A subject access request is one of the most under-used disclosure tools available against HMRC. It is free, requires no court order and compels HMRC to confirm what personal data it holds on a client and to provide a copy of it – usually within one month. HMRC resists DSARs routinely, almost always by invoking the “crime and taxation” exemptions in Schedule 2, Part 1 of the Data Protection Act 2018. Those exemptions are real, but they are narrower, more conditional and more frequently misapplied by HMRC than its standard refusal letters suggest. This guide sets out the legal framework, the exemption mechanics in full, the case law that constrains HMRC’s reliance on them and a practical methodology for drafting and enforcing a DSAR that HMRC cannot lawfully bat away with a blanket refusal.
On this page
- Why DSARs matter in HMRC disputes
- The legal framework: Article 15 and the DPA 2018
- Civil processing vs criminal processing: which regime applies
- What HMRC personal data typically includes
- The crime and taxation exemptions in detail
- The prohibition on blanket exemption claims
- Other exemptions HMRC commonly invokes
- Case law analysis
- Drafting an effective DSAR against HMRC
- Challenging a refusal or an inadequate response
- Tactical use of DSARs in tax disputes
- Practitioner checklist
- Frequently asked questions
Why DSARs Matter in HMRC Disputes
Most practitioners reach for Freedom of Information Act requests, Schedule 36 negotiations or tribunal disclosure applications when they need to understand what HMRC actually knows and how it has reasoned its way to an assessment or a deliberate-behaviour finding. A subject access request under Article 15 UK GDPR is a different, complementary tool and in many respects a more powerful one where the client is an identifiable individual (or, by extension through a data-sharing agreement, a director whose personal data is held in connection with a company investigation).
Unlike an FOI request, a DSAR is not constrained to recorded information of general application: it reaches into HMRC’s case-working systems, its internal notes, its risk-assessment outputs and any third-party intelligence held about the individual, provided that information is “personal data” within the UK GDPR’s broad definition. Unlike a Schedule 36 information notice, a DSAR runs in the opposite direction: it is the taxpayer compelling HMRC to disclose, not HMRC compelling the taxpayer.
In practice, a DSAR against HMRC is most valuable in four scenarios: COP9 and other criminal-adjacent civil investigations, where the taxpayer needs to understand the basis and source of HMRC’s suspicion; discovery assessment and deliberate-behaviour disputes, where HMRC’s internal characterisation of the evidence (rather than its public-facing assessment letter) is often the real battleground; insolvency and director-liability matters, where HMRC’s internal risk scoring of a company or director may pre-date and explain an otherwise unexplained escalation; and offshore/CRS-driven enquiries, where the DSAR can reveal exactly what third-party data triggered the nudge letter or formal enquiry in the first place.
The Legal Framework: Article 15 and the DPA 2018
The right of subject access is set out in Article 15 of the UK GDPR (the assimilated version of Regulation (EU) 2016/679, as it forms part of domestic law under the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018). Article 15(1) entitles a data subject to obtain from the controller confirmation of whether their personal data is being processed, and, if so, access to that data together with specified information: the purposes of processing, the categories of data, the recipients or categories of recipient, the retention period, the existence of other rights, the right to complain to the Information Commissioner, the source of the data where it was not collected from the data subject and the existence and logic of any automated decision-making.
“Personal data” is defined broadly under Article 4(1) as any information relating to an identified or identifiable natural person. The Court of Justice of the European Union confirmed in Nowak v Data Protection Commissioner (C-434/16) that subjective assessments and opinions about an individual – not merely objective facts – constitute personal data where they relate to that individual by content, purpose or effect. Applied to HMRC, this means risk scores, officer notes recording impressions of credibility or cooperation, internal characterisations of behaviour as “deliberate” or evasive and case-working commentary about an individual are all personal data, even though none of it was “created for” the data subject in any conventional sense.
