Nigel Demming v Information Commissioner & Anor [2026] UKFTT GRC 75

Background to the appeal

1. This appeal concerns a decision of the Information Commissioner (the “IC”) dated 8 July 2025, reference IC-356747-F4H7 (the “Decision”). The Decision was in connection with a request for information made to the Commissioners for His Majesty’s Revenue and Customs (“HMRC”) by the Appellant, Mr Nigel Demming, concerning corporation tax filings submitted using the online form CT600.

2. Mr Demming wrote to HMRC on 29 November 2024 to request information in the following terms: “HMRC uses the online form CT600 to collect and store corporation tax return information and computations online. For the last available financial year, I require a spreadsheet/csv file of CT600 corporation tax filings for all of the following UK registered corporations: • Limited Companies • Unincorporated Associations • Charities and Community Amateur Sports Clubs (CASCs) • Non-Profit Organisations Community Interest Groups (CICs) NOTE: 1. No data columns are to be filled in the CT600 cohort that could identify corporations or individuals. (These include company name, company number, tax reference, contact details or banking information). 2. The company name should be replaced by a sequential number, and any identifiable information replaced by a dash. All other non-identifiable information filed on the CT600 form by the individual company should be disclosed under that sequential number” For Example: Company name Registration no. Tax Reference Type of company ➔ All other CT600 form columns completed 0000001 02 0000002 07 0000003 02

3. HMRC responded on 20 December 2024 and confirmed that it held the information requested, but that it was exempt from release under section 44(1) (a) of the Freedom of Information Act 2000 (“FOIA”), an absolute exemption which is not subject to the public interest test. HMRC stated that the relevant legislation here was section 23(1) of the Commissioners for Revenue and Customs Act 2005 (“CRCA”)

4. On the same date Mr Demming requested an internal review and stated the following: “I have not asked for all the data in the CT600 tax return. I have specifically asked for the data to be de-identified and specified the columns to do so. Any other columns which pose a risk of re- identification can be treated as per the ICO anonymization code of practice. I do not accept that CT600 tax return data is exempt from the Freedom of Information Act where the information does not identify persons and therefore the exemption under section 44(1) A does not apply. Any notion that persons can be identified from de-identified data is not logical. I do not accept that in the absence of the columns which I have requested to be removed, persons can be identified from the 30 million tax returns. Particularly since the data is not in the public domain. Guess work is not identification, and with the names and contact details of the 30 million records removed definitive identification is not possible. It is within the public interest to have access to this cohort of data”.

5. Following an internal review, HMRC wrote to Mr Demming on 16 January 2025, stating that it upheld its position.

6. Mr Demming contacted the IC on 17 January 2025 to complain about the way his request for information had been handled.

7. On 8 July 2025, the IC issued the Decision. In this he decided that HMRC’s reliance on section 44(1) (a) of FOIA was correct. He concluded that: a. The requested information is held in connection with HMRC’s function of assessing and collecting tax. b. The requested information is therefore prohibited from disclosure under section 18(1) of CRC by virtue of being held in connection with a function of HMRC. c. The requested information is specifically prohibited from disclosure under section 23(1) CRCA. Abbreviations used in this decision “CRCA” means the Commissioners for Revenue and Customs Act 2005 “CT600” means the online form which HMRC uses to collect and store corporation tax return information and computations online “the Decision” means the IC’s decision dated 8 July 2025, reference IC-356747-F4H7 “FOIA” means the Freedom of Information Act 2000 . All references to sections are references to sections of this Act unless otherwise specified “HMRC” means the Commissioners for His Majesty’s Revenue and Customs, the Second Respondent “IC” means the Information Commissioner, the First Respondent “SDC” means Statistical Disclosure Control “UT” means the Upper Tribunal, Administrative Appeals Chamber Procedural matters concerning the hearing

8. The hearing was held remotely by cloud video platform (CVP). The Tribunal was satisfied that it was fair and just to conduct the hearing in this way. The Appeal

9. Mr Demming appealed the decision to the Tribunal on 9 July 2025. He gave the following grounds for his appeal: “On 29 November 2024, I made a request to HM Revenue and Customs (HMRC) under the Freedom of Information Act 2000 (FOIA) for anonymised corporation tax return data (CT600). My request explicitly required that all direct identifiers be removed and that any other data fields which pose a risk of re-identification be excluded, in accordance with the Information Commissioner's own Anonymisation Code of Practice. HMRC refused the request under section 44(1) (a) FOIA, citing section 23 of the Commissioners for Revenue and Customs Act 2005 (CRCA). The Information Commissioner upheld HMRC's reliance on this prohibition. I contend that this decision is legally flawed for the reasons set out in my attached Skeleton Argument and supporting documentation.”

