Drones1 are playing an increasing role in government service delivery. Potential uses include law enforcement, emergency and disaster management, infrastructure inspections and environmental monitoring.
Queensland government agencies2 which capture video and audio recordings using a drone must ensure that their collection, storage, use and disclosure of the recording complies with the Queensland Privacy Principles (QPPs) in the Information Privacy Act 2009 (Qld) (IP Act).
Not all information collected by a drone will qualify as personal information. Personal information is any information about an individual who can be identified.3 If the information is not personal information, it does not attract the protections in the IP Act.
An individual’s image or voice is unique to that particular individual. Whether a recording of an individual’s image or voice could reasonably identify that individual will depend on the quality of the recording. Quality is determined by factors including the image size and resolution, position of the person to the camera, and the degree to which the individual’s face or other identifying characteristics are visible.
What an individual was doing, where they were at a particular time or what they said is clearly information about the individual as it reveals a fact or opinion about them. Even if the information is about something other than an individual – a piece of land, for example – it can still be about an individual if there is a sufficient connection between the fact or opinion and the individual to reveal something about the individual.
Florin Shire Council uses drones to survey its population of rodents of unusual size (ROUS), an invasive animal under the Fire Swamp Act 1987. While the information collected is about ROUS, it is subsequently matched with Council’s property records and used to identify individuals who are unlawfully keeping ROUS. Information that a resident has not complied with animal management legislation is the personal information of that individual.
Building in privacy protections from the start is less expensive or time-consuming than trying to retrofit them later. Conducting a Privacy Impact Assessment (PIA) when planning or initiating a project allows you to identify how the project may impact an individual’s privacy and how the agency can mitigate those impacts. The privacy impacts of using a drone include:
Refer to Undertaking a Privacy Impact Assessment for more information.
When an agency collects personal information it must ensure that the collection is for a lawful purpose directly related to a function or activity of the agency and that the collection is necessary to achieve that purpose.4 The means by which personal information is collected must also not be unfair or unlawful.
Agencies must have a clear and specific purpose for which they will use information collected by the drone. Unless an agency knows what it intends to do with the personal information it collects, it cannot readily assess or assert its necessity or articulate how it relates to the performance of one of its functions or activities.
One of the consequences of using drones is that the surveillance can record information incidental to that necessary to fulfil the intended purpose. For example, if an agency were to use drones to survey local parks for noxious weeds, it could collect images of any individuals in the park at that time. Accordingly, it is important to have a clearly defined purpose for the surveillance and that this purpose is directly related to a function or activity of the agency.
Regardless that it was not the agency’s intention to capture images beyond that required for the function or activity, once it is in the agency’s possession, the privacy principles governing storage and security, use, disclosure and overseas transfer nonetheless will then apply to any personal information in these incidental images.
Notwithstanding the fact that the agency did not actively set out to record incidental images, there are still steps agencies can take to minimise the potential for there to be unneeded imagery. Agencies should look at where and when the drones will be deployed. In the example of using drones to survey local parks for noxious weeds, an agency could minimise what personal information it collects by deploying the drone at a time when the park is least busy or avoiding more popular areas of the park such as a playground or off-leash dog area.
Providing good communication on the agency’s use of drones in terms of time, date, area and intended purpose can assist in minimising the capture of incidental personal information.
QPP 5 requires agencies to collect personal information by lawful and fair means.
For collection to be lawful, it must be done in accordance with the law. Agencies may need to seek legal advice on applicable laws when using a drone. For example, an agency may need to comply with:
QPP 5 also requires agencies collecting personal information to make the individual aware of certain information. A challenge when using drones is how to provide this information when there is often no direct interaction with the individual concerned. Reasonable steps could include:
A community engagement strategy can assist agencies to make well-informed decisions. It is a practical tool that assists in identifying affected stakeholders, what aspects can be influenced by stakeholders, and how the agency can best meet stakeholders’ communication needs.
Refer to QPP 5 – what to tell people when collecting personal information and QPP 5 – collection notices for more information.
QPP 11 requires agencies to protect personal information from misuse, loss and unauthorised access, modification and disclosure.
Drones collect information in one of two ways:
Both methods have vulnerabilities. If a drone with on-board storage becomes lost or captured by an unauthorised third party, so too will any information it carries. If the drone transmits information through a wireless connection, this connection can be intercepted and used to access or modify the information in transmission. Adequate safeguards such as password protection and encryption should be utilised to address these vulnerabilities.
Other safeguards could include:
Agencies can only use and disclose personal information for the purpose it was collected or for one of the secondary purposes set out in QPP 6. These secondary purposes include:
Clear policies and procedures for the operation of an agency's drone program will help ensure that staff are aware of their obligations and understand how information collected by the drone can be handled. These policies and procedures should include:
If an agency will contract a third party to operate the drone or to outsource its management of information collected by the drone, it may need to take all reasonable steps to ensure that the contracted service provider is contractually bound to comply with the privacy principles.
Once bound, the contracted service provider is responsible for any privacy breaches. If the contracting agency does not take all reasonable steps to bind the contracted service provider, the contracting agency will be responsible for any breach of privacy arising from the actions of the contracted service provider.
Refer to Binding contractors to the IP Act for more information.
Current as at: July 1, 2025