The Commonwealth Department of Infrastructure, Transport, Regional Development, Communications and the Arts (the Department) recently completed public consultation on draft privacy guidelines for commercial and recreational drone operators.
Background
Drone use in Australia has grown exponentially in recent years, with operators utilising remotely piloted aircraft in areas such as search and rescue, media, surveying, logistics and home delivery services. This proliferation has caused a corresponding increase in community sensitivity to the impact of drone use on privacy.
There is no drone-specific privacy law in Australia. Rather, there is a patchwork of Commonwealth, state and territory legislation and common law which may apply to drone operations, including with respect to personal information, surveillance, trespass and nuisance.
The guidelines
The guidelines are intended as an educational tool to provide operators with a set of easy-to-understand parameters for operating drones in line with reasonable community expectations for privacy.
The Guidelines contain 6 best practice Drone Privacy Principles (DPPs) which are summarised below:
| DP1 | Informing others or obtaining consent when collecting data. | For commercial operators this includes having a communications strategy and creating an easily accessible means for individuals to express their concerns. |
| DP2 | Minimising the viewing, recording and/or collection of data. | Drone users should only record data where absolutely necessary. It is also recommended that commercial operators have a privacy policy. |
| DP3 | Using data only for the original purpose. | The guidelines refer drone users to Part 3 of the Australian Privacy Principles under the Privacy Act 1988 which govern dealing with personal information once it has been obtained. |
| DP4 | Handling data securely. | Commercial operators are advised to de-identify data once no longer needed and to use reasonable safeguards. |
| DP5 | Knowing laws and rules. | Users are reminded to fly in accordance with CASA drone safety rules. While these are not strictly privacy-related, compliance may enhance privacy (for example by staying at least 30 metres from bystanders when flying). |
| DP6 | Being aware of the Privacy Act and the Australian Privacy Principles (APPs). | The APPs establish guardrails around the collection, use and disclosure of personal information and sensitive information, which apply to Commonwealth Government agencies and organisations with an annual turnover exceeding $3 million (APP Entities). The APPs also provide individuals with the right to seek access or correction to personal information held by the APP Entity, as well as the ability to make complaints about interference with the individual's privacy. |
The DPPs are based on similar concepts to those used in the APPs and refer users to the APPs for further information. Among other things, the APPs set out a framework regulating:
- the requirement to have an open, transparent, and up to date privacy policy;
- the collection of personal information, including when an individual should be notified about the collection of the individual’s personal information, and the matters to be included in the notification;
- the use and disclosure of personal information collected, including when consent is required;
- how an APP Entity can use or disclose personal information for a direct marketing purpose;
- how long personal information can be retained; and
- the right of individuals to seek access or corrections to personal information held by an APP Entity.
Although the APPs do not apply to individuals in their personal capacity (such as recreational hobbyists), APP Entities are bound by the requirements of the APPs in all aspects of their business. With the increased penalties for serious and repeated interferences with privacy passed by the Australian Parliament late last year, APP Entities that intend to deploy or use remotely piloted aircrafts or drones in their business should consider the APP requirements before deploying any remotely piloted aircrafts or drones. As a matter of good practice, APP Entities should conduct a privacy impact assessment to identify the potential impact the contemplated use of remotely piloted aircrafts or drones might have on the privacy of individuals and assess whether such use aligns with the APP Entity’s privacy policy and practices, and the requirements of the APPs.
Key takeaways
- As the name suggests, the guidelines will not be mandatory, but will instead act as a voluntary, recommended code of conduct.
- The DPPs have a broader reach than the existing APPs under the Privacy Act. The DPPs apply to all drone users, including recreational hobbyists and small businesses. By contrast, the APPs do not generally apply to individuals or businesses whose turnover does not exceed $3 million per annum.
- The guidelines ultimately released by the Department may differ from those released during the public consultation process.
Further information
Further information on the draft guidelines is available here.
This article was written by Jayne Heatley, Partner and Luke Dale, Partner.
