News
Published on 9 Mar 2023
James Willoughby
Drones, GDPR And Privacy
In-depth guide on drones, GDPR and privacy. Find out how you can implement a robust data protection strategy, allowing you to collect aerial data while adhering to GDPR and respecting people's privacy. ... Read More
Data protection and privacy are important considerations when planning and conducting a drone flight;
It is crucial that your organisation takes steps to ensure data rights are respected and potential issues mitigated;
Key considerations include the type of sensors being used and their capabilities; the location of the mission; and the purpose for collecting the data;
Mitigation strategies depend on the scenario, but include transparency, providing privacy information, only collecting data relevant to the mission; and ensuring data is kept safe and retained for the shortest time necessary;
Read this blog to find out how your organisation can implement a robust data protection policy, including the creation of Data Protection Impact Assessments.
Drones are a great data capture tool, but some missions can spark questions or concerns about privacy and GDPR.
So how can your organisation capture the information it needs without falling foul of data protection requirements?
While this thorny subject shouldn't be seen as a barrier to building and growing a UAS programme, it is important to ensure that data protection rights are respected and any potential breaches are mitigated.
Each flight should be judged on a case-by-case basis, but appropriate planning and development of relevant governance, oversight and controls are a fundamental part of developing a robust GDPR strategy.
Such a plan will consider aspects like the purpose of the flight, the location, and the type of sensors being used, while mitigation methods include storing data correctly, providing privacy information, and only capturing the specific information that you need.
This blog takes an in-depth look at privacy and GDPR, provides examples of specific scenarios, and explains how your organisation can take steps to implement a data protection protocol, including creating Data Protection Impact Assessments.
Privacy And Data Protection
If your drone is fitted with a camera or listening device, you must respect other people’s privacy whenever you use them.
After all, Privacy and Data Protection are two distinct rights enshrined in EU law in Article 7 and Article 8 of the Charter of Fundamental Rights.
Article 7 - The Right of Privacy
Everyone has the right to respect for his or her private and family life, home, and communications.
This means that deploying drone sensors in areas that overlook homes or areas where people expect to enjoy privacy must be planned carefully and the risks mitigated.
Article 8 - The Right To Data Protection
Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Compliance with these rules shall be subject to control by an independent authority
This means that when personal data of any living individual is obtained and processed by an organisation, it must be done for specific purposes with a clear legal basis. This right is given effect through legislation such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Personal Data
So, what is Personal Data?
GDPR defines it as any information relating to an identified or identifiable natural person.
In the context of drone use, personal data includes:
Clear footage of a person’s face is recorded.
An individual can be identified in another manner such as through the GPS location, visible address, car registration, and personal items including clothing.
Information about an individual’s private life.
Behaviour and bodily characteristics are revealed through the footage or images.
Recordings are made of an individual’s voice or conversation.
A person’s heat signature can be identified, revealing behaviour.
Intimate imagery exposing home life is recorded.
It is also important to consider the risk of capturing Special Category Data, which:
Can reveal racial or ethnic origin; political opinions; religious or philosophical beliefs; Trade Union membership.
Is genetic data or biometric data.
Is concerning an individual's health or an individual's sexual history or orientation.
Key Considerations For Data Protection
As the above suggests, there is plenty to consider when it comes to juggling drone use with privacy and adhering to GDPR.
Therefore, creating and implementing a data protection/privacy policy is a multi-faceted approach and each case needs to be judged on its merits.
In many respects, this workflow follows a three-step lifecycle:
Acquisition
Analysis
Action
Key questions for each stage are set out in the table below.
Life Cycle Stage | Issues To Consider |
Acquisition | • What types of data are you going to gather and what is the context of the flight? • What types of sensors are you using? • Where will you be operating? • Can you justify that a drone was the best data-capture solution? • How will you minimise the data related to people you will capture to the minimum necessary or avoid capturing data relating to people at all? |
Analysis | • How will data be analysed? Will you be using AI tools like facial recognition or event detection? • Who else might want to use this data for other use cases? |
Action | �• What is the thing that will be done based on the data gathered from the drone mounted sensors? Will that action affect/impact individuals? • How/when will you get rid of personal data you no longer need? • How will you keep that data safe? |
The details in the table are based on information sourced from Data Protection: Drone User Handbook (compiled using contributions from Dublin City Council and the various stakeholder groups) - and provide a good overview of the key data considerations.
How Your Drone Sensor Can Impact Privacy
Understanding your drone's payload and how its capabilities could impact privacy and GDPR is one of the key drivers to developing a watertight policy.
Knowing this will help to reduce the risk of taking photos, recording videos or capturing audio bites that invade privacy or impact GDPR.
Make sure you know and consider aspects such as:
What quality can your camera record?
