Drones are a great data capture tool, but some missions can raise questions or concerns about privacy and the GDPR.
So how can your organization get the information it needs without violating data protection requirements?
While this thorny topic shouldn't be seen as a barrier to building and growing a UAS program, it is important to ensure that data protection rights are respected and any potential breaches are mitigated.
Each flight should be assessed on a case-by-case basis, but proper planning and development of relevant governance, oversight and controls are a key part of developing a robust GDPR strategy.
Such a plan will consider aspects such as the purpose of the flight, the location and the type of sensors used, while the mitigation methods include storing the data correctly, providing privacy information and acquiring only the specific information that you need.
This blog takes a deep dive into privacy and the GDPR, provides examples of specific scenarios, and explains how your organization can take steps to implement a data protection protocol, including creating data protection impact assessments.
Privacy and data protection
If your drone is equipped with a camera or listening device, you must respect other people's privacy whenever you use it.
After all, privacy and data protection are two separate rights enshrined in EU law in Article 7 and Article 8 of the Charter of Fundamental Rights.
Article 7 – The right to privacy
Everyone has the right to respect for their private and family life, their home and their communications.
This means that the deployment of drone sensors in areas bordering homes or areas where people expect to enjoy privacy must be carefully planned and risks mitigated.
Article 8 – Right to data protection
Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specific purposes and on the basis of the data subject's consent or another legitimate basis established by law. Everyone has the right to access the data collected about him or her and the right to rectify it.
Compliance with these rules is subject to the control of an independent authority.
This means that when personal data of a living individual is obtained and processed by an organisation, it must be done for a specific purpose with a clear legal basis. This right is enforced through laws such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Personal data
So what is personal data?
The GDPR defines it as any information relating to an identified or identifiable natural person.
In the context of drone use, personal data is involved when:
- Clear footage of a person's face is recorded.
- An individual can be identified in other ways, such as through GPS location, visible address, car number plate and personal items, including clothing.
- Information about an individual's private life is revealed.
- Behavior and body characteristics are revealed through video or images.
- Recordings are made of an individual's voice or conversation.
- A person's thermal signature can be identified, revealing behavior.
- Intimate images are recorded that expose home life.
It is also important to consider the risk of capturing special category data, which is data that:
- May reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
- Is genetic data or biometric data.
- Concerns an individual's health or an individual's sexual history or orientation.
Key considerations for data protection
As the above suggests, there is a lot to consider when it comes to juggling drone use and privacy and complying with the GDPR.
Therefore, creating and implementing a data protection/privacy policy is a multifaceted task and each case must be judged on its merits.
In many respects, this workflow follows a three-stage lifecycle:
- Acquisition
- Analysis
- Action
The key questions for each phase are presented in the table below:
Life cycle stage | Issues to consider |
Acquisition | • What types of data will you collect and what is the context of the flight? • What types of sensors are you using? • Where will you operate? • Can you justify that a drone was the best data acquisition solution? • How will you minimize the personal data you collect or avoid collecting personal data altogether? |
Analysis | • How will the data be analysed? Will you be using AI tools like facial recognition or event detection? • Who else might want to use this data for other use cases? |
Action | • What will be done based on the data collected by drone-mounted sensors? Will that action affect/have an impact on individuals? • How/when will you delete personal data that you no longer need? • How will you keep this data safe? |
How your drone sensor can affect privacy
Understanding your drone's payload and how its capabilities might affect privacy and the GDPR is one of the key factors in developing an airtight policy.
Knowing this will help reduce the risk of taking photos, recording videos or capturing audio that invades privacy or breaches the GDPR.
Make sure you know and consider things like:
- What quality can your camera record?
- Is the resolution of the camera necessary for the purpose?
- How far can your camera zoom in?
- Can you start and stop recording on demand during a flight?
- Can you limit the field of view to minimize potentially invasive areas?
- If you are collecting thermal data, for example, can the visual camera be turned off?
In addition to the payload, it is also important to understand the battery life and range of the drone, as the drone may be flying at altitudes or over a flight range likely to capture more secondary personal data than intended. This is especially true for EVLOS/BVLOS operations, for example when a drone-in-a-box system such as the DJI Dock is operated remotely and/or beyond line of sight.
GDPR and privacy: scenario-based assessments
Knowing the capabilities of your sensor is important, but this is only one aspect of the data protection/privacy matrix.
Understanding the deployment scenario is also highly relevant.
After all, there may be circumstances or aspects of your proposed drone use that don't involve data protection or privacy concerns, but you still need to consider this and weigh the issues and risks, just in case.
