:

On 20 April 2012, a number of Special Purpose Vehicle companies (the “SPVs”), which were owned by Sports Direct International Plc (“SDI”), purchased 32 properties owned by Mr Ashley. Ashley 1 explains that although the Claimant founded the Sports Direct business, he was not involved in any SDI Board discussions on these transactions.

On 23 April 2013, HMRC received the Claimant’s Self Assessment for the tax year ending on 5 April 2012. This return reported that he had disposed of the 32 properties on 6 September 2011. In February 2014 HMRC opened an enquiry into Mr Ashley’s return for this year under section 9A of the Taxes Management Act 1970.

Following investigation, HMRC asserted that the amount which SDI had paid for the properties (£86.8 million) was an overvalue, as they were collectively worth only £60 million and that, accordingly, a benefit had been conferred on the Claimant under sections 201 – 203 of the Income Tax (Earnings and Pensions) Act 2003. As part of its investigation, HMRC instructed the VOA to provide independent valuations of the properties. Ms Pitt explains that individual valuations were prepared on each of the 32 properties and that after she had reviewed and collated the valuations to arrive at a total value for the portfolio, negotiations took place to see if these could be agreed with Mr Ashley. Grant Thornton (his then accountants) were provided with a summary of each of the valuations. Subsequently, additional details were provided in relation to seven of the properties. As agreement could not be reached, in August 2016, the VOA provided the WMBC with a “Defendable on Appeal” report which concluded that the appropriate valuation of the properties was £60 million. Ms Pitt says that this report is a confidential document provided for HMRC’s internal use only, to assist HMRC in considering whether to pursue a valuation to litigation. Ms Pitt subsequently provided Grant Thornton with a table setting out all the figures that had been used in the valuations and an explanation of the methodology that the VOA had employed to value the properties occupied by SDI and those let to third-party tenants.

Upon receipt of the report from the VOA, HMRC issued the Closure Notice that I have referred to at para 16 above. The Claimant disputed the Closure Notice on the basis that the properties were purchased for a fair price in an arm’s length transaction. Between November 2016 and April 2022, the Claimant’s solicitors (who wereDentons and then subsequently RPC), were in discussions with various individuals at HMRC and a number of meetings took place.

In April 2022 Mr Ashley was offered the opportunity to have the matter reviewed by a HMRC officer not previously involved in the case. This was accepted and Robert Martindale, a HMRC Customer Compliance Officer, undertook the review. Mr Garside took over from him in July 2022 upon Mr Martindale’s retirement. Both of these officers were line managed by Martyn Pattinson.

Ashley 1 says that on 29 June 2022 the Claimant’s solicitors met with Mr Martindale, who said that HMRC accepted that the basis of the Closure Notice was incorrect and that the matter could be closed via the issue of a further notice. Kempell 1 explains this view was arrived at because Mr Martindale accepted RPC’s contention that as Mr Ashley was not an employee of the SPVs which had acquired the properties, no tax charge could arise. However, after Mr Garside took over, he indicated that the matter could not be formally closed until HMRC’s Dispute Resolution Board had met (in October 2022) to confirm Mr Martindale’s conclusion. Kempell 1 explains that Mr Garside then came to the view that a third-party benefit still applied, given Mr Ashley’s ultimate employment with SDI Property Ltd, the parent company of the SPVs. This was communicated to RPC during a phone call on 9 September 2022, where Mr Garside stated that HMRC would be maintaining their position that the properties were sold at an overvalue. The SAR was made a few days later.

On 20 September 2022, RPC submitted a further ground of appeal, indicating that although the sale of the properties had begun during the year ending on 5 April 2012, the purchases were not completed until 20 April 2012. Accordingly, the relevant year of assessment was the tax year ending on 5 April 2013. Kempell 1 says that HMRC did not have an open enquiry into this later year and were out of time to raise an assessment in respect of it and this was what led to the Notice Withdrawal.

The SAR was contained in an email sent by Mr Waterson on 13 September 2022 to Mr Pattinson, copying in Mr Garside. The majority of the email took issue with the changed position that Mr Garside had communicated during the 9 September 2022 phone call, complaining that it was “unacceptable” in light of the recent history. Mr Pattinson was asked to confirm that the matter was still going before the Dispute Resolution Board on 13 October 2022 and asked to provide details of the most recent advice that HMRC had obtained. The last substantive paragraph of the letter was headed “Subject Access Request” and then contained the text quoted at para 18 above. The paragraph concluded by saying that the information must be provided within one month of the date of the email, namely by 12 October 2022.

HMRC replied indicating that it required the additional two months that the legislation permitted for complex requests. Mr Kempell says that when the SAR was received, Mr Garside undertook a review of all the documents that the WMBC held in relation to the Enquiry. HMRC does not have a central team that deals with responses to subject access requests and the standard process is for the response to be undertaken by the relevant business area. In this instance the relevant business area was the WMBC, as it had dealt with the Enquiry.

Kempell 2 describes how the Enquiry material was held by HMRC. The WMBC previously had a Controlled Access Folder (“CAF”) for each person it was considering. A CAF contained multiple folders, each representing an individual tax year. Accordingly, there was a particular folder for this Enquiry into Mr Ashley’s tax return for the year ending on 5 April 2012. CAFs were electronic files, and prior to their use, documents were generally held within paper files. In September 2021, all of the CAFs held by the WMBC were migrated over to SharePoint and the system remained that there would be a separate folder for each tax year. The documentation held in the folder would include copies of all correspondence (external and internal), case reviews, requests for and responses to advice from internal stakeholders within HMRC and other procedural documentation. Mr Kempell considers that these are the documents that Mr Garside would have reviewed in responses to the SAR. The Claimant’s folder for the 2011/12 tax year contains seven subfolders and comprises over 1,000 documents. At this stage, the search did not extend beyond the folder held by the WMBC.