10. The skeleton argument which was submitted with his appeal submitted that anonymised CT600 data does not relate to an identifiable person so the statutory prohibition in section 23 of CRCA does not bite and section 44(1) (a) is not engaged. He argued that the FOIA right to access information prevails, subject only to relevant qualified exemptions, of which there are none here.

11. Mr Demming also identified what he considered to be several errors in the Decision, which, in summary, were as follows: a. The IC failed properly to apply its own Anonymisation Code of Practice and instead accepted HMRC’s blanket refusal, rather than requiring partial disclosure with anonymisation or redaction. b. The IC wrongly extended the “motivated intruder” test, which is derived from data protection law for personal data of natural persons, to anonymised corporate data where there is no basis in law for doing so. c. The IC wrongly accepted that self-identification by a company or its employees is enough to engage section 23 CRCA. d. The Decision does not address whether further redaction or aggregation could mitigate any residual re-identification risk. e. The IC wrongly relied on the Tribunal precedent of O’Shea v IC & HMRC (EA/2023/0164) as the facts are materially different here.

12. The relief sought by Mr Demming is that he would like the Decision set aside and a new Decision Notice ordering HMRC to take steps to release the information requested in an appropriately anonymised and partially redacted form that removes any realistic risk of re-identification using the IC's own Anonymisation code of practice. The IC’s Response to the appeal

13. The IC filed a Response dated 8 August 2025. He submitted that the appeal should be dismissed and made the following points: a. The Appellant does not dispute the IC’s conclusion that the requested information, if held, would be held by the HMRC in connection with the public authority’s function relating to the general management and collection of tax. b. It is therefore not in dispute that the requested information would, if held, therefore be prohibited from disclosure under section 18(1) CRCA by virtue of being held in connection with a function of the HMRC. c. Under s.23(1) CRCA, information prohibited from disclosure by virtue of section 18(1) CRCA is specifically designated as exempt from disclosure under s.44(1) (a) FOIA if its disclosure “ would identify the person to whom it relates or would enable the identity of such a person to be deduced ”. d. In reaching the Decision, the IC carefully considered HMRC’s submissions regarding identification by both self-identification of the company or by its employees, bank officials, suppliers or by motivated intruders by using information available from public sources such as that available at Companies House or the Charity Commission and by using advances in technology and agreed with those submissions. e. The IC also carefully considered HMRC’s assessment of the risk of identification and conclusion that anonymisation was not possible because of the nature and granularity of the financial data when cross referenced or triangulated with other public information. He was satisfied that in this case the HMRC has properly assessed the risk of identification. Mr Demming’s reply to the IC’s Response

14. Mr Demming provided a Reply to the IC’s Response dated 9 August 2025, in which he made the following points: a. The IC’s framing of the issue omits the factual question of whether robust anonymisation can remove the statutory bar in section 23(1) CRCA and the Tribunal cannot decide this without factual evidence of anonymisation feasibility. b. The IC relies entirely on HMRC’s internal assessment of identification risk which has not been disclosed and there is no independent testing or review of anonymisation feasibility, despite this being recommended by the IC’s code of practice on anonymisation. c. The threshold for identification is higher than speculative association; there must be a real and significant possibility of identification. The public (including any motivated intruder) could not, on balance of probabilities, deduce the identity of any person from the data sought. At most there would be self-identification and this is insufficient to engage section 23(1) where no third party can make the link. d. The case of O’Shea has materially different facts and is distinguishable HMRC’s Response to the Appeal

