Virgin Trains versus Jeremy Corbyn: who would prevail in an ICO investigation?

I have been asked by IFSEC Global to comment on Virgin Trains releasing images of Jeremy Corbyn taken from the train’s CCTV system.

There have been a number of comments in the media on the lawfulness of the release of images which in my view are not correct. There have been repeated references to the ICO’s published guidance on CCTV usage.

I suggest that the Data Protection Act 1998 (DPA) is one of the most complex pieces of legislation the security industry has ever faced. As security, no matter how you package it, is an intrusion into a person’s privacy, it is important that those responsible for its implementation should have more than a passing acquaintanceship with it.

It is a danger for practitioners to base their knowledge of this complex legislation – which to a large extent prescribes how they should do their jobs – solely on numerous guidance documents and advice from those whose only knowledge of the legislation has been gleaned from the ICO’s online guidance. It is just guidance and does not carry any legislative weight.

It would seem obvious that Jeremy did not give his specific consent but I can imagine that many lawyers would relish the chance of arguing that, through his behaviour, he did consent

What appears to be not in dispute is that Virgin Trains is the data controller because it has determined “the manner and the purpose” of the processing of the CCTV images on its trains. A data controller is required to comply with the DPA.

It has decided to release images of Jeremy to the press, with the images of other passengers pixelated out, in response to the release of images to the newspapers by Jeremy or his colleague(s) to support the allegation that there were no seats on the train.

The first principle states that personal data will be processed fairly and lawfully. In order to achieve that Virgin have to satisfy one of the conditions in Schedule 2 DPA. There are six of these, but only one needs to be satisfied.

Consent is a popular one, but I have always recommended that data controllers should try to satisfy another one. Consent is fraught with difficulty – if you want to know why then email me at: chris@bandgassociates.com

Did Jeremy give his consent? I don’t know, but I am informed that Virgin’s privacy policy clearly states that images will be collected on board trains and at stations controlled by Virgin.

It further states that they will not “share or distribute any of the information you provide to us to unaffiliated third parties without receiving your consent”. Consent for this purpose has to be informed and specific.

It would seem obvious that Jeremy did not give his specific consent but I can imagine that many lawyers would relish the chance of arguing that, through his behaviour, he did consent. I wouldn’t mind having a go at that.

Whilst that discussion lumbers on, let us look to satisfy another condition. Remember they only need to satisfy one.

The sixth condition of schedule 2 addresses the use of personal data for the legitimate interests of the data controller as long as it does not prejudice the rights and freedoms or legitimate interests of the data subject.

Virgin have a legitimate interest in protecting its ‘brand’.

James Wickes of CloudView makes the point admirably in a comment beneath a story on the topic. He clearly demonstrates that the brand is under threat.

Jeremy made the issue public and Virgin has defended its rights. This is a balancing act and I suggest that the information tribunal/court would find in favour of Virgin.

I cannot see under the circumstances how Jeremy would win the argument that the publication of his images by Virgin prejudiced his rights.

CCTV is commonly used for crime prevention and detection purposes, but I know from my limited experience that it is also used for health and safety and measuring footfall

The second principle is likely to be a bigger stumbling block:

“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

Virgin Trains needs to demonstrate that the release of the images of Jeremy is in line with the purposes for which they have been captured. The guidance referenced above advises: “disclosure of information from surveillance systems must be controlled and consistent with the purpose(s) for which the system was established.”

CCTV is commonly used for crime prevention and detection purposes, but I know from my limited experience that it is also used for health and safety and measuring footfall. I am sure that many readers could come up with numerous other examples.

If Virgin could successfully argue that the purpose of their CCTV is much broader than crime prevention and detection and that they were protecting their brand, then given that Jeremy Corbyn began the release into the public domain of his images, the intrusion into his privacy, I suggest, is greatly diminished.

Worst-case scenario

As an aside, if the above arguments turn out to have no basis, what is the worst-case scenario?

Jeremy has reported the matter to the Information Commissioner’s Office (ICO). The ICO investigates and considers that Virgin breached the DPA.

Virgin accepts that they have. The ICO advises them not to do it again. They may even serve a notice on them.

Unless Jeremy can demonstrate that he has suffered a ‘TORT’ ( a civil wrong ), what else can happen? Under the reported circumstances would the Virgin brand take a hit because the ICO slapped them on the wrists?

Balance that against the fact that Virgin did a great job in defending itself (and again, see James Wickes’ posting at the foot of this article), I suggest that Virgin would win by a knockout.