Data Protection Commissioner
Data Protection Commissioner

Guidance on the use of Drones

 

Introduction

Drones are aircraft without a human pilot on board, which are guided by a remote pilot. These aircraft are also sometimes called Remotely Piloted Aircraft Systems (RPAS) or Unmanned Aerial Vehicles (UAV). While drones have long been deployed for military purposes, civilian use is fairly recent. Civil drones may be used to collect information about people's private lives. Unless such systems are used with proper care and consideration, they can give rise to concern that the individual's home or private life is being invaded. It is possible that use of such aircraft may cause privacy concerns among the public as a result of equipment which may be added to the drones. This may include sensors of various types including smart cameras, specific sensors, detection equipment and radio-frequency equipment.

Additional guidance on CCTV systems which is relevant to the use of camera systems on drones, is also provided by this Office[1]

Operation and usage of Drones is primarily regulated by the Irish Aviation Authority[2]. https://www.iaa.ie/ It is up to drone operators to comply with these regulations. This information is maintained and is updated over time so it is important that operators are up to date in their knowledge of these regulations, along with any considerations they need to undertake regarding the Data Protection Acts.

 

Legitimate use of drones in a domestic Setting

The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes is exempt from the provisions of the Data Protection Acts. This exemption, sometimes called the “household exemption”, would generally apply to the handling of the personal data of private persons, as long as this takes place for personal, non-commercial purposes.

However, a recent decision of the Court of Justice of the European Union (CJEU) in December 2014 (C-212/13)[3]  (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62013CJ0212) found that video surveillance by an individual of a public area outside his home fell under the Data Protection Directive. The Court found that as the CCTV also monitored a public space, it did not amount to the processing of data in the course of a purely personal or household activity, for the purposes of the “household exemption”.

As a result, anyone intending to use a drone should ensure that it does not inadvertently capture personal data from third persons as this will mean that thet Data Protection Acts will apply and drone operators will have to ensure that the safeguards and obligations set out below are met. Personal data would include, for instance, facial images or car registration plates.

 

Use of drones in a commercial setting

The use of Drones is extending into a number of other sectors, for instance:
  • Emergency services, such as An Garda Síochána, Fire Service, Ambulance Service or volunteer rescue teams
  • Aerial mapping
  • Infrastructure surveys
  • Aerial photography
  • Journalism
  • Advertisement
 

Proportionality - What data can be captured?

Section 2(1)(c)(iii) of the Acts require that data shall be "adequate, relevant and not excessive" for the purpose for which they are collected. This means that the data from such processing should be limited to what is strictly necessary to achieve a specific purpose (s). Under this principle, drones equipped with different technologies for data collection (camera, thermal imaging, GPS, altimeter, motion, radio frequency equipment and other sensors) should only collect information that is necessary for achieving the purpose pursued by this collection.
For example, a camera on a drone which serves to take aerial photographs of landscapes should not be used for recording faces or other personal information.
At all times, drone operators should ensure that their collection and processing of personal data is minimised to only that necessary or as a consequence of the job being undertaken. Similarly, only those images of the quality or resolution necessary should be captured.  Where personal data is likely to also be captured by sensor equipment  operators should consider what other measures may be required to limit unnecessary capture and processing. This may take the form of usage of a lower resolution camera; only using still images rather than video images; using a live stream rather than recording; or not using photographic imagery at all if in fact say a heat or measurement survey is being undertaken.
It is important that the drone operator is aware of the data collected by the drone and how it operates. It is also important to note that data captured may become personal data after capture if it is combined with other data. So, whilst camera systems are the most obvious use of drones, other sensors may record non-personal data that when combined with other data may identify individuals. E.g., if radio data has been collected for instance, operators should ensure that no equipment identifiers or radio content are stored alongside location.
 

Transparency – notifying the public

In the case of drones, individuals may not be aware that they are being recorded or that a drone is equipped with recording equipment. Under Section 2D of the Acts it is necessary to do as much as possible to identify that recording is taking place, by whom, for what purpose and with whom the data may be shared.
If necessary, the information should be made clear to the general public in the area in which the drone will operate by means of conspicuous signage, advertising posters, leaflet handouts, local newspaper and multi-channel/mode media campaigns and so on – whatever is necessary in order to ensure individuals are adequately and clearly informed before and during the flight, and that valid consent has been obtained.
The dates and times of the flights, the flight path and the types of personal data (e.g. imagery, radio, geometry, location etc) that may be collected should accurately be described, along with the contact details of the operator and the data controller. Drones should be visible and identifiable visually.
 