If your sensors collect data that doesn't identify individuals or invade their privacy, there's likely to be no data protection risk.
In this scenario, it is still worth documenting your assessment and the reasoning behind the conclusion that there is no data protection risk. This should be shared with the relevant data protection officer if your organization has one.
However, if your sensors will be collecting data that could identify individuals, you'll need to conduct a scenario-based risk assessment to decide how the mission can be successfully completed or take steps to address these potential breaches. Mitigation strategies will be discussed later in this blog.
This assessment should follow a structured and methodical approach, with relevant policies, procedures and checklists balancing the risks with the specific scenario and mitigation methods.
Organizations should keep records of all data processing activities related to drones, including the purpose of the data collection, the categories of data collected and the measures taken to protect personal data.
Do you need a DPIA for aerial imaging?
If potential privacy/GDPR issues are reported as part of pre-flight preparations, it is prudent, or even mandatory, to create a DPIA (Data Protection Impact Assessment).
A DPIA is a process that organizations can use to identify and mitigate data protection risks associated with a particular project and is a tool used to ensure compliance with the GDPR data protection rules.
A DPIA typically:
- Describes the nature, scope, context and purposes of the processing;
- Assesses necessity, proportionality and compliance measures;
- Identifies and assesses risks to people;
- Identifies any additional measures to mitigate those risks.
The output of a data protection impact assessment should include a report documenting the above. This can be used to demonstrate compliance with GDPR data protection rules and to provide due diligence evidence in the event of a data protection incident.
Each DPIA should be saved to allow you to use existing DPIAs for future work by implementing default safeguards and risk mitigations – or by highlighting if a new job goes beyond the scope of existing DPIAs and a new one is needed.
Developing a library of DPIAs can also improve transparency by publishing information about planned operations and is evidence that you have considered the risks and are taking steps to combat these issues.
It is also good practice to conduct an after action review to identify any process improvements or safeguards that could be considered.
For more information on DPIAs, visit the website of the Information Commissioner's Office.
Privacy and GDPR: mitigation methods
If data protection is an issue, it is imperative that mitigation processes are in place.
Below are some of the best tips to help you stay on the right side of privacy/GDPR rules.
Understand your recording system
We've covered this before, but it's important to know the capabilities of your payload.
It is also important to be able to turn any recording system on and off when appropriate.
Unless necessary and proportionate, recording should not be continuous.
Limit data collection: Relevant data only
Organizations should collect only the data necessary for the specific purpose for which the drone is being used. This includes the type of data and the duration for which the data is collected.
To limit data, geofencing could be implemented on the drone to ensure the technology is limited to specific areas of operation.
Store data securely and for no longer than necessary
Ensure that all data collected is stored securely and protected from unauthorized access, alteration or destruction. This includes measures such as encryption, firewalls and access controls.
Keep data for the shortest time necessary for its purpose and dispose of it appropriately, when you no longer need it.
Be transparent
Organizations should be transparent about the data they collect, process and store and provide individuals with information about their rights, including the right to access, rectify and delete their personal data.
If an individual requests access to the data you have collected about them using a drone or if they request that the data be deleted, you will need to respond to their request in accordance with the rules of the GDPR.
This could include providing them with a copy of the data you have collected or ensuring that data is deleted from your systems in a timely manner.
Provide privacy information
A key problem with using drones is that, on many occasions, people are unlikely to realize they are being recorded or be able to identify who is in control. If you are a data controller, you are faced with the challenge of providing privacy information if you decide to purchase and use such systems.
The following table provides a summary of the information that you must provide.
What information do we need to provide? | Personal data collected from individuals | Personal data obtained from other sources |
Your organisation's name and contact details | ✓ | ✓ |
The name and contact details of your representative | ✓ | ✓ |
The contact details of the data protection officer | ✓ | ✓ |
The purposes of the processing | ✓ | ✓ |
The legal basis of the processing | ✓ | ✓ |
Legitimate interests in processing | ✓ | ✓ |
The categories of personal data obtained | ✓ | |
The recipients or categories of recipients of the personal data | ✓ | ✓ |
Details of personal data transfers to any third countries or international organizations | ✓ | ✓ |
The retention periods of personal data | ✓ | ✓ |
The rights available to individuals with respect to processing | ✓ | ✓ |
The right to withdraw consent | ✓ | ✓ |
The right to lodge a complaint with a supervisory authority | ✓ | ✓ |
The source of the personal data | ✓ | |
Details of any legal or contractual obligation to provide personal data | ✓ | |
Details of the existence of an automated decision-making process, including profiling | ✓ | ✓ |
You need to find innovative ways to provide this information to people whose information is recorded and be able to justify your approach.