Mr Kempell says that all of the documents held by the WMBC relevant to the Claimant’s 2011/12 tax return would have been saved in this folder. It is a requirement and standard practice within the WMBC to do this in respect of all emails sent and received and all other documents generated or received. This would include any emails or other documents received from the VOA. He indicates that he has seen nothing to suggest that this standard approach was not followed in the present case.

Mr Garside listed the documents in a disclosure log, catalogued according to whether they contained any personal data, were previous correspondence and whether any of the exemptions in Schedule 2 of the DPA 2018 applied. The disclosure log was also used by Owen Jones in conducting the Review.

In response to the First SAR Decision, RPC indicated that it did not seek copies of the correspondence between the parties.

The letter of 13 April 2023 indicated that HMRC was treating the SAR request as “a request for a copy of any and all data held in relation to HMRC’s enquiry into your client’s 2011/12 SATR that pertains to your client”. RPC was asked to indicate if the SAR was wider than this. This does not seem to have received a response in RPC’s subsequent correspondence. However, I do not regard this as significant, since it appears that RPC was proceeding on the assumption that references to “HMRC” included the VOA, whereas the Defendant was proceeding on the basis that the search request only related to the data that was processed by the WMBC and that “HMRC” did not include the VOA for these purposes.

RPC’s letter before claim of 15 November 2023 asserted that HMRC had taken too narrow an approach to “personal data” and that its earlier correspondence disclosed an erroneous approach focusing on which “documents” were disclosable or exempt, rather than asking whether and to what extent Mr Ashley’s personal data was contained within documents held by HMRC and should be provided. In its response of 22 December 2023, HMRC accepted that it had erred in its approach to “documents”, particularly when considering whether any of the exemptions applied. HMRC indicated that it would undertake a further review.

The further review is described in Kempell 1 and Kempell 2. The first step was a review of all the documentation containing personal data that had previously been categorised as covered by the Schedule 2, para 2 or para 3 DPA 2018 exemptions. Personal data was extracted from the documents and recorded on a separate schedule before consideration was then given to whether the exemptions applied to this data. This led to the compilation and disclosure of Schedule 1. Given the incorrect “document-based” approach that HMRC had taken earlier, a further review was also conducted of all documents that were previously identified as containing no personal data. This process led to the compilation and disclosure of Schedule 2.

The 14 March letter said that the personal data processed in respect of the 2011/12 tax return related to Mr Ashley’s “income, capital disposals, business activities, business properties, National Insurance Number, name, address, contact details and employment information”. The letter also indicated that: the only recipients of the Claimant’s personal data were the listed departments within HMRC, the VOA and his tax agents and legal representatives; the standard default period for retention of HMRC records was 6 years plus the current year; and the personal data had predominantly been collected from Mr Ashley or his respective agents, although some personal data had been generated within HMRC for the purposes of the Enquiry. An electronic link was provided to HMRC’s Privacy Notice.

Choudhury 1 explains that Schedule 3 was prepared in July 2024 because Mr Kempell noticed that the schedule served in February 2024 was an earlier draft of the document, rather than the finalised version, and had some items missing.

Kempell 2 also addresses the nature of the additional personal data that was disclosed on 15 October 2024 in Schedule 4. Mr Kempell reviewed the documentation in light of points made in Waterson 1 and this resulted in him identifying the further material that he describes.

Mr Kempell says that the WMBC spent over 150 hours in identifying and extracting Mr Ashley’s personal data across the various reviews that were undertaken.

The Defendant accepts that HMRC is the data controller of personal data that is processed by the VOA. However, Mr Kempell says that the VOA has its own team who deal with subject access requests, so that it is not normal practice for HMRC to liaise with the VOA when a subject access request is received by them, or vice versa. In this instance the SAR was sent directly to the WMBC, who did not consider that the VOA was intended to be within its scope.

Kempell 2 and Fox 1 explain that the VOA was approached by HMRC in June 2024 to conduct an assessment of the personal data that it held in relation to the Claimant and the Enquiry, in case the Court decided that this material was within the scope of the SAR. From this it emerged that the VOA held a large amount of material and documents in relation to their valuations of the properties, some of which contained the Claimant’s personal data.

Ms Fox describes the documentation held by the VOA. There are 33 electronic main folders for the 32 properties that were the subject of the valuations (with one of the properties having two main folders). Each of these folders contains sub-folders, so that, in total, there are 65 folders for the 32 properties. There are approximately 7,347 pages in total, including duplicate documents. The folders include: instructions from, correspondence with and reports to the LPVU; valuation research and workings; internal VOA correspondence; and internal procedural documentation. She explains that there is also a master file comprising 1,785 pages. These were extracted from an out-housed storage facility and scanned onto the VOA’s system. This documentation includes: correspondence with HMRC; correspondence with the Claimant’s agents; correspondence with the local District Valuer who provided the individual property valuations; internal records of discussions about the valuations and technical advice; and copies of various valuation reports provided by the Claimant’s agents.

Ms Pitt clarifies that all of the valuations include the identification and analysis of comparable evidence, including details of property transactions by unconnected third parties who have no interest in or awareness of these valuations. The comparable information is derived from various sources including the VOA’s internal database.

Ms Fox explains that information relating to the internal operations of the VOA and that relating to third parties or their properties was not considered the Claimant’s personal data. She says that Schedule 5 also excludes data that the VOA were able to identify as duplicates of information already provided to the Claimant in the earlier WMBC schedules.

Ms Fox says that the exercise of searching for the Claimant’s personal data, extracting it and preparing Schedule 5 has taken her team 165.5 hours and that she has spent an additional 20 hours on the exercise herself.

I mention for completeness that Kempell 2 confirms that no search has been made of documents held by HMRC’s Large Business team. However, as no complaint has been made about this aspect, it is unnecessary for me to describe the material held by that team.

By the time of the hearing, the Defendant no longer relied upon the exemption contained in para 3 of Schedule 2 to the DPA 2018.

