Privacy Implementation Notice 2025-03: Guidance pertaining to drones

1. Effective date

This implementation notice takes effect on July 21 2025.

2. Authorities

This implementation notice is issued pursuant to paragraph 71(1)(d) of the Privacy Act.

3. Purpose

This implementation notice provides guidance in accordance with the requirements of the Privacy Act and related policy instruments on the collection, use, retention, disposal and disclosure of personal information obtained from drones. It is intended to guide both privacy officials and program areas.

Federal government institutions (institutions) should assess the risks and opportunities associated with using drones in the collection of personal information and develop tailored guidance that aligns with this Privacy Implementation Notice (PIN) and their own individual requirements and operational context.

While this implementation notice is primarily intended to assist institutions that use or plan to use drones, much of the guidance in it could apply to other aerial surveillance technologies such as piloted aircraft, satellite systems, and closed-circuit television systems.

4. Context

There are varying terminologies used to refer to remotely controlled aircraft that do not have a pilot on board. These types of aircraft, which may be classified into sub-categories based on their differing features, sizes and technical capabilities, have been variously referred to as remotely piloted aircraft (RPA), remotely piloted aircraft systems (RPAS), uncrewed or “unmanned” aircraft system (UAS) and uncrewed aircraft (UA).^{Footnote 1} ^{Footnote 2} ^{Footnote 3}

For the purposes of this notice, because it is intended as general privacy guidance for all Government of Canada (GC) users, the more commonly known and understood term “drone” will be used to encompass this divergent nomenclature.

In the GC, drones are used for various purposes such as aerial surveillance, mapping, imaging, environmental monitoring, search and rescue, research, development, demonstration and other activities related to national security, defence, public safety, law enforcement, and border security. Drones can be a more viable option to traditional aircraft due to their generally lower cost, smaller size, and enhanced mobility. While drones may offer advantages in the field, it is also important for institutions to be cognizant of the potential privacy risks and implications associated with their use.

Most drones are equipped with video and image-capturing capabilities. They may also have additional onboard features and equipment such as facial recognition technology, sensors for detecting thermal energy, antennas that capture wireless network and cellular signals, and synthetic aperture radar. Some drones are used to conduct data collection or surveillance while others may be deployed for transport, delivery or other purposes that do not entail an image capturing or recording function.

Institutions should assess the specific capabilities and intended use of each drone to ensure that privacy risks are appropriately identified, considered and mitigated.

5. Guidance

5.1 Existing requirements

If there is a serious possibility that an individual could be identified in an image, video or other information recorded by a drone (as in the majority of cases), this would constitute personal information.^{Footnote 4} Whether an individual is identifiable using this material on its own or in combination with other information, this material may meet the definition of personal information under section 3 of the Privacy Act. Depending on a drone’s capabilities, examples of personal information may include, but are not limited to, an image or recording of a person’s face or physical characteristics (such as their gait), geolocation data patterns (such as their address or commonly frequented locations), cellular telephone signals, or a licence plate number.

The Privacy Act does not specifically address digital collection devices such as drones and other surveillance technologies. However, it is important to note that the obligations in the Privacy Act apply to institutions regardless of the way personal information is collected. Consequently, the risks that institutional drone use might pose to individuals’ privacy are expanded upon below, along with ways to mitigate them.

5.1.1 Collection of personal information from drones

Authority to collect

As described in section 4 of the Privacy Act, institutions may only collect personal information if the reason for collection relates directly to an operating program or activity. Institutions must also always ensure that they have the legal authority to collect the information before doing so. This may include obtaining judicial authorization, such as warrants for investigations, when required.

The use of drones to collect personal information could engage legal requirements beyond those of the Privacy Act, for example, those contained in the Aeronautics Act, the Canada Lands Surveys Act, the Canadian Transportation Act, the Criminal Code, and compliance with the Canadian Charter of Rights and Freedoms. Institutions should consult their legal services before deploying drones.