The Court of Appeal’s decision in Edem v Information Commissioner [2014] EWCA Civ 92 confirms the same broad approach domestically: a person’s name and information clearly “about” or “linked to” them, is personal data without any requirement that it carry independent biographical significance. This matters because HMRC’s refusal correspondence sometimes still echoes the now-superseded test from Durant v Financial Services Authority [2003] EWCA Civ 1746 – the idea that information must have the data subject as its “focus” or carry “biographical significance” to count as personal data. That test does not survive Edem and Nowak and any HMRC response that relies on it, even implicitly, is applying the wrong legal standard.
Civil Processing vs Criminal Processing: Which Regime Applies
A threshold question that is frequently overlooked is which data protection regime actually governs the processing in dispute. The DPA 2018 implements two materially different regimes side by side. Part 2 applies the UK GDPR to general processing – this is the regime under which HMRC’s routine civil compliance work, enquiries, discovery assessments and Schedule 36 information-gathering sit, and it is the regime that contains the Schedule 2 exemptions discussed in this guide. Part 3 implements a separate “law enforcement processing” regime (transposing the EU Law Enforcement Directive) for processing carried out by competent authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. Part 3 contains its own, broadly analogous but not identical, right of access and its own restriction grounds.
Why this matters: a DSAR addressed generally to “HMRC” may, on HMRC’s case-working facts, span both regimes – civil enquiry material processed under Part 2 and material generated once a matter is referred into a dedicated criminal investigation (for example, once HMRC’s Fraud Investigation Service moves a case onto a criminal track) potentially processed under Part 3. The exemption analysis in this guide concerns Part 2 processing, which covers the overwhelming majority of HMRC personal data in civil tax disputes, COP9 civil-track cases and discovery assessment disputes. Where a case has crossed into a genuinely criminal investigative footing, practitioners should specifically ask HMRC to confirm which regime it says applies to the data held, since the applicable access right and restriction grounds differ and HMRC cannot simply default to the Part 2 crime and taxation exemption to cover Part 3 processing without explaining why.
What HMRC Personal Data Typically Includes
Before drafting a DSAR it is worth having a realistic picture of what HMRC is likely to hold on an individual taxpayer, because a request that is too narrowly framed will be met with a narrowly framed response. In our experience advising on DSARs run alongside enquiries, investigations and tribunal appeals, HMRC personal data commonly includes:
- Case-working notes and officer commentary recorded on HMRC’s caseworking systems (CONNECT-flagged risk outputs, Enterprise Tax Management Platform records and legacy systems depending on the tax involved);
- Risk-assessment scores and the categorisation applied to the taxpayer (for example, classification as high-risk, the trigger for a nudge letter or flags generated by automated cross-referencing against third-party data);
- Internal referral notes – for example, a civil compliance officer’s note recommending referral to the Fraud Investigation Service or a recommendation for COP9 rather than a standard enquiry;
- Correspondence between HMRC officers discussing the taxpayer’s case, including assessments of credibility, cooperation or the strength of the taxpayer’s explanations;
- Third-party intelligence received about the taxpayer, including data obtained under the Common Reporting Standard, Land Registry data, card-processor data, informant or whistleblower reports and data shared by other government departments or law enforcement bodies;
- Records of decisions, including the reasoning behind a discovery assessment, a deliberate-behaviour finding or a penalty calculation;
- Call recordings and notes of telephone contact with the taxpayer or their representatives.
A request that specifically lists categories such as these, rather than asking generically for “all personal data”, is both more likely to elicit a complete response and harder for HMRC to meet with a generic refusal.
The Crime and Taxation Exemptions in Detail
The DPA 2018 provides two distinct exemptions relating to crime and taxation, both found in Schedule 2, Part 1. They closely follow the equivalent exemptions that existed under the 1998 Act regime and HMRC relies on them more often than any other exemption in responding to DSARs. Understanding their precise scope – which rights they disapply, in what circumstances and subject to what conditions – is the single most important piece of technical knowledge in this area.
Crime and Taxation – General (Paragraph 2)
This exemption applies where the controller processes personal data for one of three purposes: the prevention or detection of crime; the apprehension or prosecution of offenders; or the assessment or collection of a tax or duty. Critically, it does not apply automatically merely because the processing falls within one of those purposes. It applies only to the extent that complying with the relevant UK GDPR provision would be likely to prejudice that purpose. This is a prejudice test, not a category-based carve-out and the burden of establishing prejudice rests with HMRC as the controller seeking to rely on the exemption.
