As required by the Other Transaction Agreement (“OTA”) between the Federal Aviation Administration (“FAA”) and the State of Nevada, DTFACT-14-A-00003, Modification 0001, May 19, 2014, the Nevada Institute for Autonomous Systems (“NIAS”) in its capacity as the contracted operator hereby establishes the following policies and procedures to ensure the protection of privacy and the public’s trust during operations of the Nevada UAS Test Site.
Under Article 3 Privacy, of the OTA, appended in its entirety below, the State of Nevada and NIAS must:
(i) have privacy policies governing all activities conducted under the OTA, including the operation and relevant activities of UAS authorized by NIAS as the Test Site Operator;
(ii) make their privacy policies publicly available;
(iii) have a mechanism to receive and consider comments from the public on such privacy policies;
(v) update its privacy policies as necessary to remain operationally current and effective; and,
2. Requirements of the Policy
a. Compliance with Applicable Privacy Laws
For purposes of this Agreement, the term “Applicable Law” shall mean (i) a law, order, regulation, or rule of an administrative or legislative government body with jurisdiction over the matter in question, or (ii) a ruling, order, decision or judgment of a court with jurisdiction over the matter in question. Nevada Institute for Autonomous Systems (NIAS) On Behalf of the Governor’s Office of Economic Development 400 South 4th Street, Suite 500, Las Vegas, Nevada 89101 702-793-4218, firstname.lastname@example.org November 2015 Page 2 | 5 NIAS and its team members must operate in accordance with all Applicable Law regarding the protection of an individual’s right to privacy (hereinafter referred to as “Privacy Laws”).
If the U.S Department of Justice or a state’s law enforcement authority files criminal or civil charges over a potential violation of a Privacy Law, the FAA may take appropriate action including suspending or modifying the relevant operational authority (e.g., Certificate of Operation, or Agreement) until the proceedings are completed. If the proceedings demonstrate the operation was in violation of the Privacy Law, the FAA may terminate the relevant operational authority.
b. Change in Law
c. Transmission of Data to the FAA
The Test Site Operator should not provide or transmit to the FAA or its designees any data other than the data requested by the FAA pursuant to Article 5 of the OTA.
d. Other Requirements
3. Nevada UAS Test Site Policy
During the planning phase for potential operations at the Nevada UAS Test Site, NIAS will analyze proposed test plans to ensure that they meet applicable Federal and State privacy regulations, statutes, and guidance for sensor requirements, data collection plans, and data retention plans. The objective is to prevent inappropriate surveillance and collection of data which invades an individual’s privacy.
4. Policy Informed
By This policy is informed by numerous sources such as:
(i) Nevada Revised Statutes Chapter 493;
(ii) Association for Unmanned Vehicle Systems International UAS Operations Industry “Code of Conduct”;
(iii) Department of Justice/National Institute for Justice research and development and policy recommendations;
(iv) International Association of Chiefs of Police Aviation Committee’s Recommended Guidelines for the Use of Unmanned Aircraft;
(v) Airborne Law Enforcement Association policies and procedures (manned and unmanned);
(vi) Department of Defense (“DoD”), US Air Force policies, procedures and operations instructions (“OI”);
(vii) Department of Energy (“DOE”) policies and standard operating procedures; and,
(viii) NTIA suggested best practices for UAS privacy.
5. Operations Planning The NIAS Flight Planning Guides and additional information collected from prospective customers will help to ensure that UAS operations within the Nevada UAS Test Site meet the currently established privacy laws and policies within the United States and the State of Nevada. Examples of the information that NIAS will request from potential customers which will be used to evaluate privacy issues include:
(i) Airspace requirements;
(ii) UAS operating requirements (altitudes, profiles, spectrum, data handling);
(iii) Sensor specifications and operations requirements;
(iv) Data collection requirements;
(v) Data retention requirements (what and for how long);
This information will be used by NIAS planning staff to select appropriate locations for the flight operations to provide for the greatest privacy protection. NIAS will create a detailed test plan with realistic limitations on sensor operations and collection activity of surveillance data during the missions. Empirical test data such as radar track information or Automatic Dependent Surveillance – Broadcast (ADS-B) data will not be subject to these limitations. NIAS will determine the types of sensor data that will be subject to limitation in concert with range authorities and NIAS legal counsel, and will coordinate with range vendors such as airport authorities, DOE, DoD, land owners, and the general public on the nature of the operations and sensor activities expected during the flights.