Is the resolution of the camera necessary for the purpose?
How close can your camera zoom in?
Can you start and stop recording on-demand during a flight?
Can you limit the field of view to minimise potentially intrusive areas?
If you are collecting thermal data, for instance, can the visual camera be turned off?
As well as the payload, it is also important to understand the drone's battery life and range, as the drone could fly at altitude or in a flight range that risks more secondary capture of personal data than anticipated. This is especially true of EVLOS/BVLOS operations, such as if you are operating the DJI Dock drone in a box remotely and/or beyond visual line of sight.
GDPR And Privacy: Scenario-based Assessments
Knowing your sensor's capabilities is important, but this is just one aspect of the data protection/privacy matrix.
Understanding the deployment scenario is also extremely relevant.
After all, there may be circumstances or aspects of your proposed drone use that don’t engage data protection or privacy issues – but, you need to consider this and assess the issues and risks, just in case.
If your sensors collect data which do not identify people or invade their privacy, then chances are there is no data protection risk.
In this scenario, it is still worth documenting your assessment and your subsequent reasoning for concluding that there are no data risks. This should be shared with the relevant data protection officer - if your organisation has one.
However, if your sensors will collect data that could identify people, you will need to conduct a scenario-based risk assessment to decide on ways that the mission can be completed without issues or taking steps to address these potential breaches. Mitigation strategies will be discussed later in this blog.
This assessment should follow a structured and methodic approach, featuring the relevant policies, procedures, and checklists which balance the risks with the specific scenario and mitigation methods.
Organisations should keep a record of all drone-related data processing activities, including the purpose of data collection, the categories of data collected, and the measures taken to protect personal data.
Do You Need A DPIA for Aerial Imaging?
If potential privacy/GDPR issues are flagged as part of the pre-flight preparations, it is prudent - or even required - to create a DPIA (Data Protection Impact Assessment).
A DPIA is a process that organisations can use to identify and mitigate the data protection risks associated with a particular project, and is a tool used to help ensure compliance with GDPR rules around data protection.
A DPIA typically:
Describes the nature, scope, context and purposes of the processing;
Assesses necessity, proportionality and compliance measures;
Identifies and assesses risks to individuals;
Identifies any additional measures to mitigate those risks.
The output of a DPIA should include a report documenting the above. This can be used to demonstrate compliance with GDPR rules around data protection and to provide evidence of due diligence in the event of a data protection incident.
Each DPIA should be saved to enable you to use existing DPIA's for future jobs by implementing pre-defined safeguards and risk mitigations - or highlighting if a new job exceeds the scope of existing DPIA's and a new one is required.
Developing a library of DPIAs can also improve transparency through the publication of information about planned operations, and is evidence that you have considered the risks and are taking steps to combat these issues.
It is also good practice to conduct an after action review to identify any improvements to processes or safeguards that might need to be considered.
For more information on DPIAs, visit the Information Commissioner's Office website.
Privacy And GDPR: Mitigation Methods
If data protection is an issue, it is crucial that mitigation processes are put in place.
Below are some top tips to help you keep on the right side of privacy/GDPR rules.
Understand Your Recording System
We've mentioned it already, but it is important to know the capabilities of your payload.
It is also important that you can switch on and off any recording system, when appropriate.
Unless it is necessary and proportionate, recording should not be continuous.
Limit Data Collection: Relevant Data Only
Organisations should only collect data that is necessary for the specific purpose for which the drone is being used. This includes the type of data and the duration for which the data is collected.
To limit data, geofencing could be deployed on the drone to ensure the technology is restricted to specific areas of operation.
Storing Data Safely And No Longer Than Necessary
Ensure that any data that has been collected is stored securely and is safe from unauthorised access, alteration, or destruction. This includes measures such as encryption, firewalls, and access controls.
Retain data for the shortest time necessary for its purpose and dispose of it appropriately, when you no longer require it.
Be Transparent
Organisations should be transparent about the data they collect, process, and store, and provide individuals with information about their rights, including the right to access, rectify, and delete their personal data.
If an individual requests access to the data that you've collected about them using a drone, or if they request that the data be deleted, you'll need to respond to their request in compliance with GDPR rules.
This might include providing them with a copy of the data you've collected, or ensuring that the data is deleted from your systems in a timely manner.
Providing Privacy Information
A key issue with using drones is that, on many occasions, individuals are unlikely to realise they are being recorded or be able to identify who is in control. If you are a controller, you must address the challenge of providing privacy information if you decide to purchase and use such systems.
The table below provides a summary of what information you must provide.