Or, if doing so is very difficult or would require a disproportionate effort, document this information so that it is readily available.
Some examples could include:
- Formally register your drone with the Civil Aviation Authority (CAA);
- Have a privacy policy on a website that you can direct people to, or some other form of privacy policy, so people can access more information.
Visibility
Make sure you are clearly visible when flying. This means people will know who is in charge of your drone.
People should also be aware of who is using the drone, when and how it is being used, and for what purpose. Placing signage in the area where you use a drone explaining its use can help with this.
This allows them to adjust their privacy expectations, be prepared and maintain control over their privacy by acting accordingly.
Where possible, obtain consent before collecting personal data with a drone. This can be done through a written or verbal agreement.
Blur
As part of operational procedures, all identifiable data collected inadvertently, such as license plates, house numbers and faces, must be anonymised (obfuscated) to ensure GDPR compliance.
Train staff
Organizations should ensure that personnel involved in drone operations are trained in data protection laws and regulations and how to handle personal data in compliance with those laws.
Think before sharing photos and videos
Avoid sharing anything that might be unfair or harmful to anyone.
Think carefully about who might see your photos and videos, especially before posting them on social media. Apply the same common-sense approach you would with images or videos recorded on a smartphone or digital camera.
Conduct regular risk assessments
Organizations should conduct regular risk assessments to identify potential vulnerabilities and threats to personal data. This includes assessing the risk of data breaches and unauthorized access.
Act quickly in the event of a data breach
Notification to supervisory authority: In the event of a data breach, organizations must notify the supervisory authority of the data breach without undue delay and, where possible, no later than 72 hours after becoming aware of it.
GDPR example scenarios
These examples are scenario-specific and show steps taken to address potential data protection issues and ensure compliance.
Example One
A surveyor uses a drone in a residential area to inspect for damage to a roof. The surveyor wants to use a drone because the high resolution images allow for a safer and cheaper way to work.
In line with the principles of data protection law, the surveyor carries out a risk-based assessment before deployment. They consider how to fly the drone in a way that does not affect people's rights and freedoms. To avoid inadvertently filming residents, the surveyor begins recording only once at height and does not record any other private property, focusing on the roof.
The surveyor also ensures that, where possible, they provide individuals with links to their privacy information or website via temporary signage, and that all operators are fully trained and registered in accordance with Civil Aviation Authority (CAA) requirements.
Example Two
A local authority wants to deploy a drone over a beach resort to monitor public beaches for crowd movement and littering. Visitors to the beaches would not reasonably expect to be recorded, especially if they are swimming, sunbathing or if children are present.
The local authority must provide strong justification for any recording, based on the sensitivity of the processing. They should take a risk-based approach by carrying out a DPIA before using the technology. This will help assess necessity and proportionality.
If the recording is done in a manner that is in accordance with the rights of individuals and the rules of aviation, the local authority is required to provide the public with the appropriate information about the recording. They should also include information about who is responsible, how to contact them and how people can exercise their rights if necessary.
Example Three
A drone flight is planned to capture video footage of a community waste awareness event. There is also a report of an outbreak of an invasive plant species in the area where the drone will operate and an investigation is needed to assess the extent of the problem.
The recorded footage will therefore support objectives in two categories of use case. However, processing footage of people would not be necessary for the environmental monitoring use case.
Therefore, the drone operation will need to be planned to record footage of the community event and then perform a separate investigation pass with people excluded from the area in which the drone is operating.
Example Four
A light show is proposed using drones flying in a pre-planned formation, similar to a fireworks display. The sensors to be used for this purpose will be GPS, drone flight control and proximity sensors. There will be no optical sensors deployed on these drones.
The assessment at this decision point is that there is no risk to data protection or privacy as no optical sensors are used. This is documented as part of the planning for the display and a copy is sent to the local authority data protection officer for reference.
Summary
Privacy and data protection shouldn't derail drone operations, but they are serious issues that need to be addressed.
It is absolutely essential that drones and their sensors are used responsibly and that subsequent data is handled correctly and proportionately.
The effective and efficient integration of data protection policies requires a strategic and structured approach through adequate planning and development to ensure that procedures are in place to mitigate any risks and respect data protection rights.
Being proactive rather than reactive, anticipating and preventing invasive events before they happen, is a good approach to take.
Having these robust procedures in place ensures that your drone program can thrive and that you can collect the data you need, while acting responsibly, legally and compliantly.