NIAS will coordinate with the customer/operator and will limit or prohibit sensor operations not specifically required or which have a real expectation of violating privacy during the flights. This will not preclude operational testing of the functionality of the sensor while airborne if required, but will look to minimize unnecessary use throughout the mission. If the operation is conducted in a “sensitive” area, steps will be taken to ensure sensors are not operated during that time while over such area, including removing power from the sensor or confirming that the sensor is gimbaled in such a manner that data is not collected. Regardless of how data is collected (at the GCS, recorded on-board, transmitted to an operations center, etc.), the data will be reviewed by NIAS staff (Range Coordinator or Privacy Representative as a minimum) or appropriate range authority (such as Nellis Test and Training Range or DOE staff).
6. Operations Execution
Specific sensor limitations, data collection limitations and retention agreements will be reviewed throughout the planning stages and again at Flight Readiness Review. Daily operations flight briefings will re-emphasize these limits to ensure that the privacy policies are being adhered to during flight operations. The on-site lead for Flight Operations (Range Coordinator or Flight Operations Manager) will be responsible for ensuring compliance with these limitations, including designation of personnel to monitor sensor operations and data collected.
7. Post-Flight Procedures
Following flight operations, the NIAS staff will provide a written report of the flight activities and will include a summary of sensor operations and the collection of data, if applicable. When required, sensor data will be reviewed by the NIAS staff or designated range vendor authority (DOE/NTTR representatives). If any privacy issues or concerns arise during the course of a flight operation, they will be documented and corrective action shall be documented by the reviewing authority with feedback to the Flight Operations Manager.
8. Change in Law
9. Annual Review and Revision
Voluntary Best Practices for UAS Privacy, Transparency, and Accountability
Consensus, Stakeholder-Drafted Best Practices Created in the NTIA-Convened Multistakeholder Process
May 18, 2016
“Unmanned Aircraft Systems (UAS) technology continues to improve rapidly, and increasingly UAS are able to perform a variety of missions with greater operational flexibility and at a lower cost than comparable manned aircraft. …
–President Barack Obama
Charge from the President
As compared to manned aircraft, UAS may provide lower-cost operation and augment existing capabilities while reducing risks to human life. Estimates suggest the positive economic impact to U.S. industry of the integration of UAS into the NAS could be substantial and likely will grow for the foreseeable future.
The combination of greater operational flexibility, lower capital requirements, and lower operating costs could allow UAS to be a transformative technology in the commercial and private sectors for fields as diverse as urban infrastructure management, farming, and disaster response. Although these opportunities will enhance American economic competitiveness, our Nation must be mindful of the potential implications for privacy, civil rights, and civil liberties. The Federal Government is committed to promoting the responsible use of this technology in a way that does not diminish rights and freedoms.
By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to establish transparent principles that … promote the responsible use of this technology in the private and commercial sectors, it is hereby ordered as follows: …
There is hereby established a multi-stakeholder engagement process to develop and communicate best practices for privacy, accountability, and transparency issues regarding commercial and private UAS use in the NAS. The process will include stakeholders from the private sector. Within 90 days of the date of this memorandum, the Department of Commerce, through the National Telecommunications and Information Administration, and in consultation with other interested agencies, will initiate this multi-stakeholder engagement process to develop a framework regarding privacy, accountability, and transparency for commercial and private UAS use.”
President Barack Obama
FEBRUARY 15, 2015
Consensus, Stakeholder-Drafted Best Practices Created in the NTIA-Convened Multistakeholder Process
The benefits of commercial and private unmanned aircraft systems (UAS) are substantial. Technology has moved forward rapidly, and what used to be considered toys are quickly becoming powerful commercial tools that can provide enormous benefits in terms of safety and efficiency. UAS integration will have a significant positive economic impact in the United States. Whether UAS are performing search and rescue missions, allowing farmers to be more efficient and environmentally friendly, inspecting power lines and cell towers, gathering news and enhancing the public’s access to information, performing aerial photography to sell real estate and provide insurance services, surveying and mapping areas for public policy, delivering medicine to rural locations, providing wireless internet, enhancing construction site safety, or more—society is only just beginning to realize the full potential of UAS. UAS technology is already bringing substantial benefits to people’s daily lives, including cheaper goods, innovative services, safer infrastructure, recreational uses, and greater economic activity. Inevitably, creative minds will devise many more UAS uses that will save lives, save money and make our society more productive.