Reliance on the First Tax Exemption was explained in HMRC’s letter of 13 April 2023 as follows:

“You have questioned how the provision of your client’s personal data could prejudice the collection of tax as no further tax can be collected in relation to this matter. As set out in our letter of 12 January 2023, prejudice in this regard does not relate solely to your client’s tax affairs but to HMRC’s wider function in the assessment and collection of tax.

The prejudice here is disclosing information that could assist in artificially lowering any future liability, rather than prejudicing any current assessment or collection activities. If these documents are disclosed, this will give an indication as to what HMRC considers when looking to determine whether a benefit should be charged and therefore resulting in a prejudice to the assessment and collection of tax.”

The First Tax Exemption was also addressed at para 37 of Kempell 1, as follows:

“…disclosure to Mr Ashley would be likely to prejudice the assessment or collection of tax. The prejudice in this regard does not have to solely relate to a customer’s tax affairs but can relate to HMRC’s wider functions in the assessment and collection of tax. In this case, the disclosure of personal data…would provide an insight into HMRC’s position with regard to settlement of the tax due at the time.”

As clarified during the hearing, the First Tax Exemption is claimed in respect of the same short phrase that appears in two iterations of the VOA’s “Defendable on Appeal Report – Case Summary”.

The GDPR (Regulation (EU) 2016/679) came into force on 25 May 2018 and remained the data protection regime in the United Kingdom until 31 December 2020 (the end of the transitional period that followed the United Kingdom leaving the EU). From that point onwards, a modified data protection regime, the UK GDPR, came into effect. I will focus on the UK GDPR as the regime in force during the time that I am concerned with, but counsel have not suggested that for present purposes there is any material distinction between the GDPR and the UK GDPR. The DPA 2018 also came into force on 25 May 2018. A number of the cases that I need to refer to were decided under the earlier Data Protection Act 1998 (“DPA 1998”) regime, which implemented EU Directive 95/46/EC (the “Directive”).

Article 4(1) defines “personal data” as follows:

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more of the factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Article 4(2) defines “processing”:

“‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

Article 4(7) defines a controller:

“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”

Article 5 sets out the principles relating to the processing of personal data. In summary, they are that personal data shall be: (a) processed lawfully, fairly and transparently; (b) collected for specified, explicit and legitimate purposes; (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (d) accurate and, where necessary, kept up to date; (e) kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and (f) processed in a manner that ensures appropriate security of the personal data. Article 5(2) states that the controller shall be responsible for and be able to demonstrate compliance with these principles. Article 6(1) provides that processing shall be lawful only if and to the extent that one of the purposes identified at (a) to (f) applies.

Article 12 is headed “Transparent information, communication and modalities for the exercise of the rights of the data subject”. As relevant, it provides:

“1.

The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communications under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language…

2.

The controller shall facilitate the exercise of data subject rights under Articles 15 to 22…

3.

The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. The period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay…

…..

5.

…Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:

(a)

charge a reasonable fee for taking into account the administrative costs of providing the information or communication or taking the action required; or

(b)

refuse to act on the request.

The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.”

Articles 13 and 14 are concerned with information that is to be provided by the controller when personal data is obtained. Article 15 is at the heart of this case. It is headed “Right of access by the data subject” and (as relevant) states:

“1.

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

a.

the purpose of the processing;

b.

the categories of personal data concerned;

c.

the recipients or categories of recipients to whom the personal data has been or will be disclosed…

d.

where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e.

the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f.

the right to lodge a complaint with the Commissioner;

g.

where the personal data are not collected from the data subject, any available information as to their source;

h.

the existence of automated decision-making, including profiling referred to in Article 22(1) and (4)…

…..

3.

The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.”

The UK GDPR does not prescribe any particular means or format by which a subject access request is to be made. A request can be made in a written or oral form and there are no specific requirements regarding the way that it is sent to the controller or the controller’s address that is to be used.

In The Information Commissioner v Experian Limited [2024] UKUT 105 (ACC), a case concerned with the obligations in Articles 5 and 14 of the GDPR, a Presidential Panel of the Upper Tribunal (Administrative Appeals Chamber) considered the GDPR transparency requirements. The Panel’s summary (at para 95) included:

“a.

there is an overarching obligation to process personal data in a transparent manner in relation to the data subject;

b.

it is achieved, principally, by providing information to data subjects about how their personal data is being processed;

c.

it is a lynchpin of, or gateway to, the GDPR, because, without this information, data subjects cannot enforce the rights afforded them under the GDPR to have their personal data protected…”

Rights to rectification, erasure, restriction of processing and data portability are contained in Articles 16 – 20 of the UK GDPR.

Article 23(1) provides that the Secretary of State may restrict the scope of the obligations and rights provided for in Articles 12 – 22 “when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard” one of a number of matters that are then listed, including “taxation matters”.

The exemptions are contained in Schedules to the DPA 2018. This statute defines “personal data” in a slightly different way to the UK GDPR, as: “any information relating to an identified or identifiable living individual”. Counsel did not suggest that anything turned on this. Section 15(1) and (2)(b) indicate that Schedule 2 makes provision restricting the application of the rules contained in Articles 13 – 21 of the UK GDPR in the circumstances described in Article 23(1).

Schedule 2, para 2 of the DPA 2018 is headed “Crime and taxation: general” and (as relevant) provides:

“(1)

The listed GDPR provisions…do not apply to personal data processed for any of the following purposes –

(a)

the prevention or detection of crime;

(b)

the apprehension or prosecution of offenders; or

(c)

the assessment or collection of a tax or duty or an imposition of a similar nature,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).”

Schedule 2, para 1(1)(a)(iii) indicates that “The listed GDPR provisions” includes Article 15(1) and (3).

Where a Court is satisfied that there has been an infringement of the data subject’s rights, the court may make an order for the purposes of securing compliance with the data protection legislation (section 167 of the DPA 2018).

It is well established that the recitals to a directive or regulation are an aid to its interpretation. The recitals to the UK GDPR include the following:

“(1)

The protection of natural persons in relation to the processing of personal data is a fundamental right…

(2)

The principles and rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data….

