Are Virgin trains on track for a data protection breach?
- AuthorChristopher Buck
After Jeremy Corbyn complained of overcrowding on Virgin trains, CCTV footage was released by the railway company showing Corbyn walking past empty seats before seating himself on the floor. It is believed that the intention was to disprove Corbyn’s claims of a “ram-packed” train. However, there is now an investigation being undertaken by the Information Commissioner as to whether there has been a breach of data protection in releasing the CCTV footage.
Possible breach of Data Protection Act (DPA)
Inquiries are being made as to whether Virgin broke the rules of the Data Protection Act in releasing both videos and stills from the 3 hour journey from London to Newcastle. The stills and videos both showed Corbyn and at first one showed the un-blurred faces of other passengers. This image was later removed and images and videos which had blurred out the other passengers’ faces were uploaded instead. At no point was Corbyn’s face blurred out.
Corbyn appears to have been trying to make the point that trains are overcrowded. He attempted to execute this by being shown to have to sit on the floor of the carriage as a result of the busy train. Virgin has, in releasing images to the contrary, attempted to disprove Corbyn’s claims. Instead, they may find they have opened themselves up to an allegation of breach of data protection.
How may Virgin have breached the DPA?
Corbyn, as a passenger of the train, was technically a data subject and, as such, was protected by the laws on data protection.
The Information Commissioner’s Office (“ICO”) have confirmed that they “are aware of the publication of CCTV images of Jeremy Corbyn and are making inquiries. All organisations have an obligation to comply with the Data Protection Act (“DPA”) and must have legitimate grounds for processing the personal data they hold.”
Where the ICO’s code of practice deals with data protection, it is detailed that the disclosure of footage must be “consistent with the purpose(s) for which the system was established”. The code continues and goes on to say that “it would not be appropriate to place them (surveillance images) on the internet in most situations. It may also not be appropriate to disclose information about identifiable individuals to the media.”
Previous serious DPA breaches have been subject to fines of as much as £500,000. In order to avoid being found guilty of breaching the DPA you must show you have legitimate grounds for publishing images.
There also appears to be the distinct possibility that Virgin has breached its own policy which states CCTV footage will only be used to:
- “prevent, deter and detect crime;
- apprehend and prosecute offenders, and provide evidence to take civil action in the courts;
- help provide a safer environment for our staff;
- protect public safety;
- help to provide improved customer service, for example by enabling staff to see customers requiring assistance;
- monitor operational and safety related incidents; and
- assist with the verification of claims.”
Virgin have reportedly confirmed they are aware of their obligations.
If you have any queries in relation to data protection or require advice on the same, please do not hesitate to contact our experienced Intellectual Property department who would be delighted to assist. You can email me directly on firstname.lastname@example.org or call one of our team on 01908 660 966.