Unmanned Aerial Systems (UAS) / Drones

Checklist

☐ We have considered whether there is a genuine need for us to use a drone, if alternative systems or methods of surveillance are not suitable to solve a particular problem.

☐ We have conducted a Data Protection Impact Assessment (DPIA) which includes the risks associated with recording at altitude, and capturing footage of individuals that are not intended to be the focus of our surveillance.

☐ We have registered our drone if the system falls within the specific criteria set by the Civil Aviation Authority (CAA). See the CAA website for further details about registration.

☐ We have robust policies and procedures in place for the use of drones, and our operators are appropriately trained, with documented credentials.

☐ We inform individuals that we are using a drone where possible, and we have an accessible privacy notice that individuals can read to learn more about our use.

☐ We comply with the Surveillance Camera code of practice where required.

What are Unmanned Aerial Systems (UAS) / Drones?

Drones are otherwise known as Unmanned Aerial Systems (UAS), Unmanned Aerial Vehicles (UAVs) and Remotely-Piloted Aircraft Systems (RPAS). They are lightweight unmanned aircraft commonly controlled by operators or onboard computers, which can also be controlled by operators. Drones can be used in many innovative ways, for example for photography, the geographical mapping of an area or searching for missing people. But they have raised privacy concerns due to their manoeuvrability and enhanced capabilities of taking photos, videos and sensing the environment. Using drones can result in the collection, use, or sharing of personal data, including information about individuals who are not the intended focus of the recordings.

Smaller models, in particular, can be easily purchased online or on the high street by businesses and members of the public. There is a distinction between those individuals who can be considered as ‘hobbyists’ and are therefore generally using their device for purely personal activities, and those individuals or organisations who use the device for professional or commercial purposes.

In contrast, organisations using drones are clearly controllers for any personal data that the drone captures, and therefore are required to comply with data protection law.

Providing privacy information

A key issue with using drones is that, on many occasions, individuals are unlikely to realise they are being recorded or be able to identify who is in control. If you are a controller, you must address the challenge of providing privacy information if you decide to purchase and use such surveillance systems.

You need to come up with innovative ways of providing this information to individuals whose information is recorded, and be able to justify your approach. Or, if doing that is very difficult or would involve disproportionate effort, document this information in a way that is readily available. Some examples could involve:

  • formally registering your drone with the Civil Aviation Authority (CAA);
  • placing signage in the area you are operating a drone explaining its use; and
  • having a privacy notice on a website that you can direct people to, or some other form of privacy notice, so individuals can access further information.

How do we record information responsibly?

The use of drones has the potential for ‘collateral intrusion’ by recording images of other individuals unnecessarily. This can therefore be privacy intrusive. For example:

  • The likelihood of recording individuals inadvertently is increased, because of the height drones can operate at and the unique vantage point they afford.
  • Individuals may not always be directly identifiable from the footage captured by drones, but can still be identified through the context they are captured in or by using the device’s ability to zoom in on a specific person.

As such, it is very important that you can provide a strong justification for their use. Performing a robust DPIA will help you decide if using a drone is the most appropriate method to solve a problem that you have identified.

It is important that you can switch on and off any recording or streaming system on a drone, when appropriate. Unless you have a strong justification for doing so, and it is necessary and proportionate, recording should not be continuous. You should look at this as part of your DPIA.

As always, you should consider the wider context you are using the drone in, rather than just the use of the drone itself. For example, does it connect or interface with other systems? You should also ensure that you store any data you have collected securely, for example by using encryption or another appropriate method of restricting access to the stored information. This is particularly important if the drone is piloted beyond visual line of sight or crashes, and there is potential for the device and the data to be lost or stolen as a result. You should also ensure that you retain data for the shortest time necessary for its purpose and dispose of it appropriately when you no longer require it.

You may be able to reduce the risk of intrusion of others by incorporating data protection by design methods. For example, you may be able to procure a device that has restricted field of vision, or only records after the drone has reached a certain altitude. You can incorporate data protection by design and default into your DPIA and it can form part of your procurement process.

The ICO’s Regulatory Sandbox has carried out some detailed work with Kestrix Ltd, a technology SME which uses drone-captured visual and thermal imaging to assess heat loss in buildings. The ICO helped this organisation to navigate privacy and data protection compliance, particularly in response to public concerns around drone use. You can read our full report on this work at Regulatory Sandbox Final Report: Kestrix Ltd.

Our Tech Horizons Report 2024 has a chapter on the Commercial Use of Drones which goes into further detail about the data protection implications of this technology. 

Do I have to register my drone?

Subject to certain permissions and exemptions for certain users, there are UK requirements for people who fly or are responsible for small unmanned aircraft, including drones and model aircraft. Further information about drone registration in the UK can be found on the CAA’s Drone Safe website.

Example

A local authority wishes to deploy a drone over a seaside resort to monitor public beaches for crowd movement and littering. Naturally, any visitors to the beaches may not reasonably expect to be recorded, especially if they are swimming, sunbathing or there are children present.

The local authority needs to make a strong justification for any recording, based on the sensitivity of the processing. They should take a risk-based approach by carrying out a DPIA before using the technology. This will help assess necessity and proportionality.

If recording does occur in a manner that is compliant with individuals’ rights and aviation rules, the local authority is required to provide the general public with appropriate information about the recording. They would also need to include information about who is responsible, how to contact them, and how individuals can exercise their rights if needed.

Example

A building surveyor uses a drone in a residential area to inspect damage to a roof. The surveyor wishes to use a drone because the high-resolution images allow for a safer and more cost-effective way of working.

In keeping with the principles of data protection law, the surveyor makes a risk-based assessment prior to deployment. They assess how to fly the drone in a way that does not affect the rights and freedoms of individuals. In order to prevent the unintended filming of residents, the surveyor only begins recording at altitude, and does not record any other private property, with the focus being on the roof.

The surveyor also ensures that, where possible, they provide individuals with links to their privacy information or website via temporary signage, and that any operators are fully trained and registered in keeping with Civil Aviation Authority (CAA) requirements.