(3)

Directive 95/46/EC…seeks to harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities…

(26)

The principles of data protection should apply to any information concerning an identified or identifiable natural person…The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable…

(63)

A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing…Every data subject should therefore have the right to know and obtain communications in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing.”

I add for completeness that section 18(1) of the Commissioners for Revenue and Customs Act 2005 provides that Revenue and Customs officials may not disclose information held by the Revenue and Customs in connection with a function of the Revenue and Customs. However, subsection (3) provides that this obligation is subject to any other enactment permitting disclosure.

The Article 4(1) definition of “personal data” (para 58 above) contains four cumulative elements, namely that there is “any information” “relating to” “an identified or indefinable” “natural person”. There is no dispute that the material in this case constitutes information and no dispute that (in so far as it does relate to him), the Claimant is identified or identifiable and a natural person. The key issue for present purposes is the scope and meaning of “relating to”.

A similar phrase was used in the earlier legislative provisions. The Directive defined personal data in Article 2(a) as:

“…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly by reference to an identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

Section 1(1) of the DPA 1998 used the following definition:

“‘personal data’ means data which relates to a living individual who can be identified –

(a)

from those data; or

(b)

from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intention of the data controller or any other person in respect of the individual”.

I will review the relevant domestic and EU caselaw in chronological order, not least because there is some difference in emphasis in the later authorities.

I begin with Durant v Financial Services Authority [2003] EWCA Civ 1746, [2004] FSR 28 (“Durant”) which Mr Cornwell relies upon as supporting the Defendant’s position. Durant was decided in 2003 under the DPA 1998. The appellant sought disclosure of information which he alleged was personal data relating to him held by the Financial Services Authority (“FSA”). He had sued Barclays Bank unsuccessfully and had subsequently attempted to obtain various records in connection with that dispute. He made subject access requests to the FSA, in its role as the regulator for the financial services sector. The FSA provided him with some material but declined to provide further data concerning his complaint about Barclays Bank and the FSA’s investigation of this complaint. I note the wide terms in which his case was argued on appeal. It was said that his entitlement under the DPA 1998 included any information retrieved as a result of a search under his name and anything on file which had his name on it or from which he could be identified. Further, his counsel submitted that the documentation generated by his letters of complaint to the FSA were his personal data because he was the source of the material.

Unsurprisingly, the Court of Appeal rejected these submissions, indicating that not all information received from a computer search against an individual’s name was their personal data; that the mere mention of a data subject in a document held by the data controller did not necessarily establish that it was his personal data; and just because the FSA’s investigation had emanated from his complaint did not mean, without more, that the information generated by the investigation was the claimant’s personal data (paras 28 and 30). Auld LJ (giving the leading judgment) also emphasised that a data subject’s entitlement under the DPA 1998 was to be provided with their personal data, not with original or copy documents as such (para 26).

In the course of setting out those conclusions, Auld LJ discussed the circumstances in which information would “relate to” the data subject. At para 27 of his judgment he observed that the purpose of the subject access right conferred (then) by section 7 of the DPA 1998 was to enable the data subject to check whether the controller’s processing unlawfully infringed his right to privacy and, if it did, to take steps to protect it; and that it was likely in most cases that only information that named or directly referred to the data subject would qualify. At para 29, Auld LJ considered that “personal data” was to be given a narrow meaning and that this approach was supported by the definition’s expressly stated inclusion of expressions of opinion and indications of intention (para 76 above), whereas, if the concept had the broader meaning that the appellant proposed, this wording would have been otiose.

I pause to foreshadow at this stage that, by contrast, more recent authorities have stressed the broad nature of “personal data”. In addition, subsequent caselaw has confirmed that expressions of opinion may amount to “personal data” within the meaning of the definition in the Directive and the GDPR (where the “expression of opinion” wording contained in the DPA 1998 definition does not appear) and it was not thought necessary to reproduce that wording in the DPA 2018 definition.

At para 28 of his judgment, Auld LJ provided some guidance as to the scope of “personal data”:

“…Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree. It seems to me that there are two notions that may be of assistance. The first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in a matter or an event that has no personal connotations, a life event in respect of which his privacy could not be said to be compromised. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or events in which he may have figured or have had an interest, for example, as in this case, an investigation into some other person’s or body’s conduct that he may have instigated. In short, it is information that affects his privacy, whether in his personal or family life, business or professional capacity…”

The general proposition that whether information “relates to” the data subject may be a question of degree on a continuum of relevance is not, as I understand it, contentious. Whilst Auld LJ’s two “notions” have been cited in a number of the later cases, looked at in context, it is apparent that he was not laying down an exhaustive list of the ways in which information may “relate to” a data subject, as opposed to providing suggested indicators that were at least partly prompted by the circumstances of the particular case before the court. By way of example, Auld LJ does not refer in terms to the impact of the information in question upon the data subject; albeit his reference to the “focus” of the information may be wide enough to accommodate this. As I will return to, Ms Proops also points out that it is now clear that the purpose of the exercise of data access rights extends beyond affording protection to a data subject’s right to privacy.

Buxton LJ gave a short concurring judgment, in which he observed that: the requirement that the information should “relate to” the data subject imposed a limitation on the “otherwise very wide” definition; the guiding principle was that the DPA 1998 gave rights to data subjects to protect their privacy; and the notions identified by Auld LJ at para 28 would provide a clear guide in borderline cases (paras 78 and 79).

Durant pre-dated the “Opinion 4/2007 on the concept of personal data” provided by the Article 29 Data Protection Working Party (a body instituted under Article 29 of the Directive). It is common ground that the Article 29 Working Party’s Opinion (“the Article 29 Opinion”) is not binding upon this Court. However, it appears to me to be of value in its emphasis upon the broad nature of “personal data”; in its suggested three indicators as to when information will “relate to” the data subject, which reflect that broad approach; and in a particular example that is included in respect of the value of a house (given that the VOA’s valuations of the 32 properties is one of the contentious areas in the present case). Moreover, the three indicators identified in this document are reflected in more recent decisions of the Court of Justice of the European Union (“CJEU”) in particular in Nowak v Data Protection Commissioner [2018] 1 WLR 3505 (“Nowak”) and FF v Ősterreichische Datenschutzbehörde [2023] 1 WLR 3674 (“FF”).

