If you feel your bank, insurance company, or any other financial firm has treated you unfairly, you have the right to ask them for the personal information they hold about you. This is called a Data Subject Access Request (DSAR). In this blog we explore the importance of DSARs as a tool to protect your interests, and we go on to discuss the recent and important court case about a DSAR: Ashley v HMRC…
Data Subject Access Request (DSAR)
A DSAR is a request you can make to any organisation, such as your bank or lender, to find out what personal information they hold about you and how they use it. This right is protected under laws like the UK GDPR, giving you the power to access, correct, or even delete your data in some cases. For example, people sometimes submit DSARs to their banks to gather information if they suspect they were mis-sold a financial product – such as a loan, mortgage, or car finance deal – or if they believe they were lent money irresponsibly.
Through a DSAR, you can ask for details like copies of loan applications, records of advice given, or information about how decisions were made regarding your account. The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights. They provide guidance to both individuals and organisations about DSARs and ensure that companies comply with data protection laws.
For example, Mr O (full surname not given, as he’s a real person) complained to Gain Credit LLC (trading as Lending Stream) that they had provided him with loans without checking whether he could afford them. Mr O also asked for a copy of all his information held with Lending Stream by submitting a DSAR to them, but Lending Stream didn’t respond to the DSAR. Concerned about Lending Stream’s lack of response, Mr O referred his concerns to the ICO.
Making its findings in Mr O’s case, the ICO said:
“I have considered the information available in relation to this complaint and I am of the view that Gain Credit LLC has not complied with their data protection obligations. This is because you have not received an appropriate response to your subject access request within the statutory timeframe”
The ICO went on to say that if Mr O is worried that information is being withheld from him, then he would, “…have the right to take the matter to court. The court has the power to make an order requiring Gain Credit LLC to provide information if it is found to have been unreasonably withheld.”[1]
We do not know whether Mr O pursued Lending Stream through the Courts. But we do know about a well-known person in the UK (Mike Ashley) taking HMRC to court about the way HMRC responded to a DSAR, which we will talk about next.
What Happened in Ashley v HMRC?
The recent court case, Ashley v HMRC, is a big deal for anyone making DSAR requests. Here’s what happened, what the judge said, and what it means for you.
Mike Ashley, a well-known businessman, asked HMRC (the UK tax authority) for all the personal information they held about him during a tax dispute. HMRC only searched one department, gave him bits and pieces of information, and tried to keep a lot back by saying it was protected for tax reasons. Ashley wasn’t happy and took them to court.
What Did the Court Say?
The judge mostly sided with Ashley and made several important points:
- You Get the Full Picture: The court said HMRC was wrong to only look in one department. If your request is wide, the company must check all parts of the business that could have your data – even if that means talking to other teams or branches.
- No Hiding Behind Internal Rules: Just because a company splits up its departments, that doesn’t mean they can limit your request. The judge said any internal practice of treating two divisions as separate entities cannot alter the scope of that DSAR request. If your data is there, you should get it, no matter where it’s held.
- No Excuses About Time or Effort: HMRC complained it would take too long to search everywhere. The court said that’s not a good enough reason to refuse. Big organisations are expected to have systems in place to handle these requests properly.
- Not Just Snippets – You Need Context: The judge criticised HMRC for giving Ashley only bits of information with no explanation. The court said the response must be “concise, transparent and intelligible,”[2] so you can actually understand what’s going on and use the information to defend your rights. Giving you just your name or a few lines from a document isn’t enough.
- Exemptions Must Be Proven, Not Just Claimed: HMRC tried to keep information back by saying it was protected for tax reasons. The judge said they needed real evidence that releasing the information would cause serious problems – not just vague worries or guesses. If a company wants to keep something back, they must give a solid reason and show how it would really cause harm.
What This Means for You
If you ask your bank, insurer, or any financial company for your data:
- Expect a Proper Search: They can’t just look in one place or one department. They must check everywhere your information might be.
- You Should Get the Full Story: They must give you enough information, with context, so you understand how decisions were made about you – especially if it affects your money.
- They Can’t Use Internal Rules as an Excuse: If your data is held by a different team or branch, that doesn’t matter. They still have to give it to you.
- They Can’t Refuse Just Because It’s Hard Work: Companies are expected to be organised enough to handle these requests.
- If They Withhold Information, They Must Explain Why: If they say they can’t give you something, they need to give a real, specific reason – not just a blanket statement.
Why This Matters
If you think a financial company has treated you unfairly – maybe you’ve been overcharged, denied a claim, or given a bad deal – a DSAR can help you find out what really happened behind the scenes. Thanks to Ashley v HMRC, you have a stronger right to get all the information you need, not just what the company wants to give you.
If you’re not happy with how a financial company responds to your DSAR, Ashley v HMRC shows you have the right to push back and ask for a proper, honest answer.
Glossary
Data Subject Access Request (DSAR)
A Data Subject Access Request (DSAR) is when someone asks an organisation to show them all the personal information it holds about them. You can use a DSAR to see what data a company has on you, why they have it, and who they’ve shared it with. You can also ask for your information to be changed or deleted. Anyone can make a DSAR, and organisations usually have to reply within one month.
UK GDPR
UK GDPR stands for the United Kingdom General Data Protection Regulation. It’s a law that sets rules for how organisations must handle personal data-meaning any information that can identify a living person. UK GDPR gives people more control over their data and sets out how organisations must keep it safe and use it fairly. It’s based on the original EU GDPR, but was kept in UK law after Brexit, alongside the Data Protection Act 2018.
Information Commissioner’s Office (ICO)
The Information Commissioner’s Office (ICO) is the UK’s independent authority that makes sure organisations follow data protection laws like the UK GDPR. The ICO helps protect people’s personal information and privacy, can investigate complaints, and has the power to fine organisations if they break the rules. It also provides advice and guidance to both the public and businesses.
HM Revenue and Customs (HMRC)
HMRC is the UK government department responsible for collecting taxes, paying some benefits like Child Benefit, and enforcing customs rules. It plays a key role in funding public services by collecting money from individuals and businesses. HMRC also handles things like statutory sick pay and maternity pay and ensures people follow tax and customs laws.
[1] https://www.financial-ombudsman.org.uk/decision/DRN-3084344.pdf
[2] https://www.judiciary.uk/wp-content/uploads/2025/01/Ashley-v-HMRC.pdf