15. HMRC filed a Response dated 29 August 2025, in which it said that the central issue in this appeal was whether it was possible for HMRC to respond to the request in a way that does not engage section 23(1) CRCA. It also sought to address some of the issues raised by Mr Demming in his Reply to the IC’s Response and made the following points: a. The corporation tax records with which the request is concerned clearly attract taxpayer confidentiality and their disclosure is prohibited by section 18(1) CRCA. It will therefore engage the absolute exemption at section 44(1) (a) FOIA if either of the conditions at section 23(1) (a) or (b) CRCA applies. b. Section 23 (1) (a) applies to the information in the format in which it is held by HMRC and section 23(1) (b) applies to the information in the format sought by Mr Demming. While the terms of the Request indicate a concern that the information held should be transformed prior to release in such a manner as to obfuscate the identity of those persons to which the records relate, in fact the Request cannot be satisfied without enabling the deduction of the identity of such persons. c. Redaction of unique identifies from the list of tax returns sought is not sufficient to exclude the risk of either self-identification or deduction; both risks are unavoidable because the request seeks information about individual tax returns. d. An individual taxpayer could recognise features of their own corporation tax return and identify it as their own even if the information was provided in the form requested. This provides a complete answer to the appeal. In support of this HMRC relies on O’Shea v IC & HMRC [2023] UKFTT 01005 (GRC) which states at §15: “It is not necessary for HMRC to demonstrate that an information requester or any other person would be in a position to identify a person to whom requested information relates in order to withhold that information in reliance on section 23 of the CRCA. It is merely necessary to show that a person (a legal entity) would be in a position to identify the person to whom the requested information relates. This would also include self-identification.” e. The risk of deduction arises through mosaic effects, including from information already in the public domain, information which may foreseeably come to light (including through self-identification) and other information not in the public domain/ This risk is heightened and illustrated by—but does not arise exclusively from—the availability of modern tools to effect ‘jigsaw identification’ by drawing together these disparate pieces of information and making probabilistic deductions. It agrees with the IC that the requested information “is a rich source of highly sensitive financial data […] [e]ven where this information does not match exactly, the richness of the data available is likely to enable identification, particularly of high-profile organisations”. f. In relation to anonymisation, the format requested is a pseudonymised dataset, in which unique identifiers are “replaced by a sequential number ”. Categorically, the reversal of pseudonymisation cannot be excluded, whether by deduction of the pseudonym or self-identification by a given taxpayer g. The Request seeks information about individual tax returns: without aggregation, this information cannot be anonymised in such a way as to remove the possibility of re-identification or self- identification. To the extent that the Appellant seeks information aggregated by type or category, section 23(1) CRCA is engaged. h. Aggregated information about corporation tax returns is already freely available through HMRC’s publication scheme. The process of compiling and releasing official statistics reflects careful attention to the very risks that section 23(1) CRCA is designed to avoid. In particular, HMRC data standards reflect a methodological standard maintained by the Government Analysis Function known as Statistical Disclosure Control (“SDC”), defined as “the application of methods to reduce the risk of disclosive information about data subjects”. These official statistical publications represent the safe transformation of taxpayer information compatibly with SDC methodologies. While there may be occasions when requests for further breakdown of aggregated data can be fulfilled, release of individual-level data, as required by this Request, would never meet SDC standards. Mr Demming’s Reply to HMRC’s Response

16. Mr Demming filed a Reply to HMRC’s Response dated 30 August 2025. In it he made the following points: a. the correct test under section 23(1) (b) CRCA is whether there is a realistic prospect that third parties could deduce identities from the anonymised dataset, not whether a taxpayer could recognise their own entry. The issue for the Tribunal is therefore whether anonymisation can sufficiently remove the risk of identification such that section 23(1) is not engaged. b. Section 23(1) (b) requires that disclosure would “ enable the identity … to be deduced .” That necessarily contemplates deduction by persons other than the taxpayer themselves. If HMRC’s approach were correct, anonymisation would always fail, as any subject can always recognise their own data. That would render the statutory limitation in s.23(1) meaningless and inconsistent with the principle in CSA v SIC [2008] UKHL 47 that properly anonymised data may be disclosed. c. HMRC’s submissions about “mosaic” and “jigsaw” identification are speculative. HMRC must demonstrate that realistic re-identification risks exist. d. The “motivated intruder” tests applies only to personal data of natural persons. e. HMRC conflates pseudonymisation with anonymisation; Mr Demming seeks the latter. f. The fact that HMRC applies SDC techniques to publish aggregated corporation tax statistics proves that safe anonymisation is achievable. HMRC’s view that that “ individual-level data … would never meet SDC standards ” (Response §39) is a policy view, not a statutory prohibition. Parliament did not intend to ban all anonymised microdata; if it had, s.23(1) (b) would be redundant. g. He concluded that “ (i) HMRC’s reliance on “self-identification” is a misinterpretation of CRCA s.23(1) ; (ii) HMRC has not demonstrated a realistic risk of third-party deduction; (iii) Proper anonymisation is feasible and was contemplated by the request; (iv) HMRC breached its duty under FOIA s.16 by refusing to explore anonymisation options.” Legal Framework