The Article 29 Opinion considers that the term “any information” signals the willingness of the legislator to design a broad concept of personal data. The concept of personal data includes “‘subjective’ information, opinions or assessments”, the latter making up a considerable share of personal data processing in sectors such as banking, insurance and employment (page 6). The Opinion observes that in general terms, information can be considered to “relate” to an individual “when it is about that individual” (emphasis in the original). The text notes that the information conveyed by the data may concern an object, rather than an individual, but that it may relate indirectly to an individual by virtue of the object belonging to them, or because it is subject to particular influence by or upon an individual or it has a physical or geographical vicinity to an individual (page 9). The text then gives the following example:

“The value of a particular house is information about an object. Data protection rules will clearly not apply when this information will be used solely to illustrate the level of real estate prices in a certain district. However, under certain circumstances such information should also be considered as personal data. Indeed, the house is the asset of an owner, which will hence be used to determine the extent of this person’s obligation to pay some taxes, for instance. In this context, it will be indisputable that such information should be considered as personal data.”

The Article 29 Opinion proceeds to identify the following approach to whether information is “relating” to an identified or identifiable individual:

“… in order to consider that the data ‘relate’ to an individual, a ‘content’ element OR a ‘purpose’ element OR a ‘result’ element should be present.

The ‘content’ element is present…where…information is given about a particular person…Information ‘relates’ to a person when it is ‘about’ that person, and this has to be assessed in the light of all circumstances surrounding the case…

Also a ‘purpose’ element can be responsible for the fact that information ‘relates’ to a certain person. That ‘purpose’ element can be considered to exist when the data are used, or are likely to be used, taking into account all the circumstances surrounding the precise case, with the purpose to evaluate, treat in a certain way, or influence the status or behaviour of an individual.

….

A third kind of ‘relating’ to specific persons arises when a ‘result’ element is present. Despite the absence of a ‘content’ or ‘purpose’ element, data can be considered to ‘relate’ to an individual because their use is likely to have an impact on a certain person’s rights and interests, taking into account all the circumstances surrounding the precise case…it is not necessary that the potential result will be a major impact. It is sufficient if the individual may be treated differently from other persons as a result of the processing of such data.” (Emphasis in the original.)

I can refer to Edem v The Information Commissioner [2014] EWCA Civ 92 relatively briefly. The Court of Appeal, unsurprisingly, agreed with the decision of the Upper Tribunal (Administrative Appeals Chamber) which had allowed an appeal from the First-tier Tribunal’s (“FtT”) determination that the names of three members of staff at the FSA did not constitute their personal data. The FtT had fallen into error in trying to apply the “notions” referred to at para 28 of Durant (para 82 above). As Moses LJ explained, the “notions” were Auld LJ’s “explanation as to why the information and documents in which Mr Durant’s name appeared were not personal data relating to him”; whereas in a case such as Edem where the narrow question was whether the individuals’ names were personal data, they had no relevance (para 20). Moses LJ endorsed the Information Commissioner’s Office Data Protection Technical Guidance as accurately setting out the effects of the statutory scheme in terms of what is personal data (para 21). I refer to the more recent iteration of this guidance at paras 119 – 121 below.

Mr Cornwell places particular reliance upon the CJEU’s decision in YS v Minister voor Immigratie, Integratie en Aisel [2015] 1 WLR 609 (“YS”), decided under the Directive. The three applicants, who were third-country nationals whose applications for residence permits had been dealt with by the Netherlands authorities, each requested copies of the “minute” relating to the decision made on their applications. The minute was an internal document drawn up by the case officer responsible for making the draft decision. In addition to personal information about the applicant, the minute contained material about the procedural history, the applicable legal provisions and an assessment of the relevant information in the light of the applicable law. The requests were rejected and the applicants appealed. The questions asked by the referring Court included whether a legal analysis, as set out in the respective minutes, could be regarded as personal data within the meaning of Article 2(a) of the Directive. The CJEU confirmed that the minutes contained personal data relating to (amongst other things) the applicants’ name, date of birth, nationality, gender, ethnicity, religion and language, but held that although the legal analysis might contain personal data, it was not in itself personal data (paras 38 – 39).

The core of the CJEU’s reasoning was as follows:

“40.

As the Advocate General noted in essence in point 59 of her opinion…such a legal analysis is not information relating to the applicant for a residence permit, but at most, in so far as it is not limited to a purely abstract interpretation of law, is information about the assessment and application by the competent authority of that law to the applicant’s situation, that situation being established inter alia by means of the personal data relating to him which that authority has available to it.”

The Advocate General’s reasoning at para 59, which the Court endorsed was as follows (with paras 57 – 58 also set out in order to give context):

“57.

…I do not find it helpful to distinguish between ‘objective’ facts and ‘subjective’ analysis. Facts can be expressed in different forms…For example, a person’s weight might be expressed objectively in kilos or in subjective terms such as ‘underweight’ or ‘obese’. Thus, I do not exclude the possibility that assessment and opinions may sometimes fall to be classified as data.

58.

However, the steps of reasoning by which the conclusion is reached that a person is ‘underweight’ or ‘obese’ are not facts, any more than legal analysis is.

59.

Legal analysis is the reasoning underlying the resolution of a question of law. The resolution might be in the form of advice, an opinion or a decision (and thus may, or may not, be legally binding). Apart from the facts on which it is based (some of which might be personal data), that analysis contains the explanation for the resolution. The explanation itself is not information relating to an identified or identifiable person. At most, it can be categorised as information about the interpretation and application of the pertinent law with regard to which the legal position of any individual is assessed and (possibly) decided. Personal data and other elements of fact may very well be inputs in the process leading to answering that question but that does not make the legal analysis itself personal data.”