Where the exemption is properly engaged, it disapplies a specific list of rights and obligations, not the whole of the UK GDPR. For a controller in the position of having generated the data itself (referred to in ICO guidance as “controller A”), the exemption can extend to: the right to be informed and the transparency obligations (Articles 13–14); the subject access right itself (Article 15(1)–(3)); the right to rectification (Article 16); the right to erasure (Article 17(1)–(2)); the right to restrict processing (Article 18(1)); related notification obligations (Article 19); the right to data portability (Article 20(1)–(2)); the right to object (Article 21(1)); the data protection principles so far as they relate to the rights above (Article 5); the personal-data-breach notification duty to the data subject (Article 34(1) and (4)); and the transparency/fair-processing and purpose-limitation principles in full (Article 5(1)(a) and (b)).
Where a second controller (“controller B”) receives data from controller A and processes it for one of the same three purposes – the paradigm example being a bank passing a suspected-fraud file to a law enforcement body, which then processes that data for its own investigation – the exemption available to controller B is narrower: it covers only the transparency obligations (Articles 13–14), the subject access right (Article 15(1)–(3)) and the corresponding data protection principles, to the same extent that controller A was exempt. The practical HMRC analogy is a third party (a bank, an accountant, an employer) sharing data with HMRC for the purposes of an investigation: HMRC’s own exemption as recipient is, in principle, no broader than the exemption available to the party that disclosed the data to it.
Crime and Taxation – Risk Assessment Systems (Paragraph 3)
The second, narrower exemption applies specifically to a classification applied to a data subject as part of a risk-assessment system. To engage it, the risk-assessment system must be operated by a government department, a local authority or another authority administering housing benefit and must be operated for the assessment or collection of a tax, duty or similar imposition or for the prevention or detection of crime involving the unlawful use of public money or an unlawful claim for payment of public money. This is the provision most directly relevant to HMRC’s Connect system and any successor risk-profiling platform.
The test for engaging this exemption is narrower than the general exemption: it applies only to the extent that compliance would prevent the risk-assessment system from operating effectively, not merely to the extent that it would cause some lesser prejudice. Where engaged, it disapplies the transparency obligations (Articles 13–14), the subject access right (Article 15(1)–(3)) and the corresponding data protection principles – a materially shorter list than the general crime and taxation exemption.
| Feature | Para 2 – Crime & Taxation (General) | Para 3 – Risk Assessment Systems |
|---|---|---|
| Who can rely on it | Any controller processing for crime prevention/detection, prosecution or tax assessment/collection | Government departments, local authorities, housing benefit authorities operating a risk-assessment system |
| Test | Likely to prejudice the relevant purpose | Would prevent the system operating effectively (narrower) |
| Scope of disapplied rights (controller A) | Arts 13–14, 15, 16, 17, 18, 19, 20, 21 and Art 5 principles relating to the above | Arts 13–14, 15 and Art 5 principles relating to the above – no rectification/erasure/portability/objection |
| Typical HMRC use | Withholding material that would tip off a taxpayer to an active civil or COP9 investigation | Withholding the mechanics of Connect risk-scoring and classification logic |
The “To the Extent That” Qualification
The phrase “to the extent that” is doing real legal work in both exemptions, and it is the phrase HMRC’s standard refusal correspondence most often glosses over. Neither exemption disapplies the right of access wholesale, even where the controller’s purpose plainly falls within scope. The exemption bites only on the specific information whose disclosure would actually cause the relevant prejudice (or, for the risk-assessment exemption, actually undermine the system’s effective operation). A live HMRC investigation does not automatically mean every document on the file is exempt: it means HMRC must identify, document by document, which items would genuinely cause prejudice if disclosed now and disclose the rest.
The Prohibition on Blanket Exemption Claims
This is the single most exploitable weakness in HMRC’s typical DSAR handling. The authorities are unambiguous that a controller cannot discharge its burden by asserting an exemption over an entire file, an entire category of documents or an entire investigation, without engaging in a document-by-document (or at minimum, a properly particularised) analysis.
