Posted by Charlotte Ebbutt, Associate
Drones – a new risk to privacy in the office
Management of data risks is an ever-evolving responsibility. With recent media coverage of law firms photographing client documents on the desks of competitor firms the need to manage threats outside the building is now part of the risk management role. The latest threat to privacy faced by business is from the use of drones.
Law firms in the City have reported drones hovering outside their office windows. The issue has become significant enough to be flagged by the Law Society to its members. The risk of course is that these drones, fitted with cameras, are breaching the privacy of the businesses concerned and of their clients. Focussing on the security around office doors may mean that the threats of breach by way of drones filming through windows are neglected.
So what is the regulatory position?
The Information Commissioner, the UK’s data regulator, recommends that the users of drone cameras should operate them in a responsible way to respect the privacy of others. If the drone is used for a “professional purpose”, then the drone section of the CCTV code sets out various regulatory requirements. The Data Protection Act 2018 also applies to the piloting of live systems that will capture personal data. The lawful use of a drone to capture personal data would require a privacy impact assessment to be carried out in advance. That assessment would require a balance between the benefit to the drone’s data controller and the detriment to the data subjects.
Is spying by drones lawful?
Taking photographs of information on an office desk without the consent of those occupying the office is clearly a breach of privacy regulations and data protection law. The fact that such relatively extreme measures have been taken indicates either the absence of lawful means to obtain the data in question or an attempt to intimidate or unsettle an opponent or business rival.
Adapt policies and procedures
As a practical step towards mitigating any potential privacy threat from drones, businesses should consider amending internal risk policies. Suggesting that papers are not left on a desk when the occupant steps away for more than a couple of minutes is a much easier step to take than trying to capture and trace a drone. Even with sophisticated equipment it is not easy to track and locate a drone user and so preventative measures are likely to be more effective and a better use of business resources. Furthermore, taking proper steps to mitigated the potential loss of data will provide some protection if an audit by the data regulator or a claim in damages arises from a privacy breach.
If you have any enquiries, please contact Emma Banister Dean on:
01865 268 370 Email us
Minimise the impact with our dispute resolution solicitors