Drones1 are playing an increasing role in government service delivery. Potential uses include law enforcement, emergency and disaster management, infrastructure inspections and environmental monitoring.
Queensland government agencies which capture video and audio recordings using a drone must ensure that their collection, storage, use and disclosure of the recording complies with the privacy obligations in the Information Privacy Act 2009 (Qld) (IP Act).
Not all information collected by a drone will qualify as personal information. Personal information is any information about an individual who is or can reasonably be identified.2 If the information is not about a reasonably identifiable individual, it falls outside the definition of personal information and does not attract the protections afforded by the IP Act.
An individual’s image or voice is unique to that particular individual. Whether a recording of an individual’s image or voice could reasonably identify that individual will depend on the quality of the recording. Quality is determined by factors including the image size and resolution, position of the person to the camera, and the degree to which the individual’s face or other identifying characteristics are visible. If it is uncertain whether the recording will be of sufficient quality to identify an individual, agencies should err on the side of caution by treating the information as personal information and handling it in accordance with the privacy principles.
What an individual was doing, where they were at a particular time or what they said is clearly information about the individual as it reveals a fact or opinion about them. Even if the information is about something other than an individual – a piece of land, for example – it can still be about an individual if there is a sufficient connection between the fact or opinion and the individual to reveal something about the individual.3
Florin Shire Council uses drones to survey its population of rodents of unusual size (ROUS), an invasive animal under the Fire Swamp Act 1987. While the information collected is about ROUS, it is subsequently matched with Council’s property records and used to identify individuals who are unlawfully keeping ROUS. Information that a resident has not complied with animal management legislation is the personal information of that individual.
Building in privacy protections from the start is less expensive or time-consuming than trying to retrofit them later. Conducting a Privacy Impact Assessment (PIA) when planning or initiating a project allows you to identify how the project may impact an individual’s privacy and how the agency can mitigate those impacts. The privacy impacts of using a drone include:
One of the steps in conducting a PIA is to identify and consult with stakeholders. Consultation is an opportunity to address community concerns and build trust by showing that the agency has designed the project with privacy in mind.
Please see OIC’s guideline: Undertaking a Privacy Impact Assessment for further information.
When an agency collects personal information it must ensure that the collection is for a lawful purpose directly related to a function or activity of the agency and that the collection is necessary to achieve that purpose.5 The means by which personal information is collected must also not be unfair or unlawful.
It is imperative that agencies have a clear and specific purpose for which they will use information collected by the drone. Unless an agency knows what it intends to do with the personal information it collects, it cannot readily assess or assert its necessity or articulate how it relates to the performance of one of its functions or activities.
One of the consequences of using drones is that the surveillance can record information incidental to that necessary to fulfil the intended purpose. For example, if an agency were to use drones to survey local parks for noxious weeds, it could collect images of any individuals in the park at that time. Accordingly, it is important to have a clearly defined purpose for the surveillance and that this purpose is directly related to a function or activity of the agency.
Regardless that it was not the agency’s intention to capture images beyond that required for the function or activity, once it is in the agency’s possession, the privacy principles governing storage and security, use, disclosure and overseas transfer nonetheless will then apply to any personal information in these incidental images.
Regardless of how an agency obtains personal information – deliberately or unintentionally – the recording becomes a document of an agency to which individuals have a right to seek access.
Notwithstanding the fact that the agency did not actively set out to record incidental images, there are still steps agencies can take to minimise the potential for there to be unneeded imagery. Agencies should look at where and when the drones will be deployed. In the example of using drones to survey local parks for noxious weeds, an agency could minimise what personal information it collects by deploying the drone at a time when the park is least busy or avoiding more popular areas of the park such as a playground or off-leash dog area.
Providing good communication on the agency’s use of drones in terms of time, date, area and intended purpose can assist in minimising the capture of incidental personal information.
The way in which an agency collects personal information must be lawful and fair.6
In order for collection to be lawful, it must be done in accordance with the law. Agencies may need to seek legal advice on applicable laws when using a drone. For example, an agency may need to comply with:
The way that an agency collects personal information must not be an unreasonable intrusion into an individual’s personal affairs.8 ‘Personal affairs’ references an individual’s domestic environment as opposed to public or work areas.
Factors that may inform whether the collection of personal information is an unreasonable intrusion include:
When an agency collects personal information from the individual it is about, it must take all reasonable steps to provide that individual with certain information.9
Sometimes referred to as a ‘collection notice’, this information must be provided at or before the time of collection or, if that is not practicable, as soon as practicable after.
A collection notice must make individuals aware of:
A common-sense practice11 with collection notices about surveillance activities is to include information about an individual’s right to seek access to the recordings and the process for requesting this access.
In some limited circumstances agencies are not required to provide a collection notice, for example, when delivering emergency12 or health services13 or where the agency is satisfied on reasonable grounds that noncompliance is necessary in order to achieve or carry out a law enforcement function14.
A challenge when using drones is how to provide a collection notice when there is often no direct interaction with the individual concerned. A communication strategy may include:
What constitutes ‘reasonable steps’ will depend on factors such as the nature of the information being collected and how the agency will use and disclose the information.
A community engagement strategy can assist agencies to make well-informed decisions. It is a practical tool that assists in identifying affected stakeholders, what aspects can be influenced by stakeholders, and how the agency can best meet stakeholders’ communication needs.
Agencies are required to protect personal information from misuse, loss and unauthorised access, modification and disclosure.15
Drones collect information in one of two ways:
Both methods have vulnerabilities. If a drone with on-board storage becomes lost or captured by an unauthorised third party, so too will any information it carries. If the drone transmits information through a wireless connection, this connection can be intercepted and used to access or modify the information in transmission. Adequate safeguards such as password protection and encryption should be utilised to address these vulnerabilities.
Other safeguards that should be considered include:
Agencies must take all reasonable steps to ensure that an individual can find out the type of personal information it holds and the main purposes for which this information is used.16
This enables the community to exercise their right of access to information held by government by making it easier for them to find out what personal information the agency might hold about them.
Agencies commonly meet this obligation by publishing a list of its personal information holdings on its website, most commonly in a ‘privacy plan’. Agencies should ensure that this list is updated to include details of the personal information it collected by using drones.
For guidance on managing requests for access to drone recordings, please see OIC’s Guideline: Managing access to Digital Video Recordings.
Agencies can only use personal information for a purpose other than that for which it was collected17 or disclose the personal information to a third party18 if one of the permitted exceptions in the IP Act applies.19
Permitted exceptions include:
Clear policies and procedures for the operation of an agency's drone program will help ensure that staff are aware of their obligations and understand how information collected by the drone can be handled. These policies and procedures should include:
If an agency will contract a third party to operate the drone or to outsource its management of information collected by the drone, it must take all reasonable steps to ensure that the contracted service provider is contractually bound to comply with the privacy principles.22
Once bound, the contracted service provider is responsible for any privacy breaches. If the contracting agency does not take all reasonable steps to bind the contracted service provider, the contracting agency will be responsible for any breach of privacy arising from the actions of the contracted service provider.
For more information about the privacy considerations when outsourcing, please see OIC’s guidance on the privacy considerations when entering into a service arrangement.
Current as at: June 16, 2018