“We are aware of the publication of CCTV images of Jeremy Corbyn and are making enquiries”. So said the ICO’s spokesperson at the height of the recent empty seats on Virgin Trains row.
In this blog I explore two questions:
- Is there a procedure that could allow Virgin to publish the CCTV footage of Mr Corbyn?
- Did the publication of the actual footage breach the Data Protection Principles?
The facts surrounding the released footage are still contested. Mr Corbyn claims that when he boarded the train in London he was unable to find two unreserved seats; his spokespersons have suggested that the published CCTV footage did not relate to that time. Virgin, by contrast, state that the CCTV footage relates to the time the train left London.
I don’t want to get into a dispute about such facts. The purpose of this blog is to bring out the data protection elements that illustrate how a data controller could deal with a data subject who attracts press headlines with a story, concerning his own personal data, that is simply wrong.
Consequently, I am assuming the CCTV footage is accurate and Mr. Corbyn’s version of events is at variance with the facts, and I am using this dichotomy to explore the issues.
Use data subject consent
There are ways for Virgin to counter Mr Corbyn’s comments in a much more “privacy friendly” way (believe it or not).
For example, Virgin could have limited its disclosure to still photographs of all the empty seats (where any individual captured in these images is pixelated) and told the press/public that it cannot understand why Mr Corbyn was unable to find the empty seats on the train. Note that this does not publish any personal data about Mr Corbyn.
However, one can develop this approach. For instance, any press release accompanying the empty seats photos could go something like:
“Virgin Trains values the privacy of its customers very much, so we are naturally restricted on what we can say in public about a specific incident involving a passenger.
However, as you can see from the still photos there are many empty seats on the train which carried Mr Corbyn and we are puzzled how these seats were not found by Mr Corbyn. Indeed, we have 4 minutes of CCTV footage which directly contradicts Mr Corbyn’s version of events.
As we are staunch supporters of the aims and objectives of the Data Protection Act, we have asked Mr. Corbyn whether he will consent to the release of our footage. To ensure consent is fully informed, we have provided Mr Corbyn and his staff with copies of the footage on a confidential basis”.
Now at any press conference, if not before, Mr Corbyn will be asked whether he will consent to the disclosure of the CCTV footage. If he provides consent, Virgin is home and dry with its disclosure to the public.
If Mr Corbyn does not provide consent, it does not look good for a leading politician to present one side of an argument and be seen to be resisting the publication of evidence for an alternative view of events.
I would also ensure that several copies of the CCTV footage would be circulated to Mr Corbyn’s staff. This would ensure that Mr Corbyn received the consent request message as soon as possible.
Of course, if Mr Corbyn were to refuse consent, then he runs the risk that, by some divine process of osmosis, the CCTV footage could be leaked to the Press (or placed on Twitter). If this happened (perish the thought) the number of copies in circulation would make it rather difficult to trace who leaked it.
In general, if a data subject’s story depends on using his/her personal data to describe incorrect facts, the controller can always ask the data subject whether the controller can use his/her personal data to explain their version of events.
If the data subject refuses, then the controller says: “The data subject has refused permission for us to tell our side of the story”. This sounds (and is) far better than the more usual public comment: “it is not our policy to comment on individual cases”.
Note that the opposite can apply. If I were the individual involved with a grievance with a public body that was wholly justified, I would consider giving that public body my consent to discuss my case in public and let journalists know that consent had been given.
So any refusal of that public body to comment on the case could not be attributed to a privacy reason. It also allows journalists to ask: “why can’t you comment when you have data subject consent?”
Is Virgin in breach of the Data Protection Act?
In summary: probably not if the CCTV footage is correct. This is because of the unique circumstances of the case: Mr Corbyn is a leading politician who made public statements involving himself (e.g. “I could not find a seat”, etc.) that appear to be at variance with the CCTV footage that relates to him.
So let’s do the data protection analysis starting with the fact that Virgin needs to justify the publication of Mr Corbyn’s personal data. A Schedule 2 condition is needed to release Mr Corbyn’s personal data to the public on Twitter; clearly this has to be paragraph 6 which states the following:
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject” (my emphasis).
So is there a “legitimate interest” of the data controller (Virgin) in correcting the record? Is there also a “legitimate interest” in the disclosure of personal data to third parties (e.g. the public) in order that these third parties should know the truth?
Well, given Mr Corbyn’s status and the nature of his public comments I think the answer is “yes” to both. Note that Virgin only needs one of these options because of that “or” (see paragraph 6 quote above) and the disclosure to third parties appears to be the easier one to justify.
Is it then “necessary” to publish the images on Twitter to achieve that objective? Arguably “yes”, because Mr Corbyn’s comments were about himself and received wide public exposure so it was appropriate to correct Mr Corbyn’s account directly with the public on Twitter by publishing the personal data.
Any vulnerability relates to the argument that disclosure was not necessary as Virgin could have followed the procedure described in the first part of the blog (e.g. limit the public disclosure to pictures of empty seats which is not personal data of Mr Corbyn etc).
Is there “prejudice” to a “legitimate” interest of the data subject to protect? Not if Mr Corbyn made factually inaccurate statements. I do not think a leading politician can have a reasonable expectation of privacy if he makes inaccurate public comments about himself in the context of a service which he is dissatisfied with.
Is the processing fair under the First Principle? Answer “yes” for the same reason identified in the paragraph above as Mr Corbyn should have anticipated a response from the data controller. In addition, according to the press (see references), Virgin’s privacy policy says it will use CCTV footage for the following purposes:
- prevent, deter and detect crime, and apprehend and prosecute offenders, and provide evidence to take civil action in the courts
- help provide a safer environment for our staff and protect public safety
- help to provide improved customer service, for example by enabling staff to see customers requiring assistance
- monitor operational and safety related incidents, and
- assist with the verification of claims (my emphasis).
I think processing of personal data in order to “assist with the verification of claims” is precisely what happened.
There is no breach of the Second Principle as the purpose of obtaining has been specified in a fair processing notice to the data subject (see above). I also suspect these purposes have been specified in Virgin’s notification to the Commissioner. For instance, Notification Z9466586 for “(Virgin) West Coast Trains Limited” states “We also process personal information for the purpose …of the verification of claims, including using CCTV systems to monitor and collect visual images … for these purposes”.
That is why I suspect the incident will quietly go away when the ICO’s investigation is completed.
References
Privacy Policy quoted in the Press: https://uk.news.yahoo.com/virgin-could-broken-law-publishing-111720732.html