It appears to me that this passage is of assistance in understanding what the Advocate General and, in turn, the Court had in mind when referring to “legal analysis”; in essence it appears to be the decision-maker’s reasoning process. I also note that at para 49 (which appears just before she proceeded to set out her reasoning and conclusions), the Advocate General said that she did not think it necessary to provide “an exhaustive definition of ‘personal data’, ‘legal analysis’ or any other form of analysis. It suffices to focus on whether the legal analysis included in the minute is personal data”.

The CJEU went on to observe that its approach was borne out by the objective and general scheme of the Directive:

“42.

In accordance with article 1 of the Directive, its purpose is to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data, and thus to permit the free flow of personal data between member states.”

The Court observed that the data subject was given a right of access to the data in order to undertake the necessary checks and, in this context, referred to a data subject’s rights under the Directive to be informed that processing is taking place, to request corrections to the data and to object to the processing in certain circumstances; and referred to the right to respect for private life, meaning that the person may be certain that the personal data concerning them are correct and are being processed lawfully (paras 43 and 44). It was said that the right of access was necessary “inter alia, to enable the data subject to obtain, depending on the circumstances, the rectification, erasure or blocking of his data by the controller” (para 44). The Court then concluded:

“45.

In contrast to the data relating to the applicant for a residence permit which is in the minute and which may constitute the factual basis of the legal analysis contained therein, such an analysis…is not in itself liable to be the subject of a check of its accuracy by that application and a rectification under… [the provisions of the Directive].

46.

In those circumstances, extending the right of access of the applicant for a residence permit to that legal analysis would not in fact serve the Directive’s purpose of guaranteeing the protection of the applicant’s right to privacy with regard to the processing of data relating to him, but would serve the purpose of guaranteeing him a right of access to administrative documents, which is not however covered by Direction 95/46.”

In the latter context, reference was made to the distinction drawn in EU regulations between regulations concerning public access to European Parliament, Council and Commission documents, as distinct from regulations relating to the processing of personal data by the EU institutions (para 47).

Accordingly, the Court answered this aspect of the referred questions as follows:

“48.

…article 2(a) of Direction 95/46 must be interpreted as meaning that the data relating to the applicant for a residence permit contained in the minute and, where relevant, the data in the legal analysis contained in the minute are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so qualified.”

Accordingly, the issue decided in YS was specific to the legal analysis contained in the minute. I return to the parties’ submission as to the wider significance of YS at paras 165 – 170 below.

Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd [2017] EWCA Civ 121, [2018] QB 256 (“Ittihadieh”) concerned subject access requests made under section 7 of the DPA 1998. In terms of “personal data”, the direct issue before the Court of Appeal was a narrow one; the Court held that information was not disqualified from being “personal data” merely because it had been supplied to the data controller by the data subject. The Court acknowledged that the DPA 1998 was to be interpreted in conformity with the Directive (para 35). Further, that the purpose underlying the Directive, as set out in recital (2) was that data processing systems must respect natural persons’ “fundamental rights and freedoms, notably the right to privacy”. Giving the leading judgment, Lewison LJ noted that the emphasis on the right to privacy was repeated in recitals (7), (9), (10), (11) and (68) (para 36).

Lewison LJ accepted a submission that the definition of “personal data” in both the DPA 1998 and the Directive consisted of two limbs: (i) whether the data in question “relates to” a living individual; and (ii) whether that individual is identifiable from the data (para 61). Having referred to various pieces of information about an individual that would amount to “personal data”, Lewison LJ described the CJEU’s decision in YS in the following terms:

“62.

…The same is true of the name, date of birth, nationality, gender, ethnicity, religion and language, relating to a natural person who is identified by name, although it does not apply to legal analysis: YS v Minister voor Immigratie, Integratie en Asiel…Mr Pitt-Payne submitted, and again I agree, that these cases are concerned with the ‘identifiability’ limb of the definition. ”

Accordingly, whilst this observation was not part of the ratio of the case, it is of note that Lewison LJ considered that the CJEU’s decision in YS turned on the “identifiability” requirement, rather than on the “relate to” limb of the “personal data” definition.

Lewison LJ also observed that the Court of Appeal’s view in Durant corresponded closely with that expressed by the Advocate General at para 55 of YS, where she said that she was not convinced that the definition of “personal data” should be read “so widely as to cover all of the communicable content in which factual elements relating to a data subject are embedded”. He also cited a passage from para 46 of the judgment in YS, as supporting the proposition that it is necessary to consider whether the interpretation of “personal data” in any given case would serve the purpose of the Directive (para 68).

For completeness I note that Lewison LJ explained why there was no conflict between Durant and Edem: Mr Edem had wanted the names of officials, whereas Mr Durant had wanted the entirety of any document in which he was mentioned (para 66).

Before leaving Ittihadieh, I turn to a further aspect of Lewison LJ’s judgment; the form of a subject access request. This is of relevance to Issue 1. Under the DPA 1998 (unlike the UK GDPR) a subject access request had to be made in writing and payment of a fee (not exceeding the prescribed maximum) could be required by the data controller. Lewison LJ explained that beyond these aspects, the legislation did not lay down any prescribed form for making a subject access request (para 78). A request was to be interpreted by reference to the usual principles that the Court applies in interpreting any written communication; it must be read fairly and as a whole and, as a request may be made informally, exacting standards of precision would be inappropriate (para 80).

The data subject in Nowak, a trainee accountant who had failed an accountancy examination, submitted a data subject access request seeking all of his personal data held by the professional body which had marked his paper. Some data was provided, but it refused to send him his examination script, on the basis that this was not “personal data”. The CJEU held that the written answers he had submitted in the examination and the comments of the examiner on the paper did constitute the applicant’s “personal data”. The information was linked to him as a person, as the content of his answers reflected the state of his knowledge and competence and the purpose of collecting his answers was to evaluate his professional abilities and suitability to practice as an accountant (paras 37 – 41). The examiner’s comments reflected and recorded their assessment of the candidate’s performance (paras 42 – 43).