What information do we need to provide? | Personal data collected from individuals | Personal data obtained from other sources |
The name and contact details of your organisation | ✓ | ✓ |
The name and contact details of your representative | ✓ | ✓ |
The contact details of your data protection officer | ✓ | ✓ |
The purposes of the processing | ✓ | ✓ |
The lawful basis for the processing | ✓ | ✓ |
The legitimate interests for the processing | ✓ | ✓ |
The categories of personal data obtained | ✓ | |
The recipients or categories of recipients of the personal data | ✓ | ✓ |
The details of transfers of the personal data to any third countries or international organisations | ✓ | ✓ |
The retention periods for the personal data | ✓ | ✓ |
The rights available to individuals in respect of the processing | ✓ | ✓ |
The right to withdraw consent | ✓ | ✓ |
The right to lodge a complaint with a supervisory authority | ✓ | ✓ |
The source of the personal data | ✓ | |
The details of whether individuals are under a statutory or contractual obligation to provide the personal data | ✓ | |
The details of the existence of automated decision-making, including profiling | ✓ | ✓ |
You need to come up with innovative ways of providing this information to individuals whose information is recorded, and be able to justify your approach.
Or, if doing that is very difficult or would involve disproportionate effort, document this information in a way that is readily available.
Some examples could involve:
Formally registering your drone with the Civil Aviation Authority (CAA);
Having a privacy notice on a website that you can direct people to, or some other form of privacy notice, so individuals can access further information.
Visibility
Make sure you can be clearly seen when you’re out flying. This means people will know who’s responsible for your drone.
People should also be aware of whom, when and how the drone is being used and for what purpose. Placing signage in the area you are operating a drone explaining its use can help with this.
This allows them to adjust their privacy expectations, be prepared and keep control over their privacy by acting accordingly.
Where possible, obtain consent before collecting personal data with a drone. This can be done through a written or verbal agreement.
Blurring
As part of your operational procedures, any identifiable data which is inadvertently collected, such as car number plates, house numbers and faces, should all be anonymised (blurred) to ensure compliance with GDPR.
Train Personnel
Organisations should ensure that personnel involved in drone operations are trained on data protection laws and regulations and on how to handle personal data in compliance with these laws.
Think Before Sharing Photos and Videos
Avoid sharing anything that could be unfair or harmful to anyone.
Think carefully about who could see your photos and videos – especially before posting them on social media. Apply the same common-sense approach that you would with images or video recorded on a smartphone or digital camera.
Conduct Regular Risk Assessments
Organisations should conduct regular risk assessments to identify potential vulnerabilities and threats to personal data. This includes assessing the risk of data breaches and unauthorised access.
Act Swiftly In The Event Of A Data Breach
Notify the supervisory authority: In case of a data breach, the organizations should notify the supervisory authority about the data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it.
GDPR Example Scenarios
These examples (sourced from the Information Commissioner's Office website) are scenario-specific, showing the steps taken to ensure compliance with potential data protection issues.
Example One
A building surveyor uses a drone in a residential area to inspect damage to a roof. The surveyor wishes to use a drone because the high-resolution images allow for a safer and more cost effective way of working.
In keeping with the principles of data protection law, the surveyor makes a risk-based assessment prior to deployment. They assess how to fly the drone in a way that does not affect the rights and freedoms of individuals. In order to prevent the unintended filming of residents, the surveyor only begins recording at altitude, and does not record any other private property, with the focus being on the roof.
The surveyor also ensures that, where possible, they provide individuals with links to their privacy information or website via temporary signage, and that any operators are fully trained and registered in keeping with Civil Aviation Authority (CAA) requirements.
Example Two
A local authority wishes to deploy a drone over a seaside resort to monitor public beaches for crowd movement and littering. Naturally, any visitors to the beaches may not reasonably expect to be recorded, especially if they are swimming, sunbathing or there are children present.
The local authority needs to make a strong justification for any recording, based on the sensitivity of the processing. They should take a risk-based approach by carrying out a DPIA before using the technology. This will help assess necessity and proportionality.
If recording does occur in a manner that is compliant with individuals rights and aviation rules, the local authority is required to provide the general public with appropriate information about the recording. They would also need to include information about who is responsible, how to contact them, and how individuals can exercise their rights if needed.
Summary
Privacy and data protection should not derail drone operations, but they are serious issues which need consideration.
It is absolutely essential that drones and their sensors are used responsibly and the subsequent data is handled correctly and proportionality.
The effective and efficient integration of data protection policies requires a strategic and structured approach through appropriate planning and development to ensure that procedures are in place to mitigate any risks and respect data protection rights.
Being proactive rather than reactive, by anticipating and preventing invasive events before they happen, is a good approach to take.
Having these robust procedures in place ensures your drone programme can thrive and you can collect the data you need, while acting responsibly, legally, and compliantly.
To discuss any of the topics mentioned in this article, or to find out how heliguy™ can support your drone programme, including drone supply, training, and repairs, contact us.
