The public release of CCTV videos and images by Virgin Trains of Jeremy Corbyn and, initially, of its other customers’ faces, poses important questions about the use of the technology by organisations and the responsibilities that they owe to the public.

To recap, in order to publicly defend itself against an allegation made by the Labour leader that the service he was travelling on was “ram packed”, resulting in him having to sit on the floor, the train company publicly released video footage and time stamped images to show that there were, allegedly, empty seats available at the time.

One of the images depicted the faces of other passengers, although this was later withdrawn and replaced with a blurred version. Mr Corbyn was identified in all of the images, face un-blurred.

One might think that Virgin Trains, feeling unfairly accused, should be entitled to defend itself; the question is at what cost and could it have done so in a more proportionate manner?

The Information Commissioner’s Office (‘the ICO’), the office responsible for the enforcement of the Data Protection Act 1998 (‘the DPA’), is looking into the incident and has stated: “all organisations have an obligation to comply with the DPA and must have legitimate grounds for processing the personal data they hold.”

So what does the DPA, the law designed to control how personal information is used by organisations, businesses or the government, say?

Well, among the data protection principles enshrined in the DPA are obligations on organisations to make sure that information is used fairly and lawfully, for limited specifically stated purposes, used in a way that is adequate, relevant and not excessive and handled according to people’s data protection rights.

Further, The ICO has published a code of practice under the DPA covering the use of CCTV and it states that:

“Disclosure of information from surveillance systems must be controlled and consistent with the purpose(s) for which the system was established. 

For example, it can be appropriate to disclose surveillance information to a law enforcement agency when the purpose of the system is to prevent and detect crime, but it would not be appropriate to place them on the internet in most situations. It may also not be appropriate to disclose information about identifiable individuals to the media.” 

When it released the initial unblurred image Virgin Trains disclosed to the public that identifiable Virgin Trains customers were travelling on a specific route at a specific time. This information was published presumably without their consent or prior notification and communicates a myriad of truths about their personal lives to the world at large. 

In its haste to defend itself, Virgin Trains appears to have neglected to consider its customers’ right to privacy. It ought to have taken advice before, rather than after, publishing as would appear to be the case.

Further, it appears that Virgin Trains was in breach of its own policies in publishing the information which, according to The Guardian, are limited to where it is “necessary to seek assistance from the public in connection with a criminal investigation” or where it might improve the “safety of the railway or prevent railway accidents of incidents”.

Surely, Virgin Trains cannot argue that Mr Corbyn’s claims in relation to its train service met the above criteria.

Interestingly, Mr Corbyn’s face was never blurred; it can certainly be argued that he waived any reasonable expectation of privacy, having instigated the stunt.

However, this does not undo the apparent breach by Virgin Trains of the DPA in addition to its own policies by using the footage for a purpose it was not intended. The classier approach by Virgin Trains may have been to publish details of the train’s capacity on that trip, or even to invite Mr Corbyn to be interviewed about his journey.

This incident has highlighted the need for some important retraining on the data protection principles for organisations.

Julia Wookey is a solicitor at Howard Kennedy.