Drone Footage at Fire Scenes: Chain of Custody, HIPAA, and the Cloud Security Default You Did Not Configure

Every fire department I work with has a drone now, maybe two. They bought it for thermal imaging on structure fires and scene overviews on MVCs, plus searching for missing persons in heavy brush. The footage is useful, but the legal and security exposure that comes with it is something the sales rep did not mention.

I sat through a post-incident review last year where the chief pulled up drone footage of a fatal MVA on a laptop. The video was streaming from the pilot's personal DJI account. The pilot set it up himself the week the drone arrived, and nobody had configured Local Data Mode or thought about where those files lived after they left the SD card. The chief did not realize he was watching a video that was also sitting on a server in Shenzhen.

That review is what kicked off this article.

Drone Footage Chain of Custody for Arson Investigation

Fire scenes turn into legal scenes more often than most crews want to think about. Arson investigations and wrongful death suits, not to mention civil liability claims against the city for how a scene was managed, all create situations where the drone footage becomes evidence.

Evidence needs a documented chain of custody from capture through review. The file must show who captured the footage and which device they used, the exact time of capture, a log of everyone who has accessed it since, and whether anyone altered it. Those are all questions a defense attorney will ask, and without that trail they will get the footage excluded while your agency loses the ability to use its own evidence in court.

Most departments do not have this kind of documented trail. They have an SD card in a drawer, a shared Google Drive folder, or a pilot's personal cloud account, and none of those support hash verification or log access or meet the standard a court will expect.

> The fix is a Digital Evidence Management System (DEMS) that generates a SHA-256 hash on upload and logs every access event. The footage moves from the SD card to the DEMS within the shift, and the hash is recorded before anyone reviews the file. This is not expensive or complicated. It just has to be the procedure.

HIPAA Compliance for Drone Footage in EMS

The drone does not know the difference between a structure fire and a patient care scene. When you launch over an MVC with extrication in progress, the camera captures everything from the patient on the backboard to the medic working the IV to the bystander's face. That footage is Protected Health Information under HIPAA.

Storing PHI in a consumer-grade cloud account is a breach. None of the manufacturer clouds that lack a BAA with your agency. Without a BAA, you cannot legally store ePHI in that service.

The same applies to training flights. If you fly a training scenario with simulated patients and the footage is stored in the manufacturer cloud, that is still PHI because identifiable information was captured.

This intersects with another problem I have written about before: crew phones and social media at the scene. The drone footage is another data stream entering an unmanaged pipeline. Your agency needs to account for it the same way it accounts for patient charts and ePCR entries.

Fire Department Drone Footage Public Records Law

Drone footage captured on an agency mission is a public record in most states, which means it is subject to FOIA or state-equivalent sunshine laws. A reporter, a plaintiff's attorney, or a curious citizen can request it.

The wide field of view creates a real problem for agencies. Bystanders and private homes and victims who did not consent to being recorded are all in the frame. If you release raw footage without redaction, you invite privacy lawsuits. Refuse to release it and you lose the public-records argument and invite litigation from the other direction.

Retention policies compound this. Routine training flights should not be kept on the same schedule as fatal scene footage. Some states have specific retention requirements for evidence in open investigations, and others do not. The default behavior of keeping everything forever or deleting everything after 90 days is wrong in both directions.

Your agency needs a retention policy that separates footage by type. Training: 90 days. Operational non-injury: 1 year. Injury or fatality: until the statute of limitations expires plus a safety margin. Every release needs a redaction workflow before the file goes out the door.

Securing Public Safety UAS Data Storage

The manufacturer cloud is the path of least resistance. The drone syncs automatically, the pilot can share a link from their phone, and the chief can watch the footage before the crew clears the scene. That convenience comes at a cost.

DJI has Local Data Mode, but it is not enabled by default. Without it, flight logs with telemetry and media all get transmitted to DJI's servers. The company is subject to Chinese law, which mandates cooperation with state intelligence. Even if you trust DJI's corporate intentions, the legal framework governing your data is not your own.