However, the very characteristics that make UAS so promising for commercial and non-commercial uses, including their small size, maneuverability and capacity to carry various kinds of recording or sensory devices, can raise privacy concerns. As a result, individuals may be apprehensive about the adoption of this technology into everyday life. In order to ensure that UAS and the exciting possibilities that come with them live up to their full potential, operators should use this technology in a responsible, ethical, and respectful way. This should include a commitment to transparency, privacy and accountability. The purpose of this document is to outline and describe voluntary Best Practices that UAS operators could take to advance UAS privacy, transparency and accountability for the private and commercial use of UAS. 1UAS operators may implement these Best Practices in a variety of ways, depending on their circumstances and technology uses, and evolving privacy expectations. In some cases, these Best Practices are meant to go beyond existing law and they do not—and are not meant to—create a legal standard of care by which the activities of any particular UAS operator should be judged. These Best Practices are also not intended to serve as a template for future statutory or regulatory obligations, in part because doing so would make these standards mandatory (not voluntary) and could therefore raise First Amendment concerns.
1 The National Telecommunications and Information Administration (NTIA) has convened a series of multi-stakeholder efforts as a way to increase privacy protections based upon the Administration’s framework for consumer information privacy. On February 15, 2015, President Obama issued a Presidential Memorandum instructing NTIA to convene such a process to develop and communicate best practices for privacy, accountability, and transparency issues regarding commercial and private UAS use in the National Airspace System. These Voluntary Best Practices are the result of that multi-stakeholder engagement process.
These voluntary Best Practices for UAS focus on data collected via a UAS, which includes both
commercial and non-commercial UAS. The only section applicable to newsgatherers and news reporting
organizations is Section V considering that their activity is strongly protected by the First Amendment
to the Constitution of the United States. There is also an Appendix entitled, “Guidelines for Neighborly
Drone Use” that is intended to be a quick and easy reference guide for recreational UAS operators.
These Best Practices do not apply to data collected by other means—for instance, a company need not
apply these Best Practices to data collected via the company’s website. These Best Practices do not
apply to the use of UAS for purposes of emergency response, including safety and rescue responses.
Nothing in these Best Practices shall:
• Be construed to limit or diminish freedoms guaranteed under the Constitution;
• Replace or take precedence over any local, state, or federal law or regulation;
• Take precedence over contractual obligations or the representations of entities contracting UAS operators. However, entities contracting UAS operators should consider these Best Practices when setting the terms of a contract for UAS use, and UAS operators should consider these Best Practices when choosing to accept a contract for UAS use; or
• Impede the safe operation of a UAS.
UAS operators should comply with all applicable laws and regulations. These Best Practices are intended to encourage positive conduct that complements legal compliance. Operators who are aware of other best practices that may apply specific guidance to technologies deployed on or through UAS should consider how to incorporate that guidance into their privacy and security policies and practices.
These Best Practices are also not intended to serve as a template for future statutory or regulatory obligations, in part because doing so would raise First Amendment issues.
The term “consent” means words or conduct indicating permission. Consent must be informed and
conduct indicating permission may be express or implied, depending on the context.
“Covered data” means information collected by a UAS that identifies a particular person. If data collected by UAS likely will not be linked to an individual’s name or other personally identifiable information, or if the data is altered so that a specific person is not recognizable, it is not covered data.
The term “data subjects” refers to the individuals about whom covered data is collected.
The terms “where practicable” and “reasonable” depend largely on the circumstances of the UAS
operator, the sensitivity of data collected, and the context associated with a particular UAS operation.
