The Curious Case of #TrainGate

Jeremy Corbyn, the current leader of the Labour Party in the UK, took a train and did/did not sit down.  Or rather did/did not sit down on a comfy chair.

Now, for most of us, that would not be much of a story, but tonight it is the most read story on the BBC website.

And it all comes down to these images:

Virgin press officJC045 - pixilated redactede caption: CCTV footage shows Mr Corbyn returning to Coach H and sitting down at 11.43am, shortly after being filmed while sat on the floor and more than 2hrs before his final destination, Newcastle (I have removed images of other passengers)


Virgin press office caption: CCTJC016 - VTEC#12316 Camera 3#11-08-2016 10_11_37.38 redactedV footage shows Mr Corbyn walking past reserved but empty seats at 11.08am in Coach F (I have removed images of other passengers).

Anyway, the crux of it is that the Labour party implies there were no seats, and Virgin trains implies there were.  The interesting thing is that CCTV images were released into the public domain, and the (presumably) commercial thoughts that went into that decision.

Virgin Trains Privacy Policy

Is here.  And I doubt anyone has read it.  I mean, who decides which train to catch on the basis of a privacy policy?

Anyway, there’s a whole section on CCTV.  The only relevant bit seems to be ‘In certain circumstances we may need to disclose CCTV images for legal reasons.’  A bit weak for disclosing the images on their website to the whole world.  But, some clever privacy person has added:

‘We employ CCTV on our trains and in our stations in order to:

  • prevent, deter and detect crime
  • apprehend and prosecute offenders, and provide evidence to take civil action in the courts
  • help provide a safer environment for our staff
  • protect public safety
  • help to provide improved customer service, for example by enabling staff to see customers requiring assistance
  • monitor operational and safety related incidents
  • assist with the verification of claims.’

More on that later.

The Information Commissioner

The Information Commissioner’s Data protection code of practice for surveillance cameras and personal information sets out that ‘Disclosure of information from surveillance systems must be controlled and consistent with the purpose(s) for which the system was established.’.

‘The method of disclosing information should be secure to ensure they are only seen by the intended recipient.’

Now, you could argue that Virgin intended the recipient to be the whole world.  And that the system was established to assist with the verification of claims.

And there are no criminal issues: the Crown Prosecution Service is only interested if you obtain data without the consent of the data controller.  (Virgin are the data controller, and released the data, so that doesn’t work.)  Or if they sell personal data.  (They didn’t – they gave it away for free.)

The Moral of the Story

Read those privacy policies.  And don’t make a claim against Virgin Trains.  Otherwise you may find yourself on the pages of the tabloid newspapers.

Update 24 August 2016: The Guardian reports that the Information Commissioner is investigating whether the release of CCTV images by Virgin Trains breaches the Act.  Interestingly, they do not say that they did – and it all comes down to interpretation of the Rules.  Given that the bold paragraph is in Virgin’s privacy policy, it will be interesting to see whether this is enough to not be caught by the Rules.  Watch this space, and in the meantime, the EU General Data Protection Regulation is soon to be upon us (at least for the time in which the UK is part of the EU).  With penalties of 4% of worldwide turnover, it would be interesting to see if such a PR gamble would take place under the new regime.