Identifiability was not in issue. The CJEU said that the key issue for it to determine was whether the written answers provided by a candidate at a professional examination and any comments made by an examiner with regard to those answers constituted “information relating to” that candidate within the meaning of Article 2(a) of the Directive. Referring to its earlier case law, the Court noted that the scope of the Directive “is very wide and the personal data covered by that Directive is varied” (para 33). The judgment continued:

“34.

The use of the expression ‘any information’ in the definition of ‘personal data’ within article 2(a) of Directive 95/46 reflects the aim of the EU legislature to assign a wide scope to that concept, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective, but also subjective, in the form of opinions and assessment, provided that it ‘relates’ to the data subject.

35.

As regards the latter condition, it is satisfied where the information, by reason of its content, purpose or effect, is linked to a particular person.”

Pausing there, I note that this passage reflects the approach of the Article 29 Opinion (paras 86 – 87 above), save that the third indicator is described as “effect” rather than “result”, but there does not appear to be a material distinction between the two. It also confirms that the Directive’s definition of “personal data” is wide enough to encompass subjective opinions and assessments, without the need for the additional wording that appeared in the DPA 1998 definition (paras 76 and 80 above).

During the course of identifying why the examination answers constituted “personal data”, the CJEU referred to the use that would be made of such information; it would be “liable to have an effect on his or her rights and interests, in that it may determine or influence, for example, the chance of entering the profession aspired to or of obtaining the post sought” (para 39). The key reason why the Court concluded that the examiner’s comments also amounted to the examinee’s “personal data” related to its impact: “the purpose of these comments is, moreover, precisely to record the evaluation by the examiner of the candidate’s performance, and those comments are liable to have effects for the candidate” (para 43). This was a little different to the reasoning of the Advocate General, who had considered that the examiner’s comments were personal data because they were “typically inseparable” from the script itself, such that there was a “close link” between the examination script and any corrections made on it” (paras 62 – 63).

The Court went on to conclude, at para 56, that giving a candidate the right of access to their answers and the examiner’s comments on their script would serve the purposes of the Directive “of guaranteeing the protection of that candidate’s right to privacy with regard to the processing of data relating to him (see, a contrario, YS v Minister voor Immigratie, Integratie en Asiel… paras 45 and 46)”. The reference to YS appears to do no more than note that a contrary conclusion was reached in the circumstances of YS, as to whether giving the applicants access to the data they sought would serve the Directive’s objective. In and of itself I do not agree with Ms Proops that this is an expression of disagreement with the Court’s reasoning in YS.

However, Ms Proops is on firmer ground in pointing out that the analysis that supported the conclusion in Nowak that the purposes of the Directive were served by regarding this information as “personal data”, did not rest on the rights of a data subject to rectification and erasure, but more broadly on the data subject being entitled to check the lawfulness of the processing of their data and, for example, raise objection in respect of the controller’s storage or retention of their data or its provision to third parties (paras 47 – 50).

The Advocate General’s opinion was to similar effect, in particular at paras 26, 34 and 38 – 41, which included the following:

“38.

…rectification and the other rights set out under article 12(b) of the Data Protection Directive, namely blocking and erasure, are not the sole aims of the right of access.

39.

Recital (41) does indeed describe the purpose of access as being that the data subject may verify in particular the accuracy of the data and the lawfulness of the proceedings. By using ‘in particular’ in most language versions, however, the legislature has indicated that the purpose goes further. For even irrespective of rectification, erasure or blocking, data subjects generally have a legitimate interest in finding out what information about them is processed by the controller.

…..

41.

…In addition, there is greater uncertainty with the passing of time…about the script still being retained. In such circumstances the examination candidate must at least be able to find out whether his script is still being retained. That right, too, presupposes that the incorporation of the examination candidate’s personal data in the script is recognised.”

The Advocate General also discussed the position of the examiner’s comments on the script, acknowledging that whilst it was hard to imagine a right of rectification, erasure or blocking of inaccurate data arising in respect of those comments, the “primary purpose of a right of access to the examiner’s corrections would be to inform the examination candidate about the evaluation of particular sections of his script” (paras 55 and 57).

As YS was cited by both the CJEU and the Advocate General (who acknowledged, at para 59, that “at first glance” the Court’s finding in YS could be transposed to the examiner’s comments), it is clear that neither regarded the reasoning or conclusion in that case as precluding the decision that the examination answers, including the examiner’s comments, were personal data.

The next in time case cited by counsel was Aven v Orbis Business Intelligence Limited [2020] EWHC 1812 (QB) (“Aven”). The claimants sought correction of the record and other remedies under the DPA 1998 in relation to one component of the “Steele Dossier”, an intelligence memorandum produced by the defendant that considered any links that might exist between Presidents Vladimir Putin and Donald Trump. The claimants were three businessmen of Russian or Ukrainian origin who were among the beneficial owners of the Alfa Group Consortium, which was referred to in the dossier. The claimants relied on five propositions that they said Memorandum 112 contained and which were their personal data. The defendant disputed that some the contentious information was the claimants’ personal data.

Warby J (as he then was) acknowledged that “personal data” was a broad term (para 14). He rejected the defendant’s submission that an individual could only show that information is his personal data if he is identifiable from the sentence in question, accepting the claimants’ approach that the contentious wording had to be approached holistically, in its context (paras 23 – 26). Ms Proops relies on this case as authority for the proposition that the question of whether or not information relates to the relevant individual is to be approached in a broad way, in the present case by reference to the nature and contents of the Enquiry.

