Drones, otherwise known as Unmanned Aerial Vehicles (UAVs), are used extensively in today's business landscape, offering valuable data that is driving innovation across many industries. From construction and agriculture to logistics and insurance, businesses are utilizing the power of drones to capture data to make informed decisions.
Drone data and records are one of the newest categories of information that we’ve seen in business over the last few years, and understanding the retention and management of these records has proved challenging to many companies. The key categories of commercial (non-recreational) drone data and records are: drone records and data: drone aircraft documentation, drone flight records, drone accidents and incidents, drone operator/pilot records, and drone data. For each category, we'll discuss examples, challenges, and considerations for retention and compliance.
Drone Aircraft Documentation:
Examples: Registrations, licenses, insurance certificates, specifications, configurations, and maintenance documentation.
Challenges: Complying with specific documentation requirements from federal, state/provincial, and local government agencies is critical for each drone.
Drone Flight Records:
Examples: Flight logs documenting flight details such as date, time, location, altitude, flight duration and related flight consents.
Challenges: The volume of flight records can be substantial and needs to be managed appropriately. In some jurisdictions and based on the data to be collected, data subject consent may be required.
Drone Accidents and Incidents:
Examples: Records related to accidents, incidents, near-misses, and any damage to property caused by drones.
Challenges: Reporting incidents promptly to regulators, conducting investigations, and maintaining comprehensive documentation for insurance claims.
Drone Operator/Pilot Records:
Examples: Records of operator/pilot qualifications, certifications, licenses, and training.
Challenges: Tracking pilot and operator certifications, renewals and training while safeguarding sensitive personal information of pilots and operators.
Examples: Data captured by drones, such as images, videos, point clouds, 3D models, geospatial data, and thermal data. Data formats can include:
Images and photographs (JPEG, TIFF)
Point Clouds (LAS/LAZ, XYZ)
3D Models (OBJ, STL)
Geospatial Data (SHP, GeoTIFF)
Thermal Data (R-JPEG)
Challenges: Ensuring the authenticity, chain of custody and secure transmission of the large volumes of data generated by drones is critical to the data’s integrity, especially when selecting relevant portions to retain.
Retention and Compliance Considerations
Specific record retention requirements vary by jurisdiction and must be documented for each location where an organization operates drones. These requirements can differ between countries, states/provinces, and local governments, sometimes leading to conflicts.
In the U.S., drones are primarily regulated per Title 14, Part 107 of the Code of Federal Regulations:
14 C.F.R. 107.40 (c)(4) states that records of maintenance, preventive maintenance, and alterations performed on unmanned aircraft must be retained for 1 year from when the work is completed or until the maintenance is repeated or superseded by other work.
14 C.F.R. 48.100 (c) states that drone registrations expire after 3 years unless they are renewed.
14 C.F.R. 107.21 requires remote pilots, i.e. persons flying drones, to submit reports for deviations during in-flight emergencies that required immediate action, although no specific retention period is stated for these records.
140 C.F.R. 107.65 states that remote pilots must have passed an initial or recurrent aeronautical knowledge test or completed recurrent training within the last two years for their remote pilot certification – companies need to be retaining these test and training records for at least that period of time in order to maintain compliance.
While some are more comprehensive than others, all 50 states within the U.S. have regulations governing the use of drones. Here are a few examples:
North Dakota Century Code 29-29.4-06 states that documentation of surveillance flights such as duration, flight path, and mission objectives must be retained for 5 years.
According to Idaho Statute 21-213, no person, entity or state agency may use a drone to intentionally conduct surveillance of, collect information about, or photographically or electronically record specifically targeted persons or private property including farms, dairies, ranches and other agricultural areas, without written consent from the individual or property owner. Although this section doesn’t specify retention for these written consents, privacy retention requirements need to be considered as civil actions can be brought against offenders and penalties can be imposed.
Drone use is regulated in each country so it’s important to learn and follow regulations in all the countries in which your organization has drone operations. Here are a few examples:
European Regulation (EU) 2019/947 governs drone registration, and UAS.SPEC.050 (g) specifies responsibilities of persons flying drones, including keeping a record of UAS operations information as required by the declaration or by the operational authorization.
European Regulation (EU) UAS.LUC.020 requires Light UAS Certificate holders to keep records of operational risk assessments, mitigation measures taken, and qualifications and experience of involved personnel for 3 years from the date of the operation.
Canadian law requires persons using drones for commercial purposes to comply with Personal Information Protection and Electronic Documents Act (PIPEDA), other than for journalism, not-for-profit operations, etc., specifying that consent must be obtained when collecting, using or sharing privacy information. They also require that individuals be given access to their personal information obtained through drone use.
In China, drones are overseen by the Civil Aviation Administration of China (CAAC), which recommends that drone operators keep their registration records for at least 3 years in case the CAAC needs to review them for any accidents or incidents that may have occurred.
In conclusion, businesses should adhere to laws and regulations in the jurisdictions where they operate drones and incorporate these requirements into records retention schedules and compliance strategies. Careful consideration should be given to the location of privacy information within drone data, which should be taken into account when making a decision on retention periods for these records to maintain compliance with applicable privacy laws. Although some organizations may choose to keep these records longer based on business needs, compliance strategies should include drone records being kept for at least the required minimum retention periods.
Drone Laws for a Safer Airspace (www.drone-laws.com)
‘Retention Bytes’ is a practical resource for navigating the world of global data retention, records retention, and document retention. Authored by Jeanne Caldwell, the founder and principal consultant at iGMapware, this blog focuses on information governance and offers insights to help organizations maintain compliance.
Disclaimer: Retention Bytes provides general information and opinions, not legal or professional advice or recommendations. Readers should consult experts for specific guidance.