In Gurieva & Anor v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB) – widely cited in practice as Guriev – Warby J refused to allow a private investigation firm to rely on a blanket assertion that an entire file was covered by exemptions, including legal professional privilege, holding that the firm had provided no proper evidential basis for the claim and that document-by-document analysis of the kind required was the ordinary and expected approach, not a disproportionate burden. The Court of Appeal in Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74 reinforced the same principle in the LPP context: a blanket assertion of privilege over a file, without the underlying analysis the law requires, is not a lawful basis for withholding disclosure.
Applied to HMRC, this means a refusal letter that states, in substance, “this material is exempt under the crime and taxation exemption because there is an open investigation” is legally inadequate on its face. HMRC must show its working: which specific documents or parts of documents are said to cause prejudice, what the nature of that prejudice is and why disclosure now (rather than after the investigation concludes or in redacted form) would cause it. Where HMRC’s response does not do this, the correct response is not to accept the refusal but to challenge the adequacy of the exemption analysis itself, independently of whether the underlying exemption might, on proper analysis, apply to some of the material.
Other Exemptions HMRC Commonly Invokes
Legal Professional Privilege – Schedule 2, Part 4, Paragraph 19
HMRC will also resist disclosure of material it characterises as privileged, whether its own internal legal advice or advice provided to the taxpayer that has come into HMRC’s possession. The same document-by-document burden of proof applies and the same blanket-claim prohibition from Gurieva applies with full force. Two further limitations are worth keeping in mind. First, the “man of business” exception confirmed in Kerman v Akhmedova [2018] EWCA Civ 307 means that where a lawyer is performing a factual, administrative or business function – rather than giving or receiving legal advice or preparing for litigation – the resulting communications are not privileged merely because a solicitor was involved. Second and frequently decisive in tax matters, R (Prudential plc) v Special Commissioner of Income Tax [2013] UKSC 1 confirms that legal advice privilege does not extend to advice given by accountants, however indistinguishable in substance from legal advice. Where HMRC’s file includes correspondence with or about, a client’s accountant rather than a solicitor, privilege is very unlikely to be a legitimate basis for withholding it.
Self-Incrimination – Schedule 2, Part 1, Paragraph 20
A narrower exemption applies to personal data that would reveal evidence of the commission of an offence by the data subject, where disclosure would expose the data subject to proceedings for that offence (the logic being that the GDPR access right should not become a backdoor route to a different and inappropriate kind of compelled self-disclosure). In practice this exemption is rarely a basis for HMRC to withhold material that the taxpayer is, by definition, already aware forms part of their own affairs; it is more commonly relevant where the data subject is a third party whose own potential liability would be exposed.
Third-Party Data – Schedule 2, Part 3, Paragraph 16
Where complying with a DSAR would necessarily reveal personal data relating to another identifiable individual – an informant, a co-director, a business associate – the controller need not disclose that third party’s data without their consent unless it is reasonable in all the circumstances to do so without consent. This is frequently the real basis for HMRC withholding the identity of a complainant or the source of a tip-off, and it is the provision considered in DB v General Medical Council [2016] EWHC 2331 (QB), discussed further below. The exemption is, however, a basis for redacting identifying third-party detail, not for withholding the substance of information that relates to the data subject merely because it is mixed with third-party material. HMRC must still disclose the data subject’s own personal data with only the third party’s identifying detail redacted, unless the third-party material is genuinely inseverable.
Case Law Analysis
Edem v Information Commissioner [2014] EWCA Civ 92
The Court of Appeal held that a person’s name is personal data unless it is so common that, without further context, the individual remains unidentifiable and confirmed that information can be personal data simply because it is “obviously about” or “linked to” an individual – rejecting the FSA’s argument that names of caseworkers handling a complaint required some additional biographical content. Edem is the leading domestic authority for the proposition that HMRC cannot insist on a narrow, biographical-significance reading of “personal data” when responding to a DSAR.
