Piyo: I fly drones for inspections and photography. When I collect video/images with my drone, what privacy laws apply? Can I use facial recognition? How do I store the data?
Poppo: Excellent question. Privacy is increasingly important in NZ drone operations. Let me explain the Privacy Act, surveillance rules, facial recognition limits, and data storage obligations.
Privacy Act & Drone Operations
Data Storage & Security Best Practices
Encryption Standards
Minimum encryption for sensitive drone data:| Data Type | Encryption Standard | Tool Example |
|---|---|---|
| Video files (footage containing people) | AES-256 (military-grade) | VeraCrypt, BitLocker, macOS FileVault |
| Personal metadata (names, addresses) | AES-256 | Password manager + encrypted drive |
| Client information | AES-128 minimum (consumer-grade acceptable) | Encrypted folders, cloud encryption (Google Drive, OneDrive) |
| Backup/archive | AES-256 recommended | External encrypted drive, encrypted cloud storage |
Storage Location Options
| Option | Security Level | Cost | Recommendation |
|---|---|---|---|
| Local encrypted drive (external HDD) | High | varies — check with relevant providers | Good for active projects |
| Local encrypted SSD | Very High | NZ$300-800 | Best for fast access |
| Cloud storage (encrypted, NZ-hosted) | Medium-High | NZ$20-100/month | Good for backups & redundancy |
| Cloud storage (Amazon/Google, unencrypted) | Low | NZ$0-20/month | Not recommended for sensitive data |
| USB stick (encrypted) | Medium | NZ$50-100 | Easy to lose; backup only |
- 3 copies of data (original + 2 backups)
- 2 different storage media (local + cloud)
- 1 copy offsite (cloud backup in case house fire destroys local copies)
- Primary: Encrypted SSD in locked cabinet
- Backup 1: Encrypted external HDD (stored separately, not on-site)
- Backup 2: Encrypted cloud storage (offsite backup)
Data Retention Guidelines
How long to keep drone footage:| Data Type | Minimum Retention | Maximum Retention | Notes |
|---|---|---|---|
| Client project footage (delivered) | Until client receives copy | 1-2 years after project | Keep for warranty/liability proof |
| Client project raw files | 6 months after delivery | 1-2 years | Delete after client confirms satisfaction |
| Security footage (routine monitoring) | 7-30 days | 60 days maximum | Automatic deletion is best practice |
| Security footage (incident recorded) | Until investigation closed | 2-3 years or per legal requirement | Law enforcement may request retention |
| Test/training footage | Not required | 30 days recommended | Delete when not needed |
| Marketing footage (with consent) | For business use | 5-10 years | Can retain while actively marketing |
Access Control
Who can access drone data:- Primary operator (always has access)
- Client (for their project files only)
- Staff (only if they have legitimate work need)
- Law enforcement (only if legal warrant/court order)
- Insurance/auditors (only for compliance verification)
- Password-protect storage devices
- Use role-based access (different employees see different files)
- Audit log access (if possible) – track who viewed what, when
- Encrypt files so even if device is stolen, data is unreadable
Privacy Officer & Documentation
Required Documentation (For Compliance)
If you handle personal information via drones, document:
- Privacy policy (written document)
- What drone data you collect
- Why you collect it (lawful purpose)
- How you protect it (security measures)
- How long you keep it (retention policy)
- Who can access it (access controls)
- Share with clients & staff
- Data breach response plan (in case of data loss/theft)
- Who to notify (client, Privacy Commissioner if serious)
- Timeline for notification (usually within 72 hours for serious breaches)
- How to remediate (fix the problem)
- Privacy assessment (for high-risk operations)
- Document why you need to collect personal data via drones
- Identify privacy risks
- Describe mitigation measures
- Justify proportionality (is surveillance necessary?)
"XYZ Drone Services collects video imagery during professional drone operations. Personal information (images of identifiable individuals) is collected only with consent and for the specified purpose. Data is encrypted, stored securely, and deleted within 12 months of project completion unless client requests longer retention. Individuals have the right to request access to personal information and correct inaccuracies. Questions about privacy? Contact [privacy@xyzdroneservices.nz]."
Privacy Commissioner & Complaints
If someone files a privacy complaint against you:- Privacy Commissioner will contact you (initial investigation)
- You must respond with your data handling explanation (within 10 business days typically)
- Commissioner investigates (interviews, reviews procedures)
- Finding issued – Commissioner determines if you violated Privacy Act
- If violation found – You may be ordered to:
- Apologize to affected person
- Pay compensation (NZ$1,000-$50,000+ depending on severity)
- Change practices going forward
FAQ
Q: Is filming someone in public (from drone) without consent a privacy violation?A: Yes, if they're identifiable. Being in public doesn't eliminate privacy expectations (High Court ruling). Disclose drone use, don't record faces without consent, especially from above.
Q: Can I use facial recognition to identify event guests automatically?A: No, not without explicit consent. Privacy Commissioner treats facial recognition as biometric data (highly sensitive). Get written permission first.
Q: How long must I keep drone footage for legal protection?A: 1-2 years minimum (covers most liability claims). After that, delete per your retention policy. Keeping longer requires justified business purpose.
Q: What if footage shows a crime on neighboring property—can I share with police?A: Yes. Law enforcement can request footage for investigations. You can voluntarily share with police (lawful purpose). Document the request in writing.
Q: Can I share event footage on social media (Instagram, TikTok, YouTube)?A: Only if you have explicit written consent from recognizable people in the footage. "I attended your event" doesn't imply consent to publish online. Get permission or blur faces.
Q: Is drone surveillance of my own property a privacy violation?A: Generally no (you own it), but if it captures neighbors' property or public areas, follow disclosure guidelines. Document your security purpose clearly.
Q: Do I need CCTV notice signs for a surveillance drone?A: Yes, recommended (shows transparency). Post "Drone Surveillance in Progress" or "CCTV in Operation" signs so people know they may be recorded.
Q: What's the penalty for Privacy Act violations?