Drones and Data protection
This is a blog post about the responsibilities of drone operators in relation to personal information. Drone pilots often obsess over things like pylons and airports but don’t consider the impact of drones and data protection. However, you need to know that if you film from a drone, the law sees the footage as being in a different category with specific legal requirements associated.
It’s not something I had really thought about until I was asked by a client what my Data Protection Policy was. I just shrugged and thought ‘It be Reet’. I thought it would be useful to look at data protection issues.
Take a look at your PfCO. It says it in bold writing at the bottom. The images you take with a drone are probably subject to Data Protection Regulation. But what does that mean and why? What are your responsibilities?
Drones and Data Protection: Definition
It’s very clear that the information commissioners office (ICO) sees drone footage as something in its own category. Basically if you are in business with a drone you have to have some procedures in place to protect you legally.
Are you are above board and within the law? Do your clients realise they have extra requirements imposed on them too? Would your business survive a legal challenge?
The main point the ICO are making with drones is that they are more powerful than your normal camera and more prone to intruding on the privacy of others not involved in your project. Yesterday for example I was flying in Halifax making some film clips at a college. In spite of Margaret Thatcher’s best efforts, Halifax is a pretty busy town. Despite the 50M rule being observed we still had the potential of capturing people in their back gardens.
Drones and Data Protection: Considerations
This is a – clear case of an identifiable person emerging from the context.
- If you are a drone pilot and you take images which could lead to a living individual being identified then data protection is relevant.
- If something you film could lead to the same then it’s also relavent. If you record a picture of someones car in a certain place or similar it could lead to them being identified i.e. the context identifies them, albeit indirectly.
- If you store these images on a hard disk, then you are a data controller. If you work in a drone team you may well be a data processor of personal information. What a massive pain.
The good news is that if you make films for artistic or journalistic purposes with conventional cameras then you are generally exempt from the rules. This is not the case with drone footage when it is used in this way though. If you work on TV you need to know this.
However, drones have their own category and if you take still or moving pictures with a drone it is subject to section 7.3 of the CCTV code.
Drones and Data Protection : Procedures
Drones are a hot topic. Thanks to the proliferation of idiots who fly drones they are very present on the Daily Mail-o-meter.
I’ve read through the various bits of legislation concerning data protection, and there are a few bits that seem new to me. They were not really included in the CAA training. We are all familiar with making physical risk assessments, but it seems like it is probably necessary to conduct privacy impact assessments too. I’ve started mine.
The purpose of these assessments are to show that you have a clear plan to minimise intrusion and work out the necessity of the flight itself. Examples of ways you can minimise the risk, are
- Writing into policy at what point you are going to switch on the camera.
- Considering if continuous recording is necessary.
- Consider ways of informing people of your presence and activity and what they can do if they object.
- Assessing the ‘necessity’ of the flight. Could the task be done without a drone? (Surely NOT!)
I’ve got some procedures ready to go for this and I’m writing a policy on it too.
Drones and Data Protection: It doesn’t stop there
Once you have passed your footage over to your client, they also need to be made aware of the special status of drone footage because they become the data controller.
Once you have done the shoot, and if you are keeping the footage there is stuff to consider too. Is it necessary to store it? If you hold the information you continue to be a controller or a processor of personal data. You’ve got to work out what you are going to do with it. How are you going to store it securely and how you are going to comply with the new GDPR laws coming in as of May 2018?
Drones and Data Protection: Stuff You Need To Do Now:
Read up on the CCTV Code as above, and then gen up on data protection. You are a ‘controller’ like it or not
- Create a ‘Privacy Notice’ in which you say who you are, what you do with information and who it will be shared with.
- Identify the data controllers and their contact details in your client base
- Get comfortable with the idea of ‘Subject Access Requests’. -there are certain requirements incumbent on the subject.
- Get familiar with the new regulations in the GDPR. Most of it doesn’t apply, but some does like the the right to erasure etc.
- Find ways of letting people know drone filming will be taking place
- If you are doing some sort of event – make sure your client shares your policy with the participants
Hope that helps!