The Information Commissioner is looking into a possible breach of data protection rules after Richard Branson's Virgin Trains released CCTV footage of Jeremy Corbyn, in order to rebut his claims their service was "ram-packed".
The railway company released video and still images from one of its trains to show there were empty seats after Mr Corbyn complained of overcrowding.
Virgin published the timestamped pictures alongside a statement chiding Mr Corbyn, who had suggested that sitting on the floor was “a problem that many passengers face every day”.
One image initially released by the company had the faces of some other passengers visible; this was later withdrawn and replaced with a blurred version. Mr Corbyn was identified in all images and his face never blurred, however.
A spokesperson for the Information Commissioner’s Office told The Independent it was looking into the incident and that organisations should be aware of their legal responsibilities under the Data Protection Act.
“We are aware of the publication of CCTV images of Jeremy Corbyn and are making enquiries,” she said.
“All organisations have an obligation to comply with the Data Protection Act and must have legitimate grounds for processing the personal data they hold.
“Where there’s a suggestion that this hasn’t happened, the ICO has the power to investigate and can take enforcement action if necessary.”
Virgin Trains’ privacy policy has a section on CCTV in which is notes it must comply with data protection laws.
“In certain circumstances we may need to disclose CCTV images for legal reasons, the policy states.
“When this is done there is a requirement for the organisation that has received the images to adhere to the Data Protection Act.”
The Information Commissioner Office’s 2015 guidance on how not to break data protection law with a CCTV system warns against posting images on the internet or giving them to the media.
“It can be appropriate to disclose surveillance information to a law enforcement agency when the purpose of the system is to prevent and detect crime, but it would not be appropriate to place them on the internet in most situations,” the guidance states.
“It may also not be appropriate to disclose information about identifiable individuals to the media.”
It adds that release to the public “should not generally be done by anyone other than a law enforcement agency”.
In “severe cases” enforcement action would be launched by the Information Commissioner, it says.
Virgin Trains declined to comment, though a spokesperson indicated the firm was mindful of its obligations with regard to the Data Protection Act and pointed out it had pixelated passengers' faces.