Administrative and non-administrative purposes

Institutions may use drones to collect personal information for both administrative and non-administrative purposes. An administrative purpose is defined in section 3 of the Privacy Act as the use of personal information about an individual in a decision-making process that directly affects that individual. Administrative purposes for which institutions collect personal information in the context of drones might include, for example:

monitoring an asset or port of entry for compliance purposes or potential illegal activity
search and rescue
confirming identity for authentication and verification
other law enforcement, defence and national security matters

Personal information, including information collected through drones, that is used for an administrative purpose must be retained for a minimum of 2 years, as required by paragraph 4(1) of the Privacy Regulations. However, unless under litigation hold, retention can be less than 2 years if the individual consents to its earlier disposal or has exercised their rights under the Privacy Act following an access request.

The Policy on Privacy Protection defines a non-administrative purpose as one for which the use of personal information is not related to any decision-making process that directly affects the individual. With respect to drones, such purposes could include, for example:

monitoring motor vehicle traffic to assess traffic patterns
infrastructure inspections
situational awareness of surrounding airspace
identifying the perimeters of forest fires and floods

When personal information is collected for a non-administrative purpose, institutions should de-identify or dispose of that information as soon as it is no longer required for the program or activity. This includes personal information that an institution collects through drones. For guidance on de-identification and possible inadvertent capture, refer to the Limiting Collection section of this guidance.

Privacy notification

Subsection 5(2) of the Privacy Act requires that institutions inform individuals from whom they collect personal information of the purpose for which the information is being collected, except where doing so might result in the collection of inaccurate information or defeat the purpose or prejudice the use for which information is collected.

Section 4.2.20 of the Directive on Privacy Practices sets out the elements that institutions are required to include in their privacy notices. This includes the institution’s legal authority, its purpose for collecting personal information, and any uses or disclosures of personal information that are consistent with the original purpose of collection. Privacy notices help promote transparency and trust by informing the public about the types of personal information the government is collecting and the reasons for that collection.

Institutions should provide notice when their use of drones may result in the collection of personal information. It is important for any such notification to be accessible to those whose personal information is likely to be collected. This could include, but is not limited to, an institution’s website or social media account, in traditional media, or along the perimeter of a fixed deployment site. Details that institutions might provide in the privacy notice, in addition to the requirements set out in section 4.2.20 of the Directive on Privacy Practices, could include the dates, duration and reason for deployment.

As a general rule, privacy notices would not be required for drone use in a law enforcement or national security context where notification would defeat the purpose of original collection (for example, by compromising an investigation). Program areas should consult with their privacy officials and legal services for support in making this determination, and to document the results of those consultations.

Limiting collection

Section 4.2.9 of the Directive on Privacy Practices requires institutions to limit their collection of personal information to what is directly related to and demonstrably necessary for their programs or activities. Institutions should assess each element of personal information to be collected to determine whether it satisfies these criteria. This may prove challenging in some cases where several personal information elements are intertwined with one another. Nonetheless, in these cases, institutions should limit their collection to those specific elements, to the extent possible.

When using drones, institutions can follow several best practices to limit their collection of personal information. These might include, for example:

restricting the duration of deployment
requiring standard operating procedures for extended or high-intensity monitoring
setting additional geographic flight boundaries
when collecting an image or video, employing a larger Ground Sample Distance (GSD), such as 25–30 cm per pixel, to decrease the level of detail captured

According to Appendix A of the Directive on Privacy Practices, the creation of personal information is considered a collection under the Privacy Act. The use of data minimization techniques, such as the ones discussed in the following paragraphs, can prevent the unnecessary creation of personal information when analyzing data collected from drones and, hence, should be considered by institutions. This is particularly important where data collected could be combined with other sources of information to create profiles of individuals.^{Footnote 5}

There may be a chance that personal information is captured inadvertently while deploying drones. In such cases, institutions should either de-identify the footage, for example by blurring the faces and other identifying features, or promptly delete it if it is not directly related to the operating program or activity.

Depending on the drone and its onboard equipment, inadvertent capture may be minimized through the integration of detection technology, vision system applications, and artificial intelligence (AI) tools that automatically identify and remove unwanted artifacts. Automated blurring technology, such as for faces or licence plates, could be used to ensure that personal information collected inadvertently is hidden from accessible records.^{Footnote 6}

Risk assessment

Institutions are required to conduct or update a privacy impact assessment (PIA) in accordance with Appendix C: Standard on Privacy Impact Assessment (the standard) of the Directive on Privacy Practices if drones are incorporated into a new or existing program or activity that uses personal information for an administrative purpose. The purpose of a PIA is to identify and assess any potential privacy implications and devise appropriate mitigation measures.