IV. Voluntary Best Practices
These voluntary Best Practices for UAS focus on data collected via a UAS, which includes both
commercial and non-commercial UAS. The only section applicable to newsgatherers and news reporting organizations is Section V considering that their activity is strongly protected by the First Amendment to the Constitution of the United States. There is also an Appendix entitled, “Guidelines for Neighborly Drone Use” that is intended to be a quick and easy reference guide for recreational UAS operators. These Best Practices do not apply to data collected by other means—for instance, a company need not apply these Best Practices to data collected via the company’s website. These Best Practices do not apply to the use of UAS for purposes of emergency response, including safety and rescue responses.
1. Inform Others of Your Use of UAS
1(a) Where practicable, UAS operators should make a reasonable effort to provide prior notice to individuals of the gener-al timeframe and area that they may anticipate a UAS inten-tionally collecting covered data.2
(1) the purposes for which UAS will collect covered data;3
(2) the kinds of covered data UAS will collect;
(3) information regarding any data retention and deidentification practices;4
(4) examples of the types of any entities with whom covered data will be shared;
(5) information on how to submit privacy and security complaints or concerns; and
(6) information describing practices in responding to law enforcement requests.
2. Show Care When Operating UAS or Collecting and Storing Covered Data
2(a) In the absence of a compelling need to do otherwise, or consent of the data subjects, UAS operators should avoid
2 What qualifies as a practicable and reasonable effort to provide prior notice will depend on operators’ circumstances and the context of the UAS operation. For example, delivery UAS operators may provide customers with an estimated time of delivery. Real estate professionals using UAS may provide a home seller (and possibly immediate neighbors) with prior notice of the estimated date of UAS photography of the property. Hobbyist UAS operators may not need to notify nearby individuals of UAS flight in the vicinity.
3 These Best Practices recognize that UAS operators may not be able to predict all future uses of data. Accordingly, these Best Practices do not intend to discourage unplanned or innovative data uses that may result in desirable economic or societal benefits.
4 If it is not practicable to provide an exact retention period, because, for example, the retention period depends on legal hold requirements or evolving business operations, the UAS operator may explain that to data subjects when disclosing its retention policies.
using UAS for the specific purpose of intentionally collecting cov-ered data where the operator knows the data subject has a reasonable expectation of privacy.
2(b) In the absence of a compelling need to do otherwise, or consent of the data subjects, UAS operators should avoid using UAS for the specific purpose of persistent and continuous collection of covered data about individuals.
2(c) Where it will not impede the purpose for which the UAS is used or conflict with FAA guidelines, UAS operators should make a reasonable effort to minimize UAS operations over or within private property without consent of the property owner or without appropriate legal authority.
2(d) UAS operators should make a reasonable effort to avoid knowingly retaining covered data longer than reasonably necessary to fulfill a purpose as outlined in § IV.1(b). With the consent of the data subject, or in exceptional circumstances (such as legal disputes or safety incidents), such data may be held for a longer period.
2(e) UAS operators should establish a process, appropriate to the size and complexity of the operator, for receiving privacy or security concerns, including requests to delete, de-identi-fy, or obfuscate the data subject’s covered data. Commercial operators should make this process easily accessible to the public, such as by placing points of contact on a company website.5
3. Limit the Use and Sharing of Covered Data
3(a) UAS operators should not use covered data for the following purposes without consent: employment eligibility, promotion, or retention; credit eligibility; or health care treatment eligi-bility other than when expressly permitted by and subject to the requirements of a sector-specific regulatory framework.
3(c) If publicly disclosing covered data is not necessary to fulfill the purpose for which the UAS is used, UAS operators should avoid knowingly publicly disclosing data collected via UAS until the operator has undertaken a reasonable effort to obfuscate or de-identify covered data —unless the data subjects provide consent to the disclosure.
3(d) UAS operators should make a reasonable effort to avoid us-ing or sharing covered data for marketing purposes unless the data subject provides consent to the use or disclosure. There is no restriction on the use or sharing of aggregat-ed covered data as an input (e.g., statistical information) for broader marketing campaigns.
4. Secure Covered Data
4(a) UAS operators should take measures to manage security risks of covered data by implementing a program that contains reasonable administrative, technical, and physical safe-guards appropriate to the operator’s size and complexity, the nature and scope of its activities, and the sensitivity of the covered data.
Examples of appropriate administrative, technical, and physical safeguards include those described in guidance from the Federal Trade Commission, the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the Interna-tional Organization for Standardization’s 27001 standard for in-formation security management.
