Drones and Children's Privacy Protection in the UK

Quick Answer: Children receive heightened privacy protections under UK law. The UK GDPR, Data Protection Act 2018, and the ICO's Age Appropriate Design Code all impose additional obligations when personal data of children is processed. Drone operators flying near schools, playgrounds, parks, and other areas where children are likely to be present must take particular care to avoid capturing identifiable images of minors. Where consent is the lawful basis for processing, parental consent is required for children under 13 in the UK.

Why Children's Data Demands Special Treatment

UK data protection law recognises that children are a vulnerable group who deserve specific protection regarding their personal data. Recital 38 of the UK GDPR states that children merit specific protection because they may be less aware of the risks, consequences, and safeguards concerned, and of their rights in relation to the processing of personal data.

This heightened protection has direct consequences for drone operators. A drone flying over a residential area, a park, or near a school is likely to capture images of children. Unlike adults, children cannot make informed decisions about whether to avoid an area being surveyed by a drone. They are less likely to understand that their image is being recorded, and they have no practical ability to object in real time.

The legal framework reflects this vulnerability through multiple layers of protection that drone operators must understand and respect.

The UK GDPR and Children's Personal Data

Under the UK GDPR, photographs and video footage that identify a child constitute personal data. The same data protection principles that apply to adults apply to children, but with an additional emphasis on fairness and the need for clear, age-appropriate information.

Consent and the Age Threshold

Where consent is the lawful basis for processing children's data, Article 8 of the UK GDPR sets requirements for information society services. The UK has set the age at which a child can give their own consent to 13 years, as specified in section 9 of the Data Protection Act 2018. Below this age, consent must be given by a person holding parental responsibility.

For drone operators, consent is rarely a practical lawful basis when flying in public spaces. You cannot realistically obtain consent from every child, or their parent, before flying. This means operators must typically rely on legitimate interests under Article 6(1)(f). However, when the data subjects include children, the balancing exercise required by the legitimate interests assessment must give greater weight to the child's interests, rights, and freedoms.

The Best Interests of the Child

The ICO has emphasised that the best interests of the child should be a primary consideration in any processing that involves children's data. This principle, drawn from the United Nations Convention on the Rights of the Child, is embedded in the ICO's guidance and the Age Appropriate Design Code. While the AADC is primarily directed at online services likely to be accessed by children, its underlying principles inform the ICO's approach to all processing of children's data.

Sensitive Locations: Schools, Playgrounds, and Parks

Certain locations present elevated privacy risks because children are expected to be present in significant numbers. Drone operators should exercise particular caution when flying near:

The CAA's regulations on maintaining distance from uninvolved persons under the Air Navigation Order 2016 provide an additional layer of protection, though these rules are primarily about safety rather than privacy.

Key Legislation: UK GDPR Articles 6, 8, 12-14, 35 and Recital 38 | Data Protection Act 2018, s.9 | ICO Age Appropriate Design Code | Children Act 1989 | Air Navigation Order 2016

The ICO Age Appropriate Design Code

The Age Appropriate Design Code, also known as the Children's Code, came into force in September 2021. While it is primarily aimed at providers of information society services likely to be accessed by children, its 15 standards reflect the ICO's broader expectations for how organisations should treat children's data.

Relevant standards for drone operators to consider include:

Even where the AADC does not directly apply to a drone operation, the ICO may use its principles as a benchmark when investigating complaints about children's data.

Safeguarding Considerations

Beyond data protection law, drone operators should be aware of broader safeguarding duties and expectations. Flying a drone equipped with a camera persistently near locations where children gather may attract attention from safeguarding authorities, school staff, or the police, regardless of the operator's actual intentions.

The Protection of Children Act 1978 makes it an offence to take, distribute, or possess indecent photographs of children. While standard aerial photography would not fall within this offence, operators should be aware that their presence with a camera-equipped drone near children's facilities may prompt scrutiny.

Local authorities and schools may have their own policies restricting drone flights near their premises. While these policies may not have the force of law, breaching them could lead to complaints, reputational damage, and potential investigation by the CAA or ICO.

Publishing and Sharing Images of Children

If your drone footage captures identifiable images of children and you intend to publish or share that footage, additional considerations arise. Publishing children's images online exposes them to risks including identification, tracking, and potential misuse of their images.

Before publishing any drone footage that includes identifiable children, operators should:

Social media platforms have their own policies regarding images of children, but compliance with platform rules does not discharge your obligations under the UK GDPR.

Common Misconceptions

Misconception: If children are in a public space, I can photograph them freely. Being in a public space does not remove data protection rights. Children in parks, on streets, or at outdoor events retain their rights under the UK GDPR. The public nature of the space is one factor in the proportionality assessment but does not override the special protections afforded to children.

Misconception: Only professional photographers need to worry about children's privacy. The UK GDPR applies to any data controller, whether professional or recreational. A hobbyist flying a drone over a playground and posting footage online is subject to the same rules as a commercial operator.

Misconception: Blurring faces is always sufficient. While blurring is an important privacy measure, children may be identifiable through other means: school uniforms, distinctive clothing, context, or location. A comprehensive approach to anonymisation considers all potential identifiers.

Practical Steps for Drone Operators

  1. Avoid flying over or near schools, nurseries, playgrounds, and children's sports facilities unless strictly necessary for a legitimate purpose
  2. If your flight path passes near children's locations, plan your route to minimise the area and duration of potential capture
  3. Conduct a Data Protection Impact Assessment for any operation that is likely to capture children's images systematically
  4. Apply automatic blurring or anonymisation to footage containing children wherever possible
  5. Never publish identifiable images of children without parental consent
  6. Set short retention periods for footage containing children's images and delete promptly when no longer needed
  7. Be prepared to explain your presence and purpose to concerned parents, school staff, or police officers
  8. Carry your operator ID, CAA registration, and a summary of your privacy policy when flying

Check your flight plan instantly with MmowW Drone — the compliance companion built by a Gyoseishoshi.

Start Free — Your Drone, Legally Clear 0 setup fees · cancel anytime · BigMac Price forever