Nowak v Data Protection Commissioner (C-434/16)
The CJEU held that a candidate’s exam answers and an examiner’s comments on them, are personal data, because the right of access exists to allow individuals to verify the accuracy of data and the lawfulness of its processing – not merely to access neutral factual records. Read across to HMRC, internal officer assessments of a taxpayer’s credibility, cooperation or the “deliberateness” of their conduct are personal data in exactly the same way that an examiner’s marginal comments were in Nowak.
Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74
The Court of Appeal held that the data protection regime is purpose-blind: a controller cannot refuse a subject access request on the ground that the requester’s underlying motive is litigation, regulatory proceedings or evidence-gathering for a dispute. It also confirmed that a blanket assertion of legal professional privilege over a category of documents, without proper document-level analysis, is not adequate. For HMRC purposes, this means a DSAR made by a taxpayer who is simultaneously appealing an assessment, under criminal investigation or engaged in insolvency proceedings cannot be refused or narrowed on the basis that the requester “really wants the data for the appeal/investigation/proceedings”.
Dr DB v GMC [2016] EWHC 2331 (QB)
This is the principal, narrow exception to purpose-blindness. The case concerned a complainant’s subject access request for a fitness-to-practise report that was overwhelmingly the third-party doctor’s own personal data, where the patient’s dominant purpose was plainly to use the report in a separate claim against the doctor. The High Court declined to order full disclosure in those circumstances, given the third party’s competing privacy interest and lack of consent. Applied to HMRC, the exception is genuinely narrow: it requires both that the requested material is predominantly someone else’s personal data and that the requester’s dominant purpose is to use it against that third party. A taxpayer’s DSAR for HMRC’s own internal assessment of their tax affairs does not fall within this exception merely because the taxpayer also happens to be in dispute with HMRC.
Gurieva & Anor v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB)
Warby J rejected an attempt by a private investigation firm to claim that an entire file was covered by exemptions (including legal professional privilege) without proper supporting evidence and rejected the argument that document-by-document analysis would be disproportionate, holding that this kind of analysis is the ordinary discipline the law requires of controllers. This remains the leading domestic authority for the blanket-exemption prohibition discussed above, and the case did not proceed to appeal.
Kerman v Akhmedova [2018] EWCA Civ 307
The Court of Appeal accepted that a solicitor who performs a factual or administrative role for a client – arranging insurance, assisting with asset transfers – is acting as a “man of business” rather than as legal adviser for those specific functions and that communications relating to that non-advisory role are not privileged. This is directly relevant where HMRC’s file includes correspondence between a taxpayer’s solicitor and a third party concerning practical, non-advisory matters: privilege does not attach merely because a solicitor was the author.
R (Prudential plc) v Special Commissioner of Income Tax [2013] UKSC 1
The Supreme Court held, by a majority, that legal advice privilege is confined to advice from solicitors, barristers, foreign lawyers and in-house lawyers and does not extend to indistinguishable advice given by accountants. The case arose in a tax context – a tax inspector’s notice to produce documents relating to accountants’ tax-avoidance advice – making it directly applicable to DSARs against HMRC where the file includes material generated by or shared with a client’s accountant rather than a lawyer.
DB v General Medical Council [2016] EWHC 2331 (QB)
The High Court held that where a subject access request would necessarily disclose a third party’s personal data and that third party has withheld consent, the starting presumption is against disclosure of that third-party material, displaced only where it is reasonable in all the circumstances to proceed without consent. This is the leading authority on the third-party data exemption discussed above and is the case HMRC is most likely to invoke (often without naming it) when withholding the identity of an informant or complainant.
Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd; Deer v University of Oxford [2017] EWCA Civ 121
The Court of Appeal confirmed that a controller’s search obligation is one of reasonableness and proportionality, not an obligation to “leave no stone unturned” and upheld a refusal to search a specific file where doing so would have been wholly disproportionate on the facts. This principle is now reflected on a statutory footing by section 78 of the Data (Use and Access) Act 2025, which confirms that a controller need only carry out a reasonable and proportionate search in response to a DSAR. The practical implication for HMRC DSARs is double-edged: HMRC can legitimately decline to search every system in existence on a speculative basis, but it equally cannot use “disproportionate effort” as a generic excuse to avoid searching the case-working systems that are obviously central to the dispute in hand.
