Remember Jeremy Corbyn in his pre-cult figure days? (Okay, I know he has always been a cult figure to some – but I mean before the election and Glastonbury and so on). Remember the CCTV footage of him slouching about in a vestibule on a busy Virgin train? If so, you will probably remember that Virgin responded to the suggestion of overcrowding by publishing CCTV footage from the train journey to show that there were seats available. Did it breach the DPA in doing so?
The ICO explained the answer in a blog post today by its Head of Enforcement, Steve Eckersley. In short: Virgin did not contravene Mr Corbyn’s rights under the DPA. It had a legitimate interest in responding to his team’s story, and his team had already published footage of him on that train journey anyway. No problem under condition 6(1) from Schedule 2 here.
But Virgin did contravene the DPA by publishing footage of other passengers. There was no need to do so: as the ICO explains, they were just minding their own business. Virgin should have pixellated them out or obscured their faces. So, a partial contravention, but no enforcement action.
Nothing particularly surprising about the analysis or outcome here, but it is a good worked example of the ICO’s approach to the legitimate interests test, which will be an extremely important issue under the GDPR.
And if you’re a data controller asking whether you can publish at least some personal data to rebut at a published complaint about you, take heart. The answer* is: Jez you can!**
* Depending on the circumstances blah blah.
** Lame, I know. Sorry.
Robin Hopkins @hopkinsrobin