Drone Registration – How safe is your personal registration data?

So you have now registered your drone and received your operator ID and/or your flyer ID; what has happened to your personal data?

Given that many people last year suffered a phishing attack from the CAA, you may have legitimate concerns as to the risk of your personal data. Not only will your concerns relate to your personal information, but also your operator ID and/or your flyer ID being compromised by a nefarious operator of drones. You may also have noticed that at the time, your data was not independently verified, but it would appear that Experian was in fact used.

Once you completed your registration, you would have been forced to accept the CAA terms and conditions that relate to your personal data. You would not have been able to amend these terms and conditions as this would have prevented you from flying because you would not have had the appropriate registration.

The CAA has a privacy policy and they are the data controller. You would have entered your full name, address, date of birth and an email address in order to register. The Government Digital Service or GDS as it is known promises not to transfer your data outside of the European Economic Area, sell or rent your data to 3rd parties or share your data with third parties for marketing purposes. Your data is now also processed in accordance with GDS’s privacy notice, which means the GDS may collect more information:

  • “questions, queries or feedback you leave, including your email address if you contact GOV.UK
  • your email address and subscription preferences when you sign up to our email alerts
  • how you use our emails – for example, whether you open them and which links you click on
  • your Internet Protocol (IP) address, and details of which version of web browser you used
  • information on how you use the site, using cookies and page tagging techniques

We use Google Analytics software to collect information about how you use GOV.UK. This includes IP addresses.”

So not only is your data passed onto GDS and they seek to get more information, but did you know that your information is also passed onto a customer support provider which is a 3rd party is called “Teleperformance?” This company has offices all over the globe and works in many different sectors. How sure are you that this company will not share your data?

Did you also know that you agreed to limit the CAA’s liability in the event of a claim? If you run a drone business and your information has been compromised, for example, whereby all your drones have been seized because there has been some confusion over the operator ID, the CAA has excluded the following losses:

  • “losses not foreseeable to you and us when these terms were formed
  • losses not caused by any breach on our part
  • business losses
  • losses to non-consumers”

Additionally, the CAA terms also say that they will have no liability for any breach of the privacy terms as a consequence of a breakdown of systems or network access. Does that offer you a sufficient level of comfort after the phishing attack in 2019?

In summary, you have agreed to the privacy notice of the CAA, the privacy notice of the GDS, personal information being analysed by Google analytics, and personal information being utilised and stored by a global company called Teleperformance with limited ability to make a claim in the event you have suffered loss and damage.

If you’re not happy with this you are free to contact the government privacy team: [email protected] or the Information Commissioner, who is an independent regulator: [email protected]

If you would like to discuss this or any other drone law issues, please contact us.