17. Section 1 FOIA creates a duty to disclose information held by public authorities.

18. The duty to disclose information held by public authorities is subject to exemptions. There are two types of exemption: absolute and qualified. An exemption will be “qualified” where, if the exemption is engaged, the relevant public interests must be balanced to determine whether the public interest in maintaining the exemption outweighs the public interest in disclosure pursuant to section 2 FOIA. An absolute exemption will not require the balancing of the public interests.

19. Section 44(1) (a) FOIA provides that: “(1) Information is exempt information if its disclosure (otherwise than under this Act ) by the public authority holding it— (a) is prohibited by or under any enactment, […] “

20. Section 44(1) is an absolute exemption which does not require the balancing of public interests.

21. Section 18(1) CRCA provides that— “Revenue and Customs officials may not disclose information which is held by the Revenue and Customs in connection with a function of the Revenue and Customs, […]”

22. The scope of section 18(1) CRCA in the FOIA context is restricted by section 23(1) CRCA, the purpose of which “ is to delimit the application of ”: section 44(1) FOIA […] in relation to information whose disclosure is prohibited under section 18 CRCA Gordon v HMRC [2025] UKUT 159 (AAC) .

23. Section 23(1) CRCA provides that— “(1) Revenue and customs information relating to a person, the disclosure of which is prohibited by section 18(1) [CRCA], is exempt information by virtue of section 44(1) (a) [FOIA] if its disclosure— (a) would specify the identity of the person to whom the information relates, or (b) would enable the identity of such a person to be deduced. […]” The Role of the Tribunal

24. The Tribunal’s remit is governed by section 58 FOIA. This requires the Tribunal to consider whether the decision made by the Commissioner is in accordance with the law or, where the IC’s decision involved exercising discretion, he should have exercised it differently. If we are satisfied that the IC’s decision notice is in error of law or involves an inappropriate exercise of discretion then we will allow the appeal and may substitute a decision notice for that of the IC. The Tribunal may receive evidence that was not before the IC and may make different findings of fact from the IC. Issues

25. The key issue before the Tribunal is whether the IC’s Decision that HMRC was entitled to rely on section 44(1) (a) FOIA was made in accordance with the law.

26. It was common ground that the requested information, if held, would be held by the HMRC in connection with the public authority’s function relating to the general management and collection of tax and thus prohibited from disclosure under section 18(1) CRCA by virtue of being held in connection with a function of the HMRC.

27. The outstanding issue was therefore whether the IC was correct to conclude that section 23(1) CRCA applied. This required consideration of whether disclosure would specify the identity of the person to whom the information relates or would enable the identity of such a person to be deduced. It also requires consideration of the factual issue raised by Mr Demming, which is whether the anonymisation sought would mean that neither condition in section 23(1) was met and it does not apply

28. If section 23(1) does apply, the disclosure of the requested information would be prohibited by an enactment, meaning that section 44(1) (a) of FOIA is engaged. Evidence

29. The Tribunal considered an OPEN bundle of documents (198 pages). The Tribunal had the benefit of a skeleton argument and supplemental skeleton argument from Mr Demming and a skeleton argument from HMRC.

30. The Tribunal also read a witness statement and heard evidence from Ross Sutherland, Head of Information Rights at HMRC.