Data controllers and data processors

Where processing is not carried out directly by the controller, (drone owner/operator) this processing should be governed by a contract or legal act that requires the processor to act only on instructions from the controller.
 

Storage and retention

Section 2(1)(c)(iv) of the Data Protection Acts states that data "shall not be kept for longer than is necessary for" the purposes for which they were obtained.  A data controller needs to be able to justify this retention period. For example imagery and video footage containing personal data that is no longer needed, or where it has been inadvertently captured should be deleted. It may alternatively be possible to use anonymisation techniques. This may take the form of blurring or pixilation of facial images or registration plates for instance. Care should be taken where anonymisation is undertaken as other data held alongside, such as equipment or radio identifiers or location data may allow re-identification when combined with the anonymised data.
 

Security

Section 2(1)(d) of the Data Protection Acts requires that “ appropriate security measures shall be taken” in relation to data. Any data captured should be stored in a appropriately secured environment. Access to the data should be controlled, logged and monitored. This may mean storing imagery or footage on a secure or encrypted medium and only to authenticated and authorised users.
Where a drone operator is undertaking work on behalf of a client, the personal data transmitted and captured by the drone should be secured while in their possession and not retained after handover to a client. Personal data in data transmitted to a “base station” should also be similarly secured. Operators and controllers should remain vigilant about “eaves dropping”, remote control interference and other forms of possible attack when they are remotely operating their vehicles.
Where unauthorised access or capture of this personal data has taken place a “breach” may have occurred and steps to secure the data, inform those involved and perhaps contact the data protection authority may be needed. Operators and data controllers should have policies, procedures and training in place, so that staff can take the appropriate action should a data breach occur.
 

Access requests

Under Section 4 of the Act any person whose image is recorded on a drone system has a right to seek and be supplied with a copy of their own personal data from the footage. To exercise that right, a person must make an application in writing. The data controller may charge up to €6.35 for responding to such a request and must respond within 40 days.
When complying with an access request; data of parties other than the requesting individual should be redacted prior to supplying a copy of the data to the requestor. E.g. pixelated, blurred or darkened out in the case of images or stills. In the event of a request for camera footage the requester should provide the data controller with a reasonable indication of the timeframe of the recording being sought - i.e. they should provide details of the approximate time and the specific date(s) on which their image was recorded. Claims by a data controller that they are unable to produce copies of footage or that stills cannot be produced from the footage are unacceptable excuses in the context of dealing with an access request. In short, where a data controller uses a drone system to process personal data, its takes on and is obliged to comply with all associated data protection obligations.
 

Supply of Data to An Garda Síochána

The same issues that arise from CCTV capture and processing also apply to personal data that may be captured and processed during drone usage. Please refer to the guidance on CCTV systems with regards to supply of data to An Garda Síochána
 

Covert Surveillance

Please refer to the guidance on CCTV systems with regards to covert surveillance

Recommended steps:

There are several practical steps you can take to ensure that you comply with the data protection regulations when using drones;

  • Ensure you have the consent of the individuals whose personal data you will capture, by making timely use of notifications, signage, media, or publicity
  • Ensure that the drones are operated only with the sensor equipment necessary to achieve the purposes for which they are intended, and only record the personal data required to achieve the purposes intended and for which consent has been obtained
  • Have robust security and access controls in place ensuring only authorised persons have access to the images. Ensure that any transfer of personal data is secured and is possible with the consent already obtained
  • Consider mechanisms that automatically blur faces when they are inadvertently filmed during a data collection, or other means to ensure that unintended capture of personal data is avoided, or removed before further processing occurs
  • Use a software programme that automatically deletes the remaining personal data collected once the task is completed

Those using drones for commercial purposes should also;

  • Ensure that a Privacy Impact Assessment (PIA) is completed prior to the use of same. This is effectively an audit of the proposed use of drone technology and takes account of the people and organisations involved, the purpose of the operation, the type of drone and the combination of sensing technology used, identifying the risks to personal data protection, the necessary safeguards to address those risks, and the measurement and adjustment of those safeguards when in use.
  • If required, ensure appropriate contracts are in place
  • Put a written Drone Usage Policy in place; which includes reference to the uses that may be made of the data processed retention and security of personal data being processed.
  • Ensure they comply with the proportionality and transparency rules outlined above.

The data protection issues which arise from the use of drones were also extensively examined by the Article 29 Working Party (which is a Working Party of European Data Protection Commissioners). This opinion can be located at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2015/wp231_en.pdf

 

END – Dec 2015