The UK Information Commissioner’s Office (the ICO) has ruled that Virgin Trains East Coast (Virgin) did not break data protection law when it published CCTV images of the UK’s Labour party leader, Jeremy Corbyn. Virgin released the footage last year following Mr Corbyn’s comments that a Virgin train he was travelling on from London to Newcastle was “ram-packed”. The footage shows Mr Corbyn walking past empty seats.

Following its investigation, the ICO found that Virgin had a “legitimate interest” to release the footage of Mr Corbyn: “namely correcting what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests”. The ICO acknowledged that Virgin could not have achieved this without publishing Mr Corbyn’s image.

The ICO did find, however, that Virgin breached the law when it published images of other passengers on the same service. It stated that Virgin should have taken better care to obscure the faces of other passengers on the train. Publication of their images was unfair and a breach of the first principle of the UK Data Protection Act that personal data shall be processed fairly and lawfully.

The ICO stopped short of formal regulatory action against Virgin to reflect “the exceptional circumstances of the breach”. It noted that it was “a one-off incident, and the people identified were unlikely to suffer serious distress or detriment”. However, the ICO did stress that Virgin “has not been let off the hook” and will strengthen its data protection training and policies and ensure it has easy access to pixelation services should the need arise again.