Did Virgin Trains breach data protection laws by releasing CCTV footage of Jeremy Corbyn?

Virgin Trains has “clearly breached the Data Protection Act” by releasing CCTV footage featuring Jeremy Corbyn into the public domain, a CCTV control room manager has told IFSEC Global.

Richard Branson, founder of the rail operator, landed himself in trouble with the Information Commissioner this week after tweeting out the footage, which was captured on one of his trains, and identifying the Labour leader in order to rebut his accusations that the train was “ram-packed”.

A spokesperson for the Information Commissioner’s office (ICO) said: “We are aware of the publication of CCTV images of Jeremy Corbyn and are making enquiries. All organisations have an obligation to comply with the Data Protection Act and must have legitimate grounds for processing the personal data they hold.

“Where there’s a suggestion that this hasn’t happened, the ICO has the power to investigate and can take enforcement action if necessary.”

(Prompted by the ‘Traingate’ row, Brian Pender, chairman of the Security Institute CCTV Special Interest Group, sought to answer the question ‘when is it appropriate to disclose CCTV images to a third party?‘ for IFSEC Global.)

A CCTV control room manager, who wishes to remain anonymous, told IFSEC Global: “Corbyn can be clearly identified from the footage and even if they had pixelated his face, because they have stated who it was and what he does, we know it’s him and therefore that would make no difference. Virgin Trains, in my opinion, have clearly breached the Data Protection Act.”

This could be a case of companies not engaging with their security teams to fully understand the ramifications of CCTV release.  The ICO guidelines are clear and security functions should help shape company policies to make clear how CCTV data is treated.” Letitia Emeana, corporate security professional and member, Women’s Security Society physical security board

Virgin Trains declined to respond to requests from The Independent for comment. A spokesperson did point out that it had pixelated passengers’ faces, although it did initially release a time-stamped image with some faces visible. It later withdrew the image and released a new version with faces blurred. The Labour leader’s face was never blurred in any of the images or footage.

“ICO guidelines are clear”

Letitia Emeana, a member of the Women’s Security Society physical security board, told IFSEC Global: “My personal view of this is that this could be a case of companies and some departments not engaging with their security teams to fully understand the ramifications of CCTV release.  The ICO guidelines are clear and security functions should help shape company policies to also make clear how the CCTV data or information should be treated.”

Continues Emeana, who has held several senior corporate security positions: “If the ICO info is understood and the inclusion of the security function is that of a stakeholder in the release of data, it reduces the likelihood of mishandling and dealing with evidence to refute minor media wranglings that could be dealt with within the confines of data protection.”

Guidance on CCTV and data protection published by the ICO in 2015 seems to suggest that Virgin Trains has at the very least a case to answer:  “It can be appropriate to disclose surveillance information to a law enforcement agency when the purpose of the system is to prevent and detect crime,” says the guidance. “But it would not be appropriate to place them on the internet in most situations. It may also not be appropriate to disclose information about identifiable individuals to the media.”

Even more damningly for the company, the guidance also says that release to the public “should not generally be done by anyone other than a law enforcement agency”.

The CCTV control room manager quoted earlier, who works in public transport, outlined the processes in his own organisation to shed some light on the issue.

“We process personal information to enable us to provide a transport service to our customers, maintain our accounts and records, promote our services and manage and support our staff. We also process personal information for the purpose of safety and security, the prevention and detection of crime and prosecution of offenders, and the verification of claims, including using CCTV systems to monitor and collect visual images for these purposes.”

“Verification of  claims”

Asked whether he thought there had been a contravention of data protection laws by Virgin Trains, he said: “Well firstly we need to look at what they have registered with the ICO.”

“It can be clearly seen from this statement that CCTV can be used for the verification of claims. It does not state insurance claims and therefore could be used for the purposes of verifying complaints/claims made by passengers as to the service they have received from Virgin.

“Then we need to also look at what it can be disclosed for. We sometimes need to share the personal information we process with the individual themselves and also with other organisations.

“Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons.

“Where necessary or required,” he says his organisation shares information with:

• family, associates and representatives of the person whose personal information we are processing
• current, past or prospective employers
• suppliers and service providers
• insurance companies
• business associates and professional advisers
• financial organisations
• persons making an enquiry or complaint
• educators and examining bodies
• employment and recruitment agencies
• credit reference agencies
• debt collection and tracing agencies
• central government
• police forces and security organisations
• group companies

“Nowhere does it state within this that they can release images to the media without permission of the person captured on those images.  Therefore they had every right to view the footage and use it for the purpose of verifying the claim, but should not have released the image to the press without permission.”

Asked if there had also been a contravention of the CCTV Code of Practice he added: “There is no need to even look at the CCTV Codes of Practice and this would only quote the DPA as a reference anyway.”

In a section about CCTV footage Virgin Trains’ privacy policy states: “In certain circumstances we may need to disclose CCTV images for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to the Data Protection Act.”