What does this cover?
The Office of the Data Protection Commissioner (ODPC) has released a guidance note (Guidance Note) relating to drones, including recommendations on steps that users can take to ensure that they comply with the Data Protection Acts 1998 and 2003 (the Acts). The same rules that apply to users of CCTV and Body Worn Cameras (BWCs) apply to users of drones.
In order to ensure compliance with the Acts, the ODPC expects data controllers to carry out detailed assessments which should demonstrate that the personal data captured by drones is justified, proportionate, reasonable and transparent. These assessments should seek to balance the use of drones against an individual's fundamental right to privacy and data protection.
Section 2(1)(c)(iii) of the Acts requires that data shall be "adequate, relevant and not excessive" for the purpose for which it is collected. Under this principle, drones equipped with different technologies for data collection (camera, thermal imaging, GPS, altimeter, motion, radio frequency equipment and other sensors) should only collect information that is necessary for achieving the purpose pursued by this collection. Drone operators should ensure that the collection and processing of personal data is minimised and that only images of the quality or resolution necessary are captured. It is also important to remember that data captured may become personal data after capture if it is combined with other data. In order to be in compliance with the Acts, drone operators should consider what measures could be applied in order to limit unnecessary capturing and processing of personal data, including using a lower resolution camera, only using still images rather than video images, using a live stream rather than recording, or not using photographic imagery at all.
Under Section 2D of the Acts it is necessary to do as much as possible to identify that recording is taking place, by whom, for what purpose and with whom the data may be shared. If necessary, this information should be made clear to the general public in the area in which the drone operates by means of conspicuous signage, advertising posters, leaflet handouts, local newspaper and multi-channel/mode media campaigns and so on – whatever is necessary in order to ensure individuals are adequately and clearly informed before and during the flight, and that valid consent has been obtained. The dates and times of the flights, the flight path and the types of personal data (e.g. imagery, radio, geometry, location etc.) that may be collected should be accurately described, along with the contact details of the operator and the data controller. Drones should also be visible.
Storage and Retention
All personal data captured by drones should be stored in an appropriately secured environment and access to the data should be controlled, logged and monitored. This may mean storing imagery or footage on a secure or encrypted medium accessible only to authenticated and authorised users. The Guidance Note also refers to the requirement that data controllers justify the retention period, and any imagery or video footage containing personal data that is not needed, or that has been inadvertently captured, should be deleted. Where a drone operator is undertaking work on behalf of a client, the personal data transmitted and captured by the drone should be secured while in their possession and not retained after handover to a client. Alternatively, it may be possible to use anonymisation techniques. This may take the form of blurring or pixelation of facial images or registration plates.
Where unauthorised access or capture of this personal data has taken place a “breach” may have occurred and steps to secure the data, inform those involved and perhaps contact the ODPC may be required. Similar to the requirements set out in our CCTV summary, data controllers should have policies, procedures and training in place so that staff can take the appropriate action should a data breach occur.
The Household Exemption
The processing of personal data kept by an individual and concerned solely with the management of his/her personal, family or household affairs or kept by an individual for recreational purposes is exempt from the provisions of the Acts. This exemption, sometimes called the “household exemption”, would generally apply to the handling of the personal data of private persons, as long as this takes place for personal, non-commercial purposes. However, the household exemption is limited in scope, as seen clearly in the case of František Ryneš (C-212/13), where the CJEU found that video surveillance by an individual of a public area outside his home fell under the Data Protection Directive. The CJEU found that as the CCTV also monitored a public space, it did not amount to the processing of data in the course of a purely personal or household activity, for the purposes of the “household exemption”. Therefore, anyone intending to use a drone should ensure that it does not inadvertently capture personal data from third persons as this will mean that the provisions of the Acts apply.
What action could be taken to manage risks that may arise from this development?
There are several practical steps drone operators can take to ensure that they comply with the Acts, including:
- Carry out required assessments including a risk assessment and a privacy impact assessment (PIA) prior to using drones. The PIA should consider the people and organisations involved, the purpose of the operation, the type of drone and the combination of sensing technology used, identifying the risks to personal data protection, the necessary safeguards to address those risks, and the measurement and adjustment of those safeguards when in use;
- Put a written drone usage policy in place to include reference to the collection, processing, retention and security of personal data being processed;
- Ensure you have the consent of the individuals whose personal data you will capture, by making timely use of notifications, signage, media, or publicity;
- Ensure that the drones are operated only with the sensor equipment necessary to achieve the purposes for which they are intended, and only record the personal data required to achieve the purpose(s) intended and for which consent has been obtained;
- Have robust security and access controls in place ensuring only authorised persons have access to the images;
- Ensure that any transfer of personal data is secured and is possible with the consent already obtained;
- Consider mechanisms that automatically blur faces when they are inadvertently filmed during a data collection, or other means to ensure that unintended capture of personal data is avoided, or removed before further processing occurs;
- Use a software programme that automatically deletes the remaining personal data collected once the task is completed;
- Ensure that an appropriate contract is in place with any third party security company(ies); and
- Train all camera operators to ensure that they comply with the relevant policies.