31. In his oral evidence, Mr Sutherland made the following additional points: a. The IC’s Anonymisation Code is specific to the Data Protection Act and does not apply to taxpayer confidentiality. It is guidance for data releases, not a step-by-step guide to dealing with FOIA requests. b. Mr Demming’s request appears to have moved on since originally made. The original request made no reference to banding and did not request K anonymity. Instead he requested redaction of certain fields. c. Section 1 FOIA means that requests for information are for recorded information held, but the holder is not required to process, reformat, restructure or materially alter the information it holds as part of its obligations under FOIA. d. There remains a risk of indirect identifiers such as information currently in the public domain and an inherent risk in disclosing large volumes of customer data. HMRC provides controls including anonymisation through its release of official statistics.

1. The request was refused under an absolute exemption and could not be reframed in a way that could be provided. This was explained clearly to Mr Demming at the outset. Therefore, HMRC had met its duty to provide advice and assistance, so far as it was reasonable to do so. e. The question of identification does not only apply identification from the data itself, but also from information currently in the public domain. On questions from the panel, Mr Sutherland explained that there may be rare combinations of identifiers such as which tax reliefs are being claimed and in certain industries where there are smaller numbers of companies then information such as geographical location and turnover within bands may be sufficient to identify when taken together with the unique identifiers. The Appellant’s additional submissions

32. Mr Demming, in his skeleton arguments and in the hearing, made the following points. The Tribunal was grateful to him for the clear way in which he explained his position. a. He is not seeking an aggregated or summary statistic, but an anonymised micro data set where each row corresponds with an original CT600 return. The proposed anonymisation he now proposes applies K15 anonymity so that data such as turnover, number of employees and region can be banded together, as shown in the worked example at Appendix D2 of his supplementary skeleton argument. This would mean there are at least 15 identical rows from which it is impossible to identify any of the original returns or say which row corresponds to a particular return. A sequential number would be added at the end of the anonymisation process to facilitate communication with HMRC about any missing data. b. He analysed the CT600 form and said that it had 211 fields of which 104 are monetary values and 22 are direct identifiers, leaving only 78 fields which need to be considered as part of anonymisation. c. Properly anonymised CT600 data does not “relate to a person” within the meaning of CRCA section 23 . Therefore, disclosure is not prohibited by law and section 44 FOIA does not apply. d. Recital 26 of GDPR is persuasive authority that information becomes non-personal when a person is “not or no longer identifiable”. Once data is anonymised such that no identity can be deduced, statutory prohibitions no longer apply. e. CRCA section 23(2) contains examples such as obtained by or derived from taxpayer returns, but these are subordinate to and do not override section 23(1) . They cannot expand the prohibition beyond information that relates to a person. The statutory question is not whether the dataset originated from taxpayer returns but whether, after anonymisation, it still “relates to a person”. Parliament did not prohibit all “derived” data, but only data which remains identifying. If anonymisation removes identifiability the information is no longer about that person and therefore does not fall within section 23 CRCA. f. The requirement that identity can be deduced under CRCA section 23 is stricter than the “motivated intruder” analysis; speculative hypothetical or AI-based scenarios do not meet the statutory threshold. g. The Appellant’s anonymisation framework ensures no individual taxpayer is identifiable. HMRC has the capacity to apply standard anonymisation techniques. h. The evidence of Mr Sutherland does not demonstrate that identity can be deduced. It contains assertions but no analysis, exhibits, modelling or risk assessment and relies on broad unsupported statements about AI. i. HMRC did not engage with Mr Demming under its obligation in section 16 of FOIA, giving assistance and/or advice about how the request could be narrowed; its questions about what the proposed anonymisation would look like have all come in the course of proceedings. j. Burden and utility have no part to play in the application of section 23 CRCA. k. Anonymisation is straightforward using existing available software. The Second Respondent’s additional submissions

