Drones and the Privacy Principles

Drones¹ are playing an increasing role in government service delivery. Potential uses include law enforcement, emergency and disaster management, infrastructure inspections and environmental monitoring.

Queensland government agencies² which capture video and audio recordings using a drone must ensure that their collection, storage, use and disclosure of the recording complies with the Queensland Privacy Principles (QPPs) in the Information Privacy Act 2009 (Qld) (IP Act).

Personal information

Not all information collected by a drone will qualify as personal information. Personal information is any information about an individual who can be identified.³ If the information is not personal information, it does not attract the protections in the IP Act.

An individual’s image or voice is unique to that particular individual. Whether a recording of an individual’s image or voice could reasonably identify that individual will depend on the quality of the recording. Quality is determined by factors including the image size and resolution, position of the person to the camera, and the degree to which the individual’s face or other identifying characteristics are visible.

What an individual was doing, where they were at a particular time or what they said is clearly information about the individual as it reveals a fact or opinion about them. Even if the information is about something other than an individual – a piece of land, for example – it can still be about an individual if there is a sufficient connection between the fact or opinion and the individual to reveal something about the individual.

Privacy by design

Building in privacy protections from the start is less expensive or time-consuming than trying to retrofit them later. Conducting a Privacy Impact Assessment (PIA) when planning or initiating a project allows you to identify how the project may impact an individual’s privacy and how the agency can mitigate those impacts. The privacy impacts of using a drone include:

• secondary use: information collected for one purpose is then used for another purpose
• lack of transparency: individuals are not made aware that they are under surveillance and do not understand what the information will be used for.
• intrusiveness: depending on where surveillance activities take place and what they capture, practices may be considered unreasonably intrusive and disproportionate to the purpose they are trying to achieve; and
• over-collection: surveillance activities may generate and capture more information than is necessary.

Refer to Undertaking a Privacy Impact Assessment for more information.

Collection

When an agency collects personal information it must ensure that the collection is for a lawful purpose directly related to a function or activity of the agency and that the collection is necessary to achieve that purpose.⁴ The means by which personal information is collected must also not be unfair or unlawful.

Agencies must have a clear and specific purpose for which they will use information collected by the drone. Unless an agency knows what it intends to do with the personal information it collects, it cannot readily assess or assert its necessity or articulate how it relates to the performance of one of its functions or activities.

Incidental collection

One of the consequences of using drones is that the surveillance can record information incidental to that necessary to fulfil the intended purpose. For example, if an agency were to use drones to survey local parks for noxious weeds, it could collect images of any individuals in the park at that time. Accordingly, it is important to have a clearly defined purpose for the surveillance and that this purpose is directly related to a function or activity of the agency.

Regardless that it was not the agency’s intention to capture images beyond that required for the function or activity, once it is in the agency’s possession, the privacy principles governing storage and security, use, disclosure and overseas transfer nonetheless will then apply to any personal information in these incidental images.

Notwithstanding the fact that the agency did not actively set out to record incidental images, there are still steps agencies can take to minimise the potential for there to be unneeded imagery. Agencies should look at where and when the drones will be deployed. In the example of using drones to survey local parks for noxious weeds, an agency could minimise what personal information it collects by deploying the drone at a time when the park is least busy or avoiding more popular areas of the park such as a playground or off-leash dog area.

Providing good communication on the agency’s use of drones in terms of time, date, area and intended purpose can assist in minimising the capture of incidental personal information.

Lawful and fair collection

QPP 5 requires agencies to collect personal information by lawful and fair means.

For collection to be lawful, it must be done in accordance with the law. Agencies may need to seek legal advice on applicable laws when using a drone. For example, an agency may need to comply with:

• Civil Aviation Safety Regulations 1988 (Cth) Part 101 in relation to aerial drones
• Invasion of Privacy Act 1971 (Qld) in relation to audio recording of private conversations
• section 227A of the Criminal Code 1899 (Qld) concerning observations or recordings in circumstances where a reasonable adult would expect to afforded privacy
• Maritime Safety Queensland and Australian Maritime Safety Authority requirements for underwater drones; and/or
• Major Events Act 2014 (Qld) in relation to operating an aircraft above a major event area.

Making people aware of the collection

QPP 5 also requires agencies collecting personal information to make the individual aware of certain information. A challenge when using drones is how to provide this information when there is often no direct interaction with the individual concerned. Reasonable steps could include:

• posting a news item or media release on the agency’s website
• posting content on the agency’s social media accounts
• placing physical signage around the area under surveillance
• distributing flyers to the letterboxes of affected households; and/or
• running a newspaper and/or radio advertisement; and/or
• putting up a banner at the ‘launch site’.

A community engagement strategy can assist agencies to make well-informed decisions. It is a practical tool that assists in identifying affected stakeholders, what aspects can be influenced by stakeholders, and how the agency can best meet stakeholders’ communication needs.

Refer to QPP 5 – what to tell people when collecting personal information and QPP 5 – collection notices for more information.

Security of personal information

QPP 11 requires agencies to protect personal information from misuse, loss and unauthorised access, modification and disclosure.

Drones collect information in one of two ways:

• recordings are stored on-board (for example, on a memory card or hard drive); or
• recordings are transmitted back to a central device where they are then stored.

Both methods have vulnerabilities. If a drone with on-board storage becomes lost or captured by an unauthorised third party, so too will any information it carries. If the drone transmits information through a wireless connection, this connection can be intercepted and used to access or modify the information in transmission. Adequate safeguards such as password protection and encryption should be utilised to address these vulnerabilities.

Other safeguards could include:

• limiting the staff who can access stored recordings to those who ‘need to know’
• maintaining an audit log of who accesses stored recordings and when it was accessed; and
• establishing clear protocols for responding to requests for access to, or copies of, recordings (for example, who has authority to release recordings in response to a request from a law enforcement agency).

Use and disclosure of personal information

Agencies can only use and disclose personal information for the purpose it was collected or for one of the secondary purposes set out in QPP 6. These secondary purposes include:

• the individual it is about expressly or impliedly consented to the use or disclosure
• the use or disclosure is reasonably necessary to lessen or prevent a serious risk to an individual or to the public
• the use or disclosure is authorised or required under a law; and
• the use or disclosure is reasonably necessary for a law enforcement activity

Clear policies and procedures for the operation of an agency's drone program will help ensure that staff are aware of their obligations and understand how information collected by the drone can be handled. These policies and procedures should include:

• the purpose of the drone program
• what information is collected
• how information will be stored and how long information will be retained
• how requests to disclose or use information for another purpose will be managed
• who is permitted to access the information; and
• who the appropriate contact is within the agency, should staff or members of the public have questions about the program.

Outsourcing

If an agency will contract a third party to operate the drone or to outsource its management of information collected by the drone, it may need to take all reasonable steps to ensure that the contracted service provider is contractually bound to comply with the privacy principles.

Once bound, the contracted service provider is responsible for any privacy breaches. If the contracting agency does not take all reasonable steps to bind the contracted service provider, the contracting agency will be responsible for any breach of privacy arising from the actions of the contracted service provider.

Refer to Binding contractors to the IP Act for more information.