Drafting an Effective DSAR Against HMRC
A DSAR that is vague, generic or framed around litigation strategy invites a narrow and unhelpful response. The following drafting principles consistently produce better outcomes in our experience:
- State the statutory purpose, not the tactical one. Frame the request around verifying the accuracy and lawfulness of HMRC’s processing – the actual statutory purpose of Article 15 – rather than referring to an ongoing appeal, enquiry or investigation. Under Dawson-Damer, HMRC cannot lawfully refuse on the basis of a litigation motive, but there is no tactical benefit in inviting an argument about it.
- List specific categories of data rather than relying on a generic request for “all personal data”. Reference case-working notes, risk-assessment outputs and classifications, internal referral and escalation notes, third-party intelligence received, call recordings and the source of any information not obtained directly from the data subject (engaging the Article 15(1)(g) right specifically).
- Identify the relevant systems where known – Connect outputs, the specific case reference, the relevant office or team – to forestall a “disproportionate search” response under the Ittihadieh standard.
- Ask HMRC to confirm which regime applies – Part 2 (UK GDPR/general processing) or Part 3 (law enforcement processing) – if there is any prospect the matter has moved to a dedicated criminal investigation footing.
- Pre-empt the blanket-exemption response by expressly putting HMRC on notice, in the request itself, that any reliance on an exemption must be supported by document-by-document reasoning in line with Gurieva and Dawson-Damer and that a blanket refusal will be treated as non-compliant.
- Fix the statutory clock in the request itself. State the one-month deadline for response under Article 12(3) UK GDPR, note that any extension must be reasoned by reference to the complexity or volume of the request and expressly reserve the right to complain to the Information Commissioner under section 165 DPA 2018 and to apply to the court for a compliance order under section 167 DPA 2018, without further notice, if the deadline is missed.
- Address third-party data realistically. Where the request will necessarily touch third-party material (a complainant, a co-director), acknowledge this and ask for redaction of identifying detail rather than withholding of the substance, to make it harder for HMRC to justify a blanket withholding under paragraph 16, Schedule 2, Part 3.
Challenging a Refusal or an Inadequate Response
Where HMRC’s response is a blanket refusal, an unreasoned exemption claim or simply late, several routes are available, in escalating order of formality:
- Write back identifying the specific deficiency. Request the document-by-document reasoning that Gurieva and Dawson-Damer require and set a reasonable deadline for a substantive response.
- Complain to the Information Commissioner’s Office. The ICO can investigate and, where appropriate, issue an enforcement notice. ICO complaints are free and do not require legal representation, but resolution can take months, which limits their usefulness where a tribunal deadline is looming.
- Apply to court under sections 167–168 of the DPA 2018. The County Court (or the High Court) can order a controller to comply with a DSAR where satisfied that the controller has failed to do so. This route is faster than an ICO complaint and can be combined with an application for compensation under Article 82 UK GDPR / section 168 DPA 2018 where the failure has caused damage or distress. Vidal-Hall v Google Inc [2015] EWCA Civ 311 remains the cleaner authority that distress alone, without any pecuniary loss, is recoverable as non-material damage; Lloyd v Google LLC [2021] UKSC 50 narrowed the wider landscape rather than supporting it, confirming that mere loss of control of data, without proof of distress or material damage, is not itself compensable and restricting representative claims based on uniform, unproven harm across a class. Any compensation claim following a DSAR failure should be evidenced by the individual’s actual distress or loss, not framed as automatic compensation for the breach itself.
- Raise the failure within the substantive tax dispute itself. Where HMRC’s failure to provide DSAR material is relevant to a live tribunal appeal – for example, because it bears on the genuineness of a discovery or HMRC’s internal characterisation of behaviour – raising the point with the tribunal, alongside or instead of a separate DSAR enforcement action, can be the more efficient route.
Tactical Use of DSARs in Tax Disputes
Beyond pure compliance, a DSAR is a genuine evidence-gathering tool and should be planned as part of the overall case strategy rather than treated as an afterthought once a dispute escalates. Some practical applications we use routinely:
- Testing the “discovery” narrative. Where HMRC asserts a discovery assessment was triggered by a specific piece of information becoming newly available, internal case notes obtained by DSAR can confirm or undermine the timeline HMRC relies on, which is often decisive to a staleness or validity challenge.