Examples of factors to consider when conducting a PIA for a new or substantially modified program or activity involving drones include:

all the sensors, equipment and other technologies on board the drone
the information capture capabilities of those technologies
how personal information collected through drones may be subsequently accessed, used, stored, disclosed and disposed of

When completing PIAs, institutions are encouraged to be as specific as possible about when, why, how and for how long the technology will be deployed.

If drones are incorporated into a new or existing program or activity that handles personal information for a non-administrative purpose, then it will be necessary to complete or update a privacy protocol as required by sections 4.2.16 of the Directive on Privacy Practices and C.2.2.18 of the standard. The elements to include in a privacy protocol are set out in section C.2.2.19 of the standard.

Personal information bank

Institutions must identify the scope and elements of personal information collected from drone usage in a personal information bank (PIB). In particular, they must identify if that information will be used for an administrative purpose or organized in a manner that would allow it to be reasonably retrieved by the individual’s name, identifying number, symbol, or other identifiers assigned to an individual. If an institution is handling personal information collected by a drone that is not already described in an existing PIB, it may be necessary to register or update an institution-specific PIB which better reflects the elements of information collected, the purpose of collection, and the retention period.

5.1.2 Use and disclosure

Sections 7 and 8 of the Privacy Act require that an individual’s personal information may be used or disclosed only for the purposes for which it was originally obtained or for uses consistent with those purposes, unless the institution obtains the consent of the individual to whom the information relates.

Subsection 8(2) describes the limited circumstances under which personal information under the control of a government institution may be disclosed without the consent of the individual to whom the information pertains. With respect to drones, these circumstances might include, but are not limited to:

for the purpose of carrying out a lawful investigation and/or the enforcement of any law within Canada or its provinces and territories
when the head of the government institution is of the opinion that the public interest in disclosing it clearly outweighs the privacy interests of the individual, or that the use or disclosure would clearly benefit the individual to whom the information relates (in cases such as search and rescue and/or when someone’s safety or life is at risk)

Information sharing agreements

If an institution intends to share personal information obtained via a drone with another federal institution, it must establish an information-sharing agreement (ISA) as required by section 4.2.33 of the Directive on Privacy Practices. The purpose of an ISA is to clarify the obligations and accountabilities of each party involved, ensuring compliance with the Privacy Act and its related policies.

Section 4.2.33 of the Directive on Privacy Practices lists the elements that are required to be addressed in an ISA, including the personal information to be disclosed; the purpose of the disclosure; a timely privacy breach reporting requirement; and the administrative, technical and physical safeguards in place to protect the personal information to be disclosed. For additional guidance on ISAs, see Guidance on Preparing Information Sharing Agreements Involving Personal Information.

If disclosing personal information to an institution with a recognized national security mandate, the Security of Canada Information Disclosure Act (SCIDA) may apply, in which case it is recommended that institutions consult their legal services.^{Footnote 7}

5.1.3 Safeguarding

In accordance with sections 4.2.30, 4.2.31 and 4.2.32 of the Directive on Privacy Practices and as a preventive measure against privacy breaches, institutions are required to safeguard personal information that has been collected by drones at all stages of its handling. This is to be achieved by:

limiting access to personal information to only those with a legitimate need to know
implementing administrative, technical and physical safeguarding measures
ensuring that any access, use or disclosure of personal information is monitored, documented and audited

Sections 4.2.4, 4.2.5 and 4.2.6 of the Directive on Privacy Practices prescribe how institutions are to manage breaches. Appendix B: Mandatory Procedures for Privacy Breaches details the actions institutions are required to take to ensure that they identify and manage breaches in a timely and efficient manner.

Administrative safeguards

Institutions should develop clear and documented procedures for employees to follow in the event a drone is lost or misplaced. These procedures can address steps for data recovery, assign responsibility for those actions, outline methods for tracking or locating the missing device, and specify when and how to remotely wipe data from the device, if possible.

