I am obviously no expert in this but I was wondering earlier around the legal implications for Steve Gibson in all this.
So he owns Boro and also owns the golf course resort thingy.
So I am not sure if under Data Protection laws if the resort it legally permitted to provide the CCTV images of people on public property.
I ran this past my Legal Council...
Legally, this is actually quite an interesting question and it turns on a few separate issues:
- Who owns/controls the CCTV system?
- What was the footage originally collected for?
- Was the sharing “necessary and proportionate”?
- Was the footage of a public place or private land?
- Was it then used for a disciplinary/sporting purpose?
If the golf resort (owned by Steve Gibson) provided CCTV footage to Middlesbrough F.C., the key point is that UK GDPR/Data Protection Act 2018 does not automatically prohibit sharing CCTV footage between related businesses. It depends on the lawful basis and purpose.
A few important legal principles:
- CCTV footage containing identifiable people is “personal data”
- The resort would be a “data controller”
- Sharing footage with another organisation is “processing”
- That processing needs a lawful basis under UK GDPR
The most likely lawful basis would be:
- “legitimate interests”
or
- prevention/detection of misconduct, crime, or protecting business interests
Now, where it becomes more legally delicate is this:
If the cameras were installed for:
- security,
- crime prevention,
- health & safety,
…but the footage was later used for:
- football disciplinary investigations,
- monitoring employees/players,
- sporting sanctions,
then the question becomes whether that secondary use was compatible with the original purpose.
That does happen lawfully all the time in practice:
- employers use CCTV for disciplinary investigations,
- retailers use CCTV for staff misconduct,
- police request private CCTV,
- clubs use training-ground footage internally.
But there are limits.
The ICO (Information Commissioner’s Office) guidance generally says organisations should:
- tell people CCTV may be shared,
- have privacy notices,
- only disclose when necessary,
- minimise excessive disclosure,
- retain audit trails.
Your “public property” point is important too.
If the footage captured:
- a public road,
- pavement,
- public car park,
- or public space outside the resort,
that does not remove GDPR obligations. Public-space CCTV is still personal data if individuals are identifiable.
However, if the resort cameras were simply capturing an area adjacent to their premises incidentally, that is usually lawful if proportionate.
Where things could become problematic legally is if:
- the footage was obtained under false pretences,
- there was no clear lawful basis,
- the sharing was excessive,
- it was used for purposes completely unrelated to the original CCTV purpose,
- or there was informal sharing between “Steve Gibson the businessman” and the football club without proper corporate governance.
That last point is probably the most interesting one legally.
Because even if Steve Gibson owns both entities, they are still almost certainly separate legal entities. The resort cannot simply say:
“same owner, so we can share whatever we want.”
There still needs to be:
- a lawful basis,
- documented processing rationale,
- proportionality,
- and compliance procedures.
In reality though, unless the disclosure was clearly abusive or irrational, regulators usually give organisations quite a lot of latitude where:
- misconduct is being investigated,
- reputational damage is involved,
- or there are safeguarding/security concerns.
So the answer is:
- it is not automatically unlawful,
- but it absolutely is regulated,
- and there are definitely scenarios where improper sharing could breach UK GDPR/Data Protection Act principles.
From a football perspective, the bigger issue may actually be:
- employment law,
- evidential fairness,
- surveillance proportionality,
- and whether the club obtained/used the evidence appropriately,
rather than some dramatic criminal GDPR breach.
