As the “#traingate” juggernaut gathered pace along the tracks of political intrigue, some may have missed the ICO’s announcement that it is investigating Virgin Trains’ decision to release CCTV footage of the Labour leader Jeremy Corbyn walking through carriages on the 11am from London to Newcastle. The investigation seems to have been prompted by a complaint from Mr Corbyn’s camp.
By way of reminder, the row centres on a film released a couple of weeks ago which showed Mr Corbyn sitting on the floor of the train between carriages and saying that the train was “completely ram-packed” and that he was experiencing a problem “many passengers face every day“. On Tuesday last week, Virgin Trains responded by releasing CCTV footage of him walking past free seats before the time the film was shot and then sitting down shortly afterwards (other passengers’ faces were deliberately obscured). Even Virgin Group founder Richard Branson could not resist joining the fray on Twitter (presumably also seated, on his sunbed on Necker Island). Meanwhile, Mr Corbyn explained that, while a handful of seats were available, he had not been able to sit with his wife initially and was only able to sit down later after a family had been upgraded to first class.
As the political fallout rumbles on, the ICO’s announcement is likely to be something of a sideshow. However, it has led to an unusual spike in Twitter-sharing of the ICO’s published guidance on CCTV usage [pdf]. Moreover, it gives rise to interesting questions on the legalities of releasing the footage to the public.
First, a whistle stop tour of the relevant aspects of data protection law. First, it is important to note that the guidance being shared online is just that. It is not in itself statutory, nor does it render Virgin’s actions inherently unlawful.
Under the Data Protection Act 1998 (“DPA”), Virgin Trains is classified as a “data controller” as a result of it dictating the manner in which on-board images of passengers – their “personal data” within the Act’s definition, if they can be identified – are recorded and stored through CCTV cameras. The recording, storage and the eventual sharing and publication of the CCTV footage all constitute “processing” of the personal data for the purposes of the DPA.
As a data controller, Virgin Trains is required to comply with the data protection principles set out in Schedule 1 of the DPA. While all principles are to be followed, the two most pertinent ones in the #traingate case are the first and second principles. Taking the first principle, the requirement of fair and lawful processing of personal data, Virgin Trains would need in particular to show that at least one of the conditions in Schedule 2 is met. The safest condition to meet is that the data subject (i.e. Mr Corbyn) had given consent to the processing.
There is more traction, however, in the sixth condition in Schedule 2. Virgin Trains’ argument would be that the publication of the footage was necessary for the purposes of legitimate interests pursued by it as the data controller. However, this must be balanced against the requirement that the publication must not be unwarranted “by reason of prejudice to the rights and freedoms or legitimate interests” of Mr Corbyn.
In this case, Mr Corbyn’s rights in the information in the footage remaining private must be balanced against Virgin Trains’ interests. Those interests would centre on the idea that (according to Virgin) Mr Corbyn’s claims regarding the overcrowding on the train needed to be corrected and that the release of the footage showing empty seats was a necessary way of doing this. This line of argument is a potentially persuasive one. Any balancing exercise is unlikely to award too much weight to Mr Corbyn’s privacy rights as the data subject given that (a) the content of the footage is relatively anodyne and would not be classified as intrusive and (b) Mr Corbyn had already released footage of himself on the train to the Guardian newspaper. This latter point also goes to the necessity of publishing the footage as opposed to simply issuing a statement, since Virgin Trains would argue that only the footage itself could refute the claims made and restore its reputation. In short: having put the story and pictures of himself out there voluntarily, it is difficult to see how any prejudice caused to Mr Corbyn by Virgin’s counter-attack could be said to be “unwarranted“.
Moving onto the second data protection principle – “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes” – Virgin Trains would also need to show that the release of the CCTV footage was consistent with the purposes for which it had been recorded. This is more problematic and ties in with the code of practice issued by the Information Commissioner’s Office on the issue of surveillance cameras, which is the document widely shared online.
The code states that “disclosure of information from surveillance systems must be controlled and consistent with the purpose(s) for which the system was established“. It goes on to give the example of disclosing information to law enforcement agencies to prevent and detect crime but also states that “it would not be appropriate to place [the information] on the internet in most situations“. The guidance underlines the point that in many cases the overriding purpose of CCTV is to prevent and detect criminal or other improper activity, not publish material on the internet and to media organisations for reputation management (and/or, for the cynical amongst us, political and commercial) purposes.
Virgin’s argument here is likely to be that the purpose of CCTV recordings is much broader and covers the entire smooth running of its services, including monitoring of passenger behaviour and passenger numbers. In most cases this would not justify subsequently sharing online, of course, but Virgin might argue that correcting the (as they see it) false and misleading claims made by Mr Corbyn in the film he released was not fundamentally incompatible with those purposes. This argument has merit, and is made even stronger because of Mr Corbyn’s own decision to release footage of himself, which (as noted above) ostensibly reduces the level of intrusion caused by the publication.
A Virgin journalist?
Finally, an innovative argument could be made that the release of the footage does not even need to be compliant with the data protection principles. Data that is processed only for journalistic purposes is exempt from the principles if the processing is undertaken with a view “to the publication by any person of any journalistic…material“, and the data controller reasonably believes (a) that the publication is in the public interest and (b) that to comply with the Act would be incompatible with the journalistic purpose. This is why, for example, The Guardian has been able to re-share the footage and stills without fear of reprisal.
The journalistic exemption is notoriously fuzzy and it has been established that it does not only apply to media companies. The meaning of journalism has also been interpreted fairly liberally, encompassing not just traditional media stories, but the general making available of information to the public for consumption by, for instance, citizen bloggers. So could Virgin really claim it was acting in the name of public interest journalism? This is not an argument that can be written off straight away, even if it does appear a stretch to suggest that Virgin Trains’ release of the information was only for journalistic purposes. However, it is not likely to be viewed sympathetically by the ICO, which typically favours the humble citizen (“data subject”) against perceived abuses by data-controller organisations. It tends to be in the Courts that data controllers enjoy greater protection, with judges willing to adopt more pragmatic interpretations of the DPA. However, there is no suggestion that Mr Corbyn will actually be suing.
In its guidance on surveillance, the ICO says it may take enforcement action in “severe cases“. This does not appear to be such a case. However, the ICO is certainly not averse to taking exemplary enforcement against high-profile scalps, particularly in response to media reports. If the ICO decides the sharing was not justified, the sheer extent of the publication – effectively to the entire world – might raise the severity to an enforcement level.
On balance, the view here is that the ICO would be legally justified in not taking any action against Virgin Trains, either on the basis that it has not in fact been non-compliant with the DPA or that the nature of the unfair processing was minor on balance. This is especially the case given the public interest in the issue of rail overcrowding and the fact Mr Corbyn released his own film first. That being said, a more effective and DPA-compliant approach could have been adopted by Virgin Trains. This would have involved a statement refuting Mr Corbyn’s claims together with a request for his consent to publish the footage. Politically, it is hard to see how Mr Corbyn could have sensibly have turned down such a request, given the backlash this would have incurred – and Virgin might have saved itself an investigation. On the other hand, Virgin might have taken a calculated risk that the PR victory was worth every penny of any fine the ICO might throw at it.
This post was originally published on the Farrer & Co website and is reproduced with permission and thanks.