See Beyond Ordinary

Privacy

In Advisory Circular 107-2, para 1.1.3, the FAA encourages all private and commercial UAS operators to adhere to state and local privacy laws and to follow the National Telecommunications and Information Administration (NTIA) Voluntary Best Practices for UAS Privacy, Transparency, and Accountability. The guidelines laid out in this document are great and we want the community to know that Great Lakes Drone Company LLC has embraced these best practices since it was founded.  Although these best practices are not regulatory, they are common sense and something that we want to promote and encourage among other UAS operators.

The NTIA Best Practices are “meant to go beyond existing law and they do not — and are not meant to — create a legal standard of care by which the activities of any particular UAS operator should be judged.  These Best Practices are also not intended to serve as a template for future statutory or regulatory obligations, in part because doing so would make these standards mandatory (not voluntary) and could therefore raise First Amendment concerns.”  I think this is a good approach to have and one that allows UAS operators to consciously and actively support.

NTIA defines covered data as information collected by a UAS that identifies a particular person. “If data collected by UAS likely will not be linked to an individual’s name or other personally identifiable information, or if the data is altered so that a specific person is not recognizable, it is not covered data.”

Here’s an outline of the NTIA’s Best Practices and how Great Lakes Drone Company LLC supports and adheres to these guidelines:

  • “Inform others of your use of UAS:  Where practicable, UAS operators should make a reasonable effort to provide prior notice to individuals of the general time frame and area that they may anticipate a UAS intentionally collecting covered data.”
    • Great Lakes Drone Company LLC has always been aware of privacy concerns and we have taken action to include making contact with neighbors in residential areas.  We have offered to show them the imagery we have taken in support of our customer’s needs and to address concerns that they may have.
  • “When a UAS operator anticipates that the UAS use may result in collection of covered data, the operator should provide a privacy policy for such data appropriate to the size and complexity of the operator, or incorporate such a policy into an existing privacy policy…”
    • Great Lakes Drone Company LLC has developed a privacy policy that we make available here on our website as well as printed copies that we have available for interested parties when we are flying missions.  This policy outlines:
      • The purposes for which UAS operations may collect covered data (real estate, industrial inspection, etc)
      • The kinds of covered data that UAS operations may collect (photography, video, audio)
      • Information regarding data retention and de-identification (blur) practices
      • Examples of the types of any entities with whom covered data will be shared (real estate agent, post processing editor, website company)
      • Information on how to submit privacy and security complaints or concerns (website, mail, email, phone)
      • Information describing practices in responding to law enforcement requests
        • This is a tough one.  How do we handle this?
  • “Show care when operating a UAS or Collecting and Storing Covered Data:…UAS operators should avoid using UAS for the specific purpose of intentionally collecting covered data where the operator knows the data subject has a reasonable expectation of privacy.”
    • Our UAS operations are intended to only collect video and photos for the explicit support of our customer’s needs.  Incidental collection of covered data by our operations will either be handled by obtaining permission from the individual for the explicit use of our customer, or blurring out any personal identifying information, or cutting that imagery from our storage.
  • “…UAS operators should avoid using UAS for the specific purposes of persistent and continuous collection of covered data about individuals.”
    • It should go without saying that our UAS operations are not involved in persistent and continuous collection of covered data on individuals.  This is not our mission and we will not conduct these operations.
  • “…UAS operators should make a reasonable effort to minimize UAS operations over or within private property without consent of the property owner or without appropriate legal authority.”
    • Since our inception, we have attempted to contact any property owners that may have images or video collected while conducting a mission for our customer.  In most cases, this works very well and we are able to address any concerns at that time.  Our goal is to be transparent and accountable for our operations.
  • “UAS operators should make a reasonable effort to avoid knowingly retaining covered data longer than reasonably necessary to fulfill a purpose…”
    • Since our inception, we have included in our contract, a data retention policy to ensure that we remove data that we have collected.  This also encourages us to keep removing data from our storage to include our backup storage devices.  This is complex and time consuming, but something that we work hard at.
  • “UAS operators should establish a process, appropriate to the size and complexity of the operator, for receiving privacy or security concerns, including requests to delete, de-identify, or obfuscate the data subject’s covered data.”
    • Great Lakes Drone Company LLC has a contact form on our website which allows individuals to contact us to bring up any privacy concerns.
  • “Limit the Use and Sharing of Covered Data: UAS operators should consider taking the following actions to secure covered data:”
    • “Having a written security policy with respect to the collection, use, storage, and dissemination of covered data appropriate to the size and complexity of the operator and the sensitivity of the data collected and retained.”
      • Great Lakes Drone Company LLC has established a written security policy (and training) to ensure that any UAS operators understand and are sensitive to the data that they have collected, to keep it secure, and to remove it from the memory cards or computer hard drives when it is no longer needed to support our customer operations or marketing needs.”
    • “Making a reasonable effort to regularly monitor systems for breach and data security risks.”
      • Great Lakes Drone Company LLC ensures that the computers we use have firewalls enabled and that our online cloud storage providers are enabled with two-factor authentication.  We monitor our systems and we are notified via email when new files have been added or deleted.
    • “Making a reasonable effort to provide security training to employees with access to covered data.”
      • Great Lakes Drone Company LLC conducts security training annually with the camera and UAS operators.  Any third party team members will also be reminded of privacy concerns that they should be on the lookout for while post processing any video or photo data.
    • “Making a reasonable effort to permit only authorized individuals to access covered data.”
      • Great Lakes Drone Company LLC does this by limiting the number of employees and consultants to the raw data that may have covered data in it.  During post processing activities, we are also on the lookout for any personal identifying data and we either remove the data from the photo or video or we will use blurring techniques to make the individual unrecognizable.
    • “Monitor and Comply with Evolving Federal, State, and Local UAS Laws: UAS operators should ensure compliance with evolving applicable laws and regulations and UAS operators’ own privacy and security policies through appropriate internal processes.”
      • Although this is difficult, we make an effort to ensure that applicable federal, state, and local laws are researched for the area we are asked to be operating in before conducting any UAS operations.  This can be difficult and time consuming because there are so many types of jurisdictions to consider.  For example, there are state, town, county, and possibly HOA privacy rules that we attempt to research and understand before conducting operations.