Staying The Right Side Of The Tracks

17 July 2017

Virgin Trains were recently found not to have breached Jeremy Corbyn’s rights under the Data Protection Act (DPA) when they posted CCTV pictures of him on one of their trains he had famously criticised. With bad news travelling fast and without many, or any, barriers to stop its spread, this case throws up interesting questions as to how far can you go to defend yourself when you are being attacked. 

It’s a fine line to tread between speedily and robustly defending yourself and overstepping the line and exposing yourself to more problems.

The DPA places a number of obligations on companies, including that they must process personal data fairly and lawfully. One of a company’s obligations under the DPA is to tell people how their data will be processed, so in responding to any attack, attention must be paid to what you have already said you will do with people’s data. If what you want to do with that data isn’t in your terms and conditions and/or privacy policy, then you will need to show a legitimate interest for what you are going to do with it. 

It is this which Virgin Trains successfully relied on.

The ICO found that Virgin Trains was entitled to correct what it deemed to be misleading news reports that were potentially damaging to its reputation and commercial interests and that, in the particular circumstances of this case, this could not have been done without publishing Mr Corbyn’s image. The fact that Mr Corbyn had already released a video and could expect Virgin Trains to respond in kind, were also factors in the ICO’s determination.

Virgin Trains was though found to have breached the DPA rights of other passengers included in the photographs, because it had no reason to publish their images. The ICO stopped short of any formal regulatory action in this case, but made it clear that this was a serious issue.

So if you are being attacked by someone and need to defend yourself or your company’s reputation, don’t assume that all of the attacker’s data or images which you hold can be used against them. You must have a legitimate interest in publishing any data/images and act proportionately, only going so far as necessary to satisfy your legitimate interest. If you can defend yourself without disclosing personal data or photographs, then you must not disclose them.

You must also ensure that you are not exposing yourself to any defamation, privacy or DPA complaints, by the person who is attacking you or by third parties who may be inadvertently caught up in the dispute, such as Mr Corbyn’s fellow passengers.

Taking swift advice on options available to you and the risks of misusing personal data is the best approach when your reputation is under attack. An instinctive reaction involving the disclosure of personal data can result in the derailing of your reputation defence.   

Receive our monthly newsletter

About the Author

Ben Hobbs


Ben specialises in reputation protection. His work covers defamation, privacy, harassment and intellectual property rights.

+44 (0)20 7034 9000
Our 24 hour number
+44 (0)20 7034 9000
Legal information

© 2021 Schillings International LLP. SCHILLINGS is a trading name of Schillings International LLP and Schillings International (USA) LLP.

Schillings International LLP is a limited liability partnership registered in England and Wales with registration number OC398731. A list of members of Schillings International LLP is available for inspection at our registered office 12 Arthur Street, London, EC4R 9AB. Schillings International LLP is an Alternative Business Structure regulated and authorised by the Solicitors Regulation Authority.

Schillings International (USA) LLP is a registered limited liability partnership organised and existing under the laws of the State of Delaware, United States of America, whose principal place of business is at One World Trade Center, Suite 8500, New York, NY 10007. Our New York based attorneys are registered as a foreign legal consultant in the State of New York.