- Probing deliberate-behaviour findings. Internal officer commentary obtained by DSAR frequently reveals the actual basis (or absence of basis) for a “deliberate” characterisation, which can differ materially from the reasoning set out in the formal assessment letter.
- Identifying the data source behind a nudge letter or enquiry. Where a client wants to understand whether a discrepancy was flagged by CRS data, a third-party tip-off or a generic Connect risk score, the Article 15(1)(g) source-of-data right is the most direct route to an answer.
- Insolvency and director-liability cases. Internal risk classifications of a director, obtained before a Personal Liability Notice or disqualification referral, can illuminate whether HMRC’s escalation decision was properly evidenced or effectively pre-determined.
Run alongside, rather than instead of, the substantive dispute, a DSAR adds a disclosure channel that HMRC cannot close down simply by asserting privilege or litigation immunity, because (as Dawson-Damer confirms) the existence of a parallel dispute is not, of itself, a lawful basis for refusal.
Practitioner Checklist
- Confirm whether the processing in dispute sits under Part 2 (UK GDPR) or Part 3 (law enforcement processing) of the DPA 2018.
- Frame the DSAR around verifying accuracy and lawfulness of processing – never around litigation purpose.
- List specific data categories: case notes, risk scores, referral notes, third-party intelligence, call recordings, automated decision logic.
- Put HMRC on notice that any exemption claim must be supported by document-by-document reasoning (Gurieva; Dawson-Damer).
- Scrutinise any LPP claim for the “man of business” point (Kerman) and the no-LPP-for-accountants point (Prudential).
- Where third-party data is withheld, push for redaction of identifying detail rather than wholesale withholding (DB v GMC).
- If the response is inadequate, escalate via ICO complaint (s.165 DPA 2018) or a section 167 DPA 2018 court application and consider an Article 82 compensation claim only where genuine distress or loss can be evidenced (Vidal-Hall), not merely the fact of the breach itself (Lloyd v Google).
- Integrate any disclosure obtained into the substantive tax dispute – discovery validity, deliberate-behaviour findings, PLN escalation decisions.
Frequently Asked Questions
Can HMRC refuse a subject access request outright?
No. The crime and taxation exemptions only disapply the right of access to the extent that compliance would be likely to prejudice the assessment or collection of tax or the prevention or detection of crime, in relation to specific information. HMRC must assess the request item by item and disclose everything not genuinely covered by an exemption.
Does the crime and taxation exemption cover an entire HMRC investigation file?
Not automatically. Following Gurieva v Community Safety Development (UK) Ltd [2016] EWHC 643 (QB) and Dawson-Damer v Taylor Wessing LLP [2017] EWCA Civ 74, a controller cannot make a blanket claim over a category of documents or an entire file. HMRC must identify which specific documents or parts of documents, would be prejudiced by disclosure and disclose the remainder.
Can HMRC refuse a DSAR because the requester is involved in litigation or an appeal?
No, save in a narrow exception. UK GDPR is purpose-blind: a controller cannot refuse or limit a subject access request merely because the requester appears to be motivated by litigation or an HMRC dispute. The narrow exception in Dr DB v GMC [2016] EWHC 2331 (QB) applies only where the request is overwhelmingly aimed at a third party’s data and the dominant purpose is litigation against that third party.
Does HMRC have to disclose internal risk-assessment notes generated by the Connect system?
In principle, yes, unless HMRC can show disclosure would prevent its risk-assessment system from operating effectively – the specific test under the paragraph 3 exemption, which is narrower than the general crime and taxation exemption and must also be applied document by document. Generic assertions that disclosure would “undermine Connect” are not sufficient.
Is legal advice from my accountant protected from disclosure in an HMRC DSAR?
No. Following R (Prudential plc) v Special Commissioner of Income Tax [2013] UKSC 1, legal advice privilege is confined to advice from solicitors, barristers and other qualified lawyers. Tax advice given by an accountant is not privileged and cannot be withheld from a DSAR on that basis.