33. The Second Respondent in its skeleton argument and at the hearing made the following points: a. The qualifying words “ relating to a person” apply to the function in relation to which the information is held, rather than to the information itself. See Gordon v IC & HMRC [2020] UKUT 92 (AAC) at paragraph 11-14. b. The UT case of Gordon v IC & HMRC [2025] UKUT 159(AAC) and in particular paragraphs 76-98 of that decision, provides an authoritative analysis of section 18 and section 23 CRCA. c. The case of O’Shea means that self-identification is sufficient to bring identification within section 23(1) (a). d. The request has evolved over the life of the proceedings. e. The obligation under section 1 of FOIA does not apply to requests to make new datasets. f. The transformations proposed by the Appellant are not sufficient to address the risks of either (i) self-identification or (ii) identification by others. The prospect of identification is self-evident from the nature of the data. Mr Hanstock noted that when HMRC releases information using SDC, information is never released at micro customer level because of the possibility of identification. g. Mr Sutherland’s evidence explains the risks and that the prospect of triangulation, mosaic identification or self-identification within the dataset cannot be excluded. It also explains the considerable lengths to which HMRC must go before making official statistical releases. Eliminating the risk of identification in response to this request would require anonymisation to the point of the data having no meaning beyond that which is already publicly available through official statistical releases. h. The radically transformed dataset imagined by the Appellant is not one that is held by HMRC, save to the extent that it is already made available through official statistical release and would take very extensive time to produce. The resultant dataset would either be meaningless, already available or enable the deduction of the identity of at least one taxpayer. Discussion and conclusions

34. It was common ground between the parties that the requested information, if held, would be held by the HMRC in connection with the public authority’s function relating to the general management and collection of tax and thus prohibited from disclosure under section 18(1) CRCA by virtue of being held in connection with a function of the HMRC.

35. We therefore need to consider whether section 23(1) CRCA applies and operates so that the information sought is exempt for the purposes of section 44(1) .

36. We accepted the argument raised by HMRC that the qualifying words “ relating to a person” apply to the function in relation to which the information is held, rather than to the information itself, relying on the 2020 UT case of Gordon .

37. In relation to whether disclosure would specify the identity of the person to whom the information relates so as to bring it within section 23(1) (a), HMRC’s position was that the information in the form in which it is held by HMRC would be caught by section 23(1) (a) on identification and information in the form sought by Mr Demming would be caught by section 23(1) (b) on deduction.

38. We were persuaded by HMRC’s argument that the case of O’Shea means that identification in these circumstances can include self-identification. Although O’Shea is a decision of a First-tier Tribunal and thus not binding on us, we consider that it is persuasive. In light of this authority, we preferred HMRC’s formulation to Mr Demming’s argument that self-identification could not be included. Mr Demming did not point to any authority which contradicted this position.

39. We also considered that a key distinction which emerged from the evidence of Mr Sutherland, who we found to be an impressive and cogent witness, was between identification and/ or deduction which could occur on the basis of the data disclosed alone and/or that which could occur from the data held when taken in combination with data already in the public domain. We were persuaded by Mr Sutherland’s evidence that the anonymisation process suggested by Mr Demming did not and could not take account of the latter category of information, so even if it was possible to anonymise the data itself in isolation, the risk of identification by mosaic from other available information would remain.

40. Similarly, we were persuaded that redaction of unique identifiers from the list of tax returns sought would not be sufficient to exclude the risk of either self-identification or deduction; both risks are unavoidable because the request seeks information about individual tax returns. An individual taxpayer could recognise features of their own corporation tax return and identify it as their own even if the information was provided in the form requested, for example because of rare combinations of identifiers. We therefore find as a question of fact that the anonymisation proposed by Mr Demming would not be sufficient to exclude identification or deduction of the identity of individual corporation taxpayers.

41. Having concluded that disclosure of the data requested (a) would specify the identity of the person to whom the information relates and/or (b) would enable the identity of such a person to be deduced, we therefore conclude that section 23(1) of CRCA is engaged. This means that the information sought is exempt information under section 44(1) of FOIA and should not therefore be disclosed because its disclosure is prohibited by another enactment, namely the CRCA.

42. We note that the request as originally made by Mr Demming is different from what he now seeks, but that we are concerned with the original request because this is the one dealt with in the IC’s decision which is currently under appeal. The request was for redacted data, and we agree with HMRC that the obligation under section 1 of FOIA does not require the transformation or processing of data into a particular format.

43. We were not persuaded that HMRC had failed to engage with Mr Demming in relation to its obligations under section 16 of FOIA, as it had clearly identified in its initial response to the request the reason why the request could not be narrowed further, namely because of the application of section 23(1) . We also note that it signposted Mr Demming to statistics which are already published and HMRC’s Information Disclosure Guidance.

44. For these reasons we dismiss the appeal. Signed : Judge Harris Date: 15 January 2026

Full judgment