According to the ICO's Legal Team, any organisation can process that information without being prosecuted because according to them, personal information found in the public domain does not require the consent of the data controller.
So if Virgin are Company A and they've accidentally disclosed this personal information to the public domain, then Company A could possibly face prosecution by the ICO. Particularly when you bear in mind that being a member of a union is sensitive personal information and a typical CV might contain this information.
Yet according to the ICO, if Company B comes along and decides to process the information that has been disclosed, Company B cannot be prosecuted. Even if they know full well that the disclosure was accidental. If Company B processes this information then the most that can happen to them is that the ICO will tell them that they've unfairly processed personal information and not to do it again.
I'm currently challenging the ICO's view that information found in the public domain does not require the consent of the data controller.