For example, UAS operators engaging in commercial activity should consider taking the following actions to secure covered data:
• Having a written security policy with respect to the collection, use, storage, and dissemination of covered data appropriate to the size and complexity of the operator and the sensitivity of the data collected and retained.6
• Making a reasonable effort to regularly monitor systems for breach and data security risks.
• Making a reasonable effort to provide security training to employees with access to covered data.
• Making a reasonable effort to permit only authorized individuals to access covered data.
5. Monitor and Comply with Evolving Federal, State, and Local UAS Laws
5(a) UAS operators should ensure compliance with evolving applicable laws and regulations and UAS operators’ own privacy and security policies through appropriate internal processes.
5 This may be as simple as talking to an individual who approaches the UAS operator with a concern.
V. Best Practices for Newsgatherers and News Reporting Organizations
Newsgathering and news reporting are strongly protected by United States law, including the First
Amendment to the Constitution. The public relies on an independent press to gather and report the
news and ensure an informed public.
For this reason, these Best Practices do not apply to newsgatherers and news reporting organizations.
Newsgatherers and news reporting organizations may use UAS in the same manner as any other
comparable technology to capture, store, retain and use data or images in public spaces. Newsgatherers
and news reporting organizations should operate under the ethics rules and standards of their
organization, and according to existing federal and state laws.
Appendix Guidelines for Neighborly Drone Use
Drones are useful. New, fairly cheap drones are easy to use. But just because they are cheap and
simple to fly doesn’t mean the pictures and video they take can’t harm other people. The FAA and part
ner organizations have put safety guidance online at http://knowbeforeyoufly.org. But even safe flight
might not respect other people’s privacy. These are voluntary guidelines. No one is forcing you to obey
them. Privacy is hard to define, but it is important. There is a balance between your rights as a drone
user and other people’s rights to privacy. That balance isn’t easy to find. You should follow the detailed
“UAS Privacy Best Practices”, on which these guidelines are based, especially if you fly drones often, or
use them commercially. The overarching principle should be peaceful issue resolution.
1. If you can, tell other people you’ll be taking pictures or video of them before you do.
2. If you think someone has a reasonable expectation of privacy, don’t violate that privacy by taking pictures, video, or otherwise gathering sensitive data, unless you’ve got a very good reason.
3. Don’t fly over other people’s private property without permission if you can easily avoid doing so.
4. Don’t gather personal data for no reason, and don’t keep it for longer than you think you have to.
5. If you keep sensitive data about other people, secure it against loss or theft.
6. If someone asks you to delete personal data about him or her that you’ve gathered, do so, unless you’ve got a good reason not to.
7. If anyone raises privacy, security, or safety concerns with you, try and listen to what they have to say, as long as they’re polite and reasonable about it.
8. Don’t harass people with your drone.
Supporters As of June 2016
Association for Unmanned Vehicle Systems International (AUVSI)
Center for Democracy and Technology Commercial Drone Alliance Consumer Technology Association
CTIA Digital Content Next
(DCN) Future of Privacy Forum Intel
National Association of Broadcasters (NAB)
New America’s Open Technology Institute
News Media Coalition
Newspaper Association of America (NAA)
Online Trust Alliance (OTA)
Radio Television Digital News Association (RTDNA)
Small UAV Coalition
Software & Information Industry Association (SIIA)
U.S. Chamber of Commerce
X (Formerly Google [x])
To add your organization to the list of supporters, please email email@example.com
“As the President recognized when he directed NTIA to convene this process, these best practices can help promote Commerce priorities by allowing the industry to grow, develop and innovate while helping to build consumer trust.”
– U.S. Secretary of Commerce Penny Pritzker
“The best practices agreed to by a diverse group of stakeholders—including privacy and consumer advocates, industry, news organizations and trade associations—represent an important step in building consumer trust, giving users the tools to innovate in this space in a manner that respects privacy, and providing accountability and transparency.”
– NTIA Deputy Assistant Secretary Angela Simpson
The best practices were developed by a group of stakeholders convened by the National Telecommunications and Information Administration. This is not a government publication.
More information about the NTIA process is available at www.ntia.doc.gov. An easy to read summary of the best practices is available at www.fpf.org