Piyo (Beginner Pilot)

Piyo: I fly drones for inspections and photography. When I collect video/images with my drone, what privacy laws apply? Can I use facial recognition? How do I store the data?

:::

Poppo (Compliance Expert)

Poppo: Excellent question. Privacy is increasingly important in NZ drone operations. Let me explain the Privacy Act, surveillance rules, facial recognition limits, and data storage obligations.

:::

Privacy Act & Drone Operations

Data Storage & Security Best Practices

Encryption Standards

Minimum encryption for sensitive drone data:

Data Type Encryption Standard Tool Example
Video files (footage containing people) AES-256 (military-grade) VeraCrypt, BitLocker, macOS FileVault
Personal metadata (names, addresses) AES-256 Password manager + encrypted drive
Client information AES-128 minimum (consumer-grade acceptable) Encrypted folders, cloud encryption (Google Drive, OneDrive)
Backup/archive AES-256 recommended External encrypted drive, encrypted cloud storage

Recommendation: Use AES-256 encryption for any files containing identifiable people or sensitive business data.

Storage Location Options

Option Security Level Cost Recommendation
Local encrypted drive (external HDD) High varies — check with relevant providers Good for active projects
Local encrypted SSD Very High NZ$300-800 Best for fast access
Cloud storage (encrypted, NZ-hosted) Medium-High NZ$20-100/month Good for backups & redundancy
Cloud storage (Amazon/Google, unencrypted) Low NZ$0-20/month Not recommended for sensitive data
USB stick (encrypted) Medium NZ$50-100 Easy to lose; backup only

Best practice: 3-2-1 Backup Rule
  • 3 copies of data (original + 2 backups)
  • 2 different storage media (local + cloud)
  • 1 copy offsite (cloud backup in case house fire destroys local copies)

Example setup:
  1. Primary: Encrypted SSD in locked cabinet
  2. Backup 1: Encrypted external HDD (stored separately, not on-site)
  3. Backup 2: Encrypted cloud storage (offsite backup)

Data Retention Guidelines

How long to keep drone footage:

Data Type Minimum Retention Maximum Retention Notes
Client project footage (delivered) Until client receives copy 1-2 years after project Keep for warranty/liability proof
Client project raw files 6 months after delivery 1-2 years Delete after client confirms satisfaction
Security footage (routine monitoring) 7-30 days 60 days maximum Automatic deletion is best practice
Security footage (incident recorded) Until investigation closed 2-3 years or per legal requirement Law enforcement may request retention
Test/training footage Not required 30 days recommended Delete when not needed
Marketing footage (with consent) For business use 5-10 years Can retain while actively marketing

Important: Document your retention policy in writing. This shows Privacy Commissioner you have intentional data management, not just "keeping everything forever."

Access Control

Who can access drone data:
  1. Primary operator (always has access)
  2. Client (for their project files only)
  3. Staff (only if they have legitimate work need)
  4. Law enforcement (only if legal warrant/court order)
  5. Insurance/auditors (only for compliance verification)

Everyone else: NO ACCESS Implementation:
  • Password-protect storage devices
  • Use role-based access (different employees see different files)
  • Audit log access (if possible) – track who viewed what, when
  • Encrypt files so even if device is stolen, data is unreadable

Privacy Officer & Documentation

Required Documentation (For Compliance)

If you handle personal information via drones, document:

  1. Privacy policy (written document)

  • What drone data you collect
  • Why you collect it (lawful purpose)
  • How you protect it (security measures)
  • How long you keep it (retention policy)
  • Who can access it (access controls)
  • Share with clients & staff

  1. Data breach response plan (in case of data loss/theft)

  • Who to notify (client, Privacy Commissioner if serious)
  • Timeline for notification (usually within 72 hours for serious breaches)
  • How to remediate (fix the problem)

  1. Privacy assessment (for high-risk operations)

  • Document why you need to collect personal data via drones
  • Identify privacy risks
  • Describe mitigation measures
  • Justify proportionality (is surveillance necessary?)

Example privacy policy paragraph:

"XYZ Drone Services collects video imagery during professional drone operations. Personal information (images of identifiable individuals) is collected only with consent and for the specified purpose. Data is encrypted, stored securely, and deleted within 12 months of project completion unless client requests longer retention. Individuals have the right to request access to personal information and correct inaccuracies. Questions about privacy? Contact [privacy@xyzdroneservices.nz]."

Privacy Commissioner & Complaints

If someone files a privacy complaint against you:
  1. Privacy Commissioner will contact you (initial investigation)
  2. You must respond with your data handling explanation (within 10 business days typically)
  3. Commissioner investigates (interviews, reviews procedures)
  4. Finding issued – Commissioner determines if you violated Privacy Act
  5. If violation found – You may be ordered to:

  • Apologize to affected person
  • Pay compensation (NZ$1,000-$50,000+ depending on severity)
  • Change practices going forward

Prevention: Follow Privacy Act principles proactively; you won't have complaints.

FAQ

Q: Is filming someone in public (from drone) without consent a privacy violation?

A: Yes, if they're identifiable. Being in public doesn't eliminate privacy expectations (High Court ruling). Disclose drone use, don't record faces without consent, especially from above.

Q: Can I use facial recognition to identify event guests automatically?

A: No, not without explicit consent. Privacy Commissioner treats facial recognition as biometric data (highly sensitive). Get written permission first.

Q: How long must I keep drone footage for legal protection?

A: 1-2 years minimum (covers most liability claims). After that, delete per your retention policy. Keeping longer requires justified business purpose.

Q: What if footage shows a crime on neighboring property—can I share with police?

A: Yes. Law enforcement can request footage for investigations. You can voluntarily share with police (lawful purpose). Document the request in writing.

Q: Can I share event footage on social media (Instagram, TikTok, YouTube)?

A: Only if you have explicit written consent from recognizable people in the footage. "I attended your event" doesn't imply consent to publish online. Get permission or blur faces.

Q: Is drone surveillance of my own property a privacy violation?

A: Generally no (you own it), but if it captures neighbors' property or public areas, follow disclosure guidelines. Document your security purpose clearly.

Q: Do I need CCTV notice signs for a surveillance drone?

A: Yes, recommended (shows transparency). Post "Drone Surveillance in Progress" or "CCTV in Operation" signs so people know they may be recorded.

Q: What's the penalty for Privacy Act violations?

MmowW for NZ Drone Privacy Compliance: Privacy management is integral to professional drone operations. MmowW tracks: consent records (who authorized filming), data retention dates (when to delete), access logs (who viewed what), security encryption status. At NZ$8.60 per drone per month, you maintain a complete privacy audit trail proving compliance with NZ Privacy Act. Collect data responsibly. Protect privacy. Stay compliant.