Showcasing the Best of Welsh Business

Virgin Trains Found Not to have Breached Data Protection Laws


This article has been submitted by Greenaway Scott

The Information Commissioner’s Office (ICO) has ruled that Virgin Trains did not breach data protection laws when they published images of Mr Jeremy Corbyn on one of their trains.

The issue arose last year when Mr Corbyn posted a video of himself on a Virgin train stating that he was unable to find a seat. The video contained footage of Mr Corbyn sitting on the floor due to the stated overcrowding. Virgin Trains however responded by releasing CCTV footage which showed that there were a number of empty seats on the train, which Mr Corbyn had walked past before sitting on the floor.

The question of whether Virgin Trains had breached data protection laws arose due to Virgin Train’s requirement to comply with the Data Protection Act (DPA) in respect of Mr Corbyn’s personal data. The data and images released were personal data as defined within the DPA, and personal data must be processed only in accordance with the principles set out in the DPA. An organisation must have legitimate grounds for processing the personal data they hold and the ICO have powers to investigate and take enforcement action if there is a suggestion that personal data has not been processed in accordance with the principles set out in the DPA.

The ICO accepted that Virgin Trains had a legitimate interest in releasing the images as it was correcting misleading news reports that were potentially damaging to its reputation and commercial interests. The ICO also noted that Mr Corbyn should have different expectations as to his privacy as he did in fact release the first video and he could expect Virgin Trains to respond in kind. Virgin Trains however did breach the DPA by showing the faces of some of the other passengers on the train. The ICO did not proceed with enforcement action, however they recommended Virgin Trains strengthen its data protection training for everyone.

Data protection is going to be extremely important for businesses to consider over the coming months with the introduction of the EU General Data Protection Regulation, which will have effect from 25 May 2018. It is therefore important that all businesses are reviewing and implementing data protection training for its staff as soon as possible, to ensure everyone is aware of their obligations in relation to personal data.