Warby J rejected the defendant’s argument that the wording of the definition of “personal data” in the DPA 1998 indicated that “an item-by-item approach to the contents of that document must be adopted” (para 28). He cited the observation of Judge Jacobs in Farrand v Information Commissioner [2014] UKUT 310 (ACC) at para 18 that: “To ignore context would render the legislation ineffective in numerous circumstances to which it is clearly intended to apply, thereby reducing its effectiveness” (para 30). However, Warby J made clear that his decision was based upon the particular circumstances of the case before him:

“31.

There may be cases involving data sets of a more abstract or more granular kind, where the question of whether the set contains the claimant’s personal data calls for an individualised assessment of each constituent element, read in isolation from other components of the data set…it is always necessary to identify what is and is not the proper context for any given statement or item of data. At any rate, I am satisfied that what I have called the holistic approach should be applied to Memorandum 112. The document…is a coherent narrative…it would be artificial to read any individual sentence in isolation from the remainder of the document.”

Warby J referred briefly to Durant and to Ittihadieh, noting that they were consistent with his conclusions and indicating that “whether information comprises personal data depends on where it falls in a continuum of relevance or proximity to the data subject”. He said that the propositions identified in Durant had been developed “to guide those confronted with claims based on the notion that all information in any document that makes mention of an individual is that individual’s personal data” and that they were of “scant relevance” to the issue that he had to decide (para 33).

I refer to FF in more detail from para 126 below. It was decided after the end of the implementation period (31 December 2020 at 23.00 hours) and thus it is not binding of this Court: section 6(1)(a) of the European Union (Withdrawal) Act 2018. However, section 6(2) provides that the Court may have regard to such a judgment. The parties were also agreed that the effect of section 6(3) and (4) is that earlier CJEU judgments were binding upon this Court (although not on the Court of Appeal or Supreme Court).

Unlike the earlier authorities that I have cited, FF was determined under the GDPR. The CJEU cited with approval the approach to “personal data” and to “relates to” that the Court had identified at paras 34 – 35 of Novak (para 105 above).

The ICO has published guidance on the concept of “personal data” under the GDPR, entitled “What is personal data?” (the “ICO Guidance”). The meaning of “relates to” is addressed at pages 22 - 26. The thrust is similar to the Article 29 Opinion in that the text explains that data may be “personal data” by virtue of its content, its purpose or its impact. Having referred to data that is obviously about a particular individual or their activities, the text continues:

“Alternatively, data may be personal data because it is clearly ‘linked’ to an individual as it is about his or her activities and you are processing it for the purpose of determining or influencing the way in which that individual is treated. Data may also be personal data if it is biographically significant or has a particular individual as the focus.”

Pausing there, I note that the “notions” identified in Durant are included as some of the ways that data may constitute personal data, but the text also highlights that information may amount to personal data because it is used to make a decision about the individual or it otherwise affects the way that the individual is treated.

The ICO Guidance recognises that data may be personal data where the content is about their activities, rather than about the individual themselves; and where the data is not in itself personal data but will become so in certain circumstances “where it can be linked to an individual to provide particular information about that individual”. The text goes on to say that if the data is used, or is likely to be used “to learn, evaluate, treat in a certain way, make a decision about, or influence the status or behaviour of an individual”, then it is personal data. A number of examples are then given, some of which are of potential relevance to the present situation:

“…data about a house is not, by itself, personal data.

Context is important here. Information about a house is often linked to an owner or resident and consequently the data about the house will be personal data about that individual.

Example

Information about the market value of a particular house may be used for statistical purposes to identify trends in the house values in a geographical area. The house is not selected because the data controller wishes to know anything about the occupants, but because it is a four bedroom detached house in a medium-sized town. As soon as the data about a house is either:

•

linked to a particular individual, for example, to provide particular information about that individual (for example, his address); or

•

used in deliberations and decisions concerning an individual (even without a link to the individual’s name, for example, the amount of electricity used at the house is used to determine the bill the individual household is required to pay),

then that will be personal data.

…..

Example

The value of a house is used to determine an individual’s liability for Council Tax, or to determine their assets or in proceedings following divorce. This is then personal data because the data about the house is clearly linked to the individual or individuals concerned.” (Emphasis in original)

I was taken to Surrey Searches Limited v Northumbrian Water Limited [2024] EWHC 1643 (Ch) (“Surrey Searches”) as a recent example of the application of the “personal data” concept. One of the issues before the Court was whether the defendants were obliged to make certain information available to the claimant personal search companies for free or for no more than a reasonable charge. The claimant companies compiled personal search reports on particular properties for sale to clients, such as solicitors’ firms acting for property purchasers. They argued that the information in question was “environmental information” within the meaning of the Environmental Information Regulations 2004 (“EIR”). The defendants were water and sewerage companies and commercial providers of water and drainage information search reports. The Court had to determine whether information responsive to questions about buildover agreements and about internal flooding constituted “personal data”, so that, pursuant to regulation 13 of the EIR it was not disclosable (paras 724 – 725). The reports did not identify any specific individual but each report related to a specific property, identifying it by its address and postcode (para 729).

Richard Smith J referred to the judgments in Durant, Edem, Ittihadieh and Aven. He also quoted from the ICO Guidance, including the examples regarding information relating to a particular house which I have set out at para 121 above, describing it as useful. The Judge found that the buildover information was not personal data, whereas information about internal flooding was personal data (paras 736 and 738). Richard Smith J said that the buildover information did not say anything meaningful about the lives of the owner or occupier; it did not indicate what, if any, steps had been taken after the approval was given, nor who had sought the approval; it was unlikely that the information would be used by property developers to make decisions relating to the owners and occupiers; and it was unlikely that the information would be used by third parties to make valuation decisions. He contrasted this with the responsive information in respect of internal flooding which concerned a current risk to the property which had the potential to seriously impact on the owners and occupiers’ domestic or working lives and conditions; and carried with it potentially serious financial consequences, in terms of decisions made by others relating to mitigation measures, sale, value, security and insurance.

Accordingly, both the content of the respective data in terms of the extent to which it was linked to the particular owners and occupiers and its potential impact, including in terms of financial consequences, were material to the Court’s assessment.