As a best practice, it is recommended that institutions maintain flight records for all drones and similar aerial surveillance technology. While the Canadian Aviation Regulations require operators to maintain flight records for certain categories of larger drones, maintaining records for all drones and similar aerial surveillance technology is a best practice for audit and accountability purposes.^{Footnote 8} Similarly, when personal information is collected during a drone deployment, it is important that institutions keep a record of the reason for the deployment.

It also recommended that institutions conduct regular audits for both the technical and procedural aspects of a program or activity that uses drones. Audits, which could include the review of access logs and an assessment of encryption standards, help verify that the handling of any personal information collected complies with established security and privacy requirements.

With respect to administrative safeguards, one way analysts can mitigate the risk of unnecessary creation of personal information is to set controls on data linkages. For example, institutions can establish guidelines that limit the merging of data collected by drones with data contained in other databases unless it is strictly necessary.

Lastly, even if the drone operation is not intended to collect personal information, it is a best practice for drone operators, including contractors, to receive training in privacy practices. It is likewise important that operators are informed of the institution’s standard operating procedures for documenting and maintaining flight records.

Technical safeguards

Prior to a drone procurement and software updates, it is important that operators review the manufacturer's data sharing and storage policies and opt out of information sharing with a third party when not required.

Section 5.2 of this guidance discusses additional considerations related to the use of third-party contractors. At all stages of handling, data must be stored using GC-controlled environments or devices, and in accordance with the requirements of the Policy on Government Security.

When deploying drones, operators should protect any data stored on the device to prevent unauthorized access. One way to do so is by implementing strong passwords and two-factor authentication.

In addition, when drones contain equipment that collects and stores information on memory cards, it is important to use password-protected or encrypted storage cards. When mobile applications are used to pilot drones, institutions should maintain a pool of dedicated devices for this use only, rather than having employees use their individually assigned work devices.

After a drone flight, institutions should follow secure data transfer practices. Examples of such practices include the use of a secure connection to transfer data (such as footage) to a dedicated computer and measures to securely erase any personal information from the drone or the onboard equipment once the transfer has been completed. Any removable storage devices used in drone operations should be encrypted according to the sensitivity of the information involved. In all instances, the use of access controls is required to ensure unauthorized parties do not access data.

Regardless of how drones are piloted, a variety of technical measures can protect information from unauthorized access or disclosure. For example, it is important to ensure that all data gathered is encrypted and saved locally on the drone when flight plans extend beyond the operator’s line of sight. In all instances, it is important for drone operators to be aware that signal interference may occur and, to the extent possible, monitor for other signals on the frequency being used.

Below are several additional technical safeguards that could be implemented for drone deployments. Programs are encouraged to consult with their security and privacy officials prior to doing so:

selecting a data mode to block network communications between a mobile application and external servers to help prevent the unintentional transmission of personal information
enabling a pre-set return location within the drone to prevent loss
using a device-level virtual private network (VPN) or encrypted communication channels when transmitting via a wireless network to help prevent the unauthorized interception of communications during a drone flight

Physical safeguards

Physical safeguarding measures are also required when seeking to protect personal information collected during the course of a drone program or activity. Institutions should ensure that drones, and any related equipment or data storage devices, are housed in locked areas and secure facilities that are protected against unauthorized access. For more information on physical security controls and procedures, see Appendix C: Mandatory Procedures for Physical Security Control of the Directive on Security Management.

5.2 Third-party contracting

Private sector organizations are subject to legal obligations with respect to the collection, use, retention, disposal and disclosure of personal information under the Personal Information Protection and Electronic Documents Act and provincial privacy laws.

Federal institutions, however, retain ultimate responsibility, under the Privacy Act, for protecting individuals’ privacy when using goods or services procured from contractors to be used in government programs or activities that handle personal information. This responsibility extends to any privacy breaches experienced by contractors. It is strongly recommended that institutions engage in the following best practices when contracting with drone service providers, vendors, manufacturers or suppliers:

