Drones shall only be used if agreed by the data controller and operated in accordance with the ICO recommendations https://ico.org.uk/your-data-matters/drones/
Use should be limited to:-
- inspection of inaccessible building structures (roofs, etc) ; and
- surveillance in cases where in the opinion of the data controller conventional CCTV would not be appropriate.
Right to be Informed – temporary information signs should be located in and around the area where such use will take place stating the purpose of the surveillance and contact details of the data controller.
Archive Retention – the recognised standard is 30 days however in setting this parameter consider how long it is likely to be before you become aware of an incident. The shorter the archive retention the less potential impact right of access and right to erasure requests will have on the business.
Archive retention of footage relating to incidents that are or may be the subject of investigation shall be until notification by the investigating body that the case is closed or in the absence of such notification for a period not exceeding 6 years.
Privacy – cameras should not view areas where individuals have a reasonable expectation of privacy, including, but not limited to:-
- residential housing including attached external areas not in public view;
- commercial property neither in public view or associated with the purpose of the surveillance; and
- public areas outside the scope of the purpose of the surveillance.
Process – To be documented using the VeriFi Compliance Manual or VeriFi EIDOS Management Information System.
The issue and return of equipment should be recorded by name of the person taking custody together with date and time in a dedicated log book or Daily Occurrence Log.
All recordings should take place at the start of any incident and should continue uninterrupted until the incident has concluded. However, this is subject to the relevant individual(s) having a reasonable expectation of privacy. If the location of the recording changes during the course of an incident then it may be appropriate to stop the drone recording at that point. Recordings should not be made of general duties, unless specifically instructed by the data controller.
Recordings should be transferred from the drones system to a secure PC file and held for the archive period. If no action is to be taken the archive should be deleted after 30 days, should the case remain subject of investigation the need to continue archive retention should be reviewed at monthly intervals until the case is closed.
Recordings shall only be released upon completion of a data release log.