Skydio is US-based and markets heavily to government agencies. Their security posture is better out of the box, but better does not mean compliant. You still need to verify the configuration and disable unnecessary cloud sync, and then route the data pipeline into agency-controlled storage rather than a Skydio-managed server you have no audit rights over.

Anzu and smaller manufacturers occupy specialized niches where the same questions come up. You need to understand their data storage and administrative access models, plus what happens if the manufacturer gets acquired or goes under. Where does the data live when it leaves the drone and who has their hands on it?

The reference architecture for secure data storage is simple in practice. The drone writes to the SD card. The SD card transfers to a hardened laptop or tablet on scene, and that device uploads to the agency's CJIS-compliant or HIPAA-compliant storage over a VPN or private APN. The manufacturer cloud is bypassed entirely. This takes an extra 90 seconds per flight, which is a small price for keeping scene footage off third-party servers.

This connects to a broader problem I see regularly: public records security and what agencies should never release. The drone footage pipeline is just one more channel that needs the same treatment as your CAD logs and your ePCR database and your pre-plan documents.

DJI Drone Cloud Security for Public Safety

If you have DJI drones in your fleet, and most departments do, you need a configuration audit.

First, verify that every aircraft in the fleet has Local Data Mode enabled. This prevents the drone and controller from transmitting data to DJI's servers. It is a setting in the DJI Pilot app buried in the security menu, and it is not the default.

Second, check what accounts are associated with each aircraft. I have seen drones registered to a lieutenant's personal email, a shared department Gmail that three people know the password to, and an account for a vendor who left the agency two years ago. Each of these is an exposure.

Third, audit the cloud sync settings. Even with Local Data Mode enabled on the aircraft, the controller app can still sync media to the DJI cloud if the pilot has cloud sync turned on in the app. This setting is on by default.

Fourth, enforce MFA on every drone-related cloud account. Shared passwords are the norm in public safety for operational tools, and a shared password on a cloud account that stores scene footage is a breach waiting to happen.

Frequently Asked Questions

Is it legal to store drone footage on the manufacturer cloud?

Technically yes, but the compliance risk is significant. If the footage contains PHI, consumer-grade manufacturer cloud services lack a Business Associate Agreement and do not meet HIPAA storage requirements. For CJIS-governed agencies, the same problem applies. The legal answer is yes until it becomes a lawsuit.

How do I make sure my drone footage is admissible in court?

Use a Digital Evidence Management System that generates a cryptographic hash at the point of upload. Document every hand-off from the pilot to the evidence custodian and time-stamp every access event. Without this chain, the footage will be challenged and likely excluded. The DEMS does not need to be expensive, but it needs to be used consistently.

What is Local Data Mode and should my agency use it?

Local Data Mode prevents the drone and its controller from transmitting flight data and media to the manufacturer's servers. Any agency that operates DJI equipment should have this enabled on every aircraft. It is a free software setting that takes thirty seconds per drone to configure with no operational downside.

What retention schedule should we use for drone footage?

Separate footage by type. Training flights stay for 90 days, operational non-injury calls for 1 year, and any scene involving injury, fatality, or potential litigation stays until the statute of limitations for your jurisdiction expires plus a margin. Review the schedule annually. Do not apply one retention period to all footage.

Who at the agency should own the drone security baseline?

One person. It can be the IT manager, the training chief, or the drone program coordinator, but one person should be responsible for verifying the security configuration on every aircraft in the fleet, auditing the associated cloud accounts quarterly, and ensuring the data pipeline lands in agency-controlled storage. If everybody owns it, nobody owns it.

---

The drone is a good tool, but it is also a clinical documentation device and a potential evidence source and a data transmitter that your agency may not have configured to its own standards. The same due diligence you apply to your ePCR system and your dispatch logs needs to apply to the aircraft in the sky.

-- Steven