The Office of the Data Protection Commissioner (DPC) has issued new guidance on the use of drones, also known as remotely piloted aircraft systems, after the recent publication of legislation governing drones. The use of drones is primarily regulated by the Irish Aviation Authority.

The DPC has said that the Data Protection Acts would apply where the use of a drone inadvertently captures personal data (e.g. facial images or car registration plates) from third parties. The DPC also advised that when operating a drone in a commercial setting, “drone operators should ensure that their collection and processing of personal data is minimised to only that necessary or as a consequence of a job being undertaken.” In accordance with the Acts, the data collected “shall not be kept for longer than is necessary for” the purposes for which it was obtained and a data controller also needs to be able to justify this retention period. Any individual whose image is recorded on a drone also has a right to seek a copy of it. Under the Data Protection Acts an individual has a right of access to personal data held by a third party.

Along with the publication of this new guidance, the DPC has also issued the following recommended steps to ensure compliance with data protection rules when using drones:

  • Obtain consent from the individual whose personal data would be captured by making timely use of notifications, signage, media or publicity;
  • Record only personal data required to achieve the purposes intended;
  • Have robust security and access controls in place so only authorised persons have access to the image;
  • Consider mechanisms that automatically blur faces when they are inadvertently filmed during a data collection; and
  • Use a software programme that automatically deletes the remaining personal data collected once the task is completed.

With the use of drones expected to increase sharply, it is important for all drone users to comply not only with the guidance published by the DPC but the general provisions of the Data Protection Acts to ensure compliance at all times. The area is one of increased complexity and development and further regulation is expected.