Consulting with privacy, security and cyber security officials prior to procuring and deploying drones or their components, particularly those originating from foreign states, as drones, like other technologies, can be susceptible to hacking and other cyber security threats
Consulting with legal, privacy, cyber security and security officials regarding the degree of ownership, control or influence that foreign actors may hold within a third party to identify potential risks
Consulting with the institution’s privacy and security officials regarding a contractor’s history of privacy and security-related incidents
Ensuring that contracts, agreements or information sharing arrangements clearly outline measures to protect personal information and include a requirement to immediately notify the institution should there be any indication of a security or privacy breach
Regularly assessing, or commissioning a qualified third party to assess, a contractor’s automated software, as well as their data collection and storage practices, for conformity with the guidance provided in this PIN. Additionally, if feasible, conducting periodic audits of these practices to ensure compliance with contractual obligations
Verifying where personal information will be stored and transferred; reviewing licensing agreements; ensuring compliance with the institution’s IT security policies; understanding software updates prior to software approval or renewal; and ensuring that there are clearly defined and maintained procedures for asset, patch and vulnerability management life cycles^{Footnote 9}

For more guidance on contracting, see the Guidance Document: Taking Privacy into Account Before Making Contracting Decisions.

6. Application

This implementation notice applies to government institutions as defined in section 3 of the Privacy Act, including parent Crown corporations and any wholly owned subsidiary of these corporations. However, this notice does not apply to the Bank of Canada.

7. References

Legislation

Related Treasury Board of Canada Secretariat policy instruments and guidance

8. Enquiries

Members of the public may contact Treasury Board of Canada Secretariat Public Enquiries at questions@tbs-sct.gc.ca for information about this implementation notice.

Employees of government institutions may contact their Access to Information and Privacy (ATIP) coordinator for information about this implementation notice.

ATIP coordinators may contact the Treasury Board of Canada Secretariat’s Privacy and Responsible Data division at ippd-dpiprp@tbs-sct.gc.ca for information about this implementation notice.

Footnotes

Footnote 1

A remotely piloted aircraft (RPA) is defined under the Canadian Aviation Regulations as a navigable aircraft, other than a balloon, rocket, or kite, that is operated by a pilot who is not on board. See the Canadian Aviation Regulations for more information.

Return to footnote 1 referrer

Footnote 2

An RPA is a component of a remotely piloted aircraft system (RPAS), which is defined as a set of configurable elements consisting of a remotely piloted aircraft, its control station, the command-and-control links, and any other system elements required during flight operation. See the Canadian Aviation Regulations for more information.

Return to footnote 2 referrer

Footnote 3

An uncrewed or “unmanned” aircraft system (UAS) is defined under the Defence Terminology Bank as a system comprised of an uncrewed aircraft and the necessary equipment, network and personnel to operate it. The term uncrewed aircraft (UA) refers to an aircraft that operates without on-board human intervention.

Return to footnote 3 referrer

Footnote 4

An image of an individual is considered inherently personal and will be about an identifiable individual in most circumstances, unless the image is so blurry that it does not reveal anything about the physical characteristics of the individual.

Return to footnote 4 referrer

Footnote 5

In addition to data minimization, for more guidance on the use of de‑identification as a privacy‑preserving technique for written, typed, tabular or other similar digital formats, refer to the Guidance Document on De-identification.

Return to footnote 5 referrer

Footnote 6

It is recommended that institutions considering the use of blurring technology proceed with caution and in conjunction with other best privacy practices. There is a risk that personal information remains identifiable because of “under-blurring.” Prior approval is recommended for the use of such technology and consultation with the institution’s information technology, security and privacy officials is recommended. Furthermore, institutions are reminded that the Directive on Automated Decision-Making may apply to the use of automated blurring technology.

Return to footnote 6 referrer

Footnote 7

See the Security of Canada Information Disclosure Act: A Step-by-Step Guide to Responsible Information Sharing for more information.

Return to footnote 7 referrer

Footnote 8

A record of a particular flight made by a drone operator (originally defined in the Canadian Aviation Regulations as a “record of a particular flight made by an RPAS operator”). See section 901.48 of the Canadian Aviation Regulations for more information.

Return to footnote 8 referrer

Footnote 9

For more information on security requirements and procedures, see Appendix F: Mandatory Procedures for Security in Contracts and Other Arrangements Control of the Directive on Security Management.

Return to footnote 9 referrer

Page details

Date modified:: 2025-07-21

Language selection

Search