On-Set Data Policy: Drives, Backups & Deliverables Guide

By BlockReel Editorial Team · Guides, Production

Executive Summary

On-set data is the most fragile, expensive, and irreplaceable asset on a film set, yet it is also the one most often handled with informal, undocumented workflows. This guide defines a practical on-set data policy covering four pillars: (1) custody and ownership of camera media, drives, and deliverables; (2) backup architecture aligned with realistic Recovery Point and Recovery Time Objectives; (3) least-privilege access controls tied to formal production roles; and (4) retention, handover, and audit practices that satisfy studio, insurer, and MPA Trusted Partner Network (TPN) expectations. The recommendations are scaled across budget tiers, with explicit notes where high-end studio practice diverges from indie reality. Use it as a baseline to write your own production-specific Standard Operating Procedures (SOPs) before principal photography begins.

Table of Contents

  • Defining Custody and Ownership of On-Set Drives
  • Backup Protocols for On-Set Data and Deliverables
  • Access Controls and Permissions for Production Assets
  • Retention, Delivery, and Handover of Deliverables
  • Documentation, Compliance, and Audit Practices
  • Interface and Handoff Notes
  • Browse This Cluster
  • Next Steps

    Defining Custody and Ownership of On-Set Drives and Hardware

    Clarity regarding who is responsible for what, when, and why is paramount for any data-driven production. On set, this begins with the physical storage devices themselves. Standard practice on professional productions assigns a designated custodian (typically the Data Wrangler, DIT, or Post-Production Supervisor) to each top-level storage asset. This is not merely about who physically holds the drive, but who is accountable for its oversight, who approves access requests, and who conducts audits. This approach prevents the fragmentation of data stewardship that often occurs when personal drives are haphazardly integrated into production workflows.

    Consider a camera SSD. During principal photography, the Digital Imaging Technician (DIT) acts as the primary custodian and data authority, not the legal owner. Legal ownership of the footage typically resides with the production company or producer, while the camera department retains custody until offload is verified. Once footage is transferred to a primary RAID array on set, custodial responsibility shifts to the DIT for the duration of dailies processing, and then later to the Post-Production Supervisor as the project moves into editorial. This tiered custody model is aligned with broader information security principles (such as the defined roles and responsibilities described in ISO 27001:2022 Annex A 5.2), though no standard prescribes a film-specific workflow. Productions targeting studio distribution should also align with the MPA Trusted Partner Network (TPN) Best Practices, which is the de facto compliance framework for content security in the M&E industry.

    A common pitfall is the failure to inventory all current storage platforms. Productions often mix personal hard drives with dedicated network-attached storage (NAS) devices, leading to a fragmented data landscape where custody is unclear and security is compromised. For example, a DIT might use a personal portable drive for an urgent transfer, but if that drive is not formally inventoried and its data transferred to a production-owned asset, a critical link in the chain of custody is broken.

    To mitigate this, productions should employ NAS devices appropriate to their tier. The Synology DS1821+ is an 8-bay solution that scales up to roughly 176TB raw with current 22TB drives (older 18TB drives yield ~144TB), running Synology DSM (7.x) with built-in user and group permissions for precise assignment of custody and access rights. For portable needs, ruggedized SSDs like the LaCie Rugged SSD Pro (Thunderbolt 3, IP67) are appropriate, but they must be paired with strict labeling protocols to maintain a clear chain of custody.

    💡 Pro Tip: Tier custody by risk. Tier 1 (active production media and primary camera drives) is custodied by the DIT. Tier 2 (working backup arrays during post) sits with the post-production lead. Tier 3 (long-term archive on LTO or cloud) is custodied by the producer, post supervisor, or studio. Document these tiers in runbooks that specify decisions for drive failures, such as whether to rebuild a RAID or restore from a backup, and who has the authority to call it.

    The principle of least privilege, a cornerstone of data security, must be rigorously applied. This means granting users only the minimum access necessary to perform their job functions. Assigning "Everyone" group access to sensitive dailies folders, for instance, is a breach of this principle and a common mistake that exposes valuable assets to unnecessary risk. Instead, access should be linked to formal production roles, ensuring that only authorized personnel can view, modify, or transfer specific data.

    Backup Protocols for On-Set Data and Deliverables

    The adage "if it does not exist in three places, it does not exist" holds especially true for film production data. The 3-2-1 rule (three copies, two different media, one offsite) is the operational baseline. These protocols must translate production continuity needs into concrete backup designs, defining clear Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO). For instance, dailies might have an RPO of one hour (no more than one hour of work can be lost) and an RTO of four hours (recovery must be possible within four hours).

    On-set Data Managers or DITs execute and enforce the on-set data protocols defined by production and post, including scheduling backup jobs and routine validation via checksums (xxHash, MD5, or MHL manifests) and restore drills. It is not enough to simply run backups; they must be tested to ensure recoverability. Industry-standard offload software for this work includes Hedge, ShotPut Pro, Silverstack (Pomfort), and YoYotta, all of which produce verified, checksum-confirmed copies and machine-readable reports.
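
The verified-offload step described above, as an added example (not code from Hedge, ShotPut Pro, Silverstack or YoYotta): it hashes a source card with MD5, then re-reads each destination from disk and reports missing, altered or unexpected files. The card layout, file names and in-memory manifest are constructed for the example and are not the MHL format.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large clips never sit fully in RAM


def file_md5(path: Path) -> str:
    """Checksum one file with MD5, one of the hash types the guide lists."""
    digest = hashlib.md5(usedforsecurity=False)  # integrity check, not a security control
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its checksum."""
    return {p.relative_to(root).as_posix(): file_md5(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copy(manifest: dict, dest: Path) -> dict:
    """Re-read the destination from disk and compare it with the source manifest."""
    found = build_manifest(dest)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "mismatched": sorted(k for k in manifest.keys() & found.keys()
                             if manifest[k] != found[k]),
        "unexpected": sorted(set(found) - set(manifest)),
    }


def is_verified(report: dict) -> bool:
    return not any(report.values())  # nothing missing, altered or extra


def demo() -> dict:
    """Constructed sample: one card offloaded to two drives, one copy damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        card = Path(tmp, "A001_CARD")
        (card / "CLIPS").mkdir(parents=True)
        (card / "CLIPS" / "A001C001.mov").write_bytes(b"take-1" * 1000)
        (card / "CLIPS" / "A001C002.mov").write_bytes(b"take-2" * 1000)
        manifest = build_manifest(card)  # hash the source before the card is reused
        raid, shuttle = Path(tmp, "RAID"), Path(tmp, "SHUTTLE")
        shutil.copytree(card, raid)
        shutil.copytree(card, shuttle)
        # Same size, different bytes: a size-only comparison would miss this.
        (shuttle / "CLIPS" / "A001C001.mov").write_bytes(b"take-X" * 1000)
        (shuttle / "CLIPS" / "A001C002.mov").unlink()
        return {"RAID": verify_copy(manifest, raid),
                "SHUTTLE": verify_copy(manifest, shuttle)}


if __name__ == "__main__":
    for drive, report in demo().items():
        print(drive, "VERIFIED" if is_verified(report) else f"FAILED {report}")
```

A card should be released for reformatting only after every destination returns an empty report.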

    For broader IT environments (such as production office workstations or post facility endpoints) tools like NinjaOne can manage automated incremental backups with encryption and MFA. For long-term cloud retention, Backblaze B2 Cloud Storage provides an S3-compatible API, immutable backups via Object Lock, and 11 nines durability (99.999999999%), which is appropriate for irreplaceable assets.

    LTO-9 (18TB native per cartridge, LTFS for drag-and-drop) remains the standard for offline, air-gapped archival. However, dual LTO directly on set is uncommon outside high-end studio features. On most productions, LTO archiving happens near-set in a dedicated DIT cart or trailer, or at the post facility once media reaches editorial, rather than during active shooting. The benefit (immutable, offline defense against ransomware and accidental deletion) is the same; the location and timing differ by budget tier.

    A frequent oversight is neglecting restore testing. Many productions assume their backups are recoverable until a crisis hits, only to discover corrupted files or inaccessible archives. Another error is over-relying on single-site backups without segmentation. A single ransomware attack could compromise all data if primary and backup copies are not sufficiently isolated. Productions also routinely fail to coordinate maintenance windows with camera crews, leading to conflicts where critical backups cannot be performed during active shooting.

    💡 Pro Tip: Develop comprehensive runbooks for ransomware recovery. These should detail steps like isolating infected drives, identifying the last clean backup, and restoring from immutable, offsite LTO archives. Use policy templates that are tiered by asset type: project-aware backups for editorial project files (Avid bins, Premiere projects, Resolve databases) and full-volume backups for critical workstations.

    Data loss has direct financial consequences: lost shoot days, reshoot costs, insurer claims, and contractual penalties to distributors. Disciplined backup protocols are part of the risk and insurance posture of any production. For more on managing production finances and contingency, see our guide on Cashflow Scheduling: Avoiding Payroll Crises and Vendor Shutdowns.

    Access Controls and Permissions for Production Assets

    Controlling who can access what data is as crucial as backing it up. Production assets, ranging from raw footage to scripts and confidential budgeting documents, require stringent access controls. The professional standard is to enforce least-privilege access through documented governance. Folder or department owners (e.g., the VFX Supervisor for specific asset deliveries, the Director for their dailies) approve access requests, while IT enforces these permissions without controlling the content itself.

    Reviewing access at key production phases (pre-production to production, production to post, post to delivery) and at major crew transitions is more realistic than rigid quarterly cadences, given that productions rarely run long enough for that schedule. Each phase transition is a natural audit point. This practice aligns with international data protection regulations like GDPR and CCPA, as well as MPA TPN guidance and ISO 27001 principles, which emphasize traceable data lineage. Every drive and deliverable should have a documented custody and version history.

    Cloud-based collaboration platforms like SharePoint and OneDrive are increasingly common for sharing dailies cuts, scripts, and production documents. They offer granular site permissions, sensitivity labels, and automated retention policies. Custody of these digital folders must be explicitly assigned to specific production roles. On set, a NAS like the QNAP TS-673A can support snapshot-based protection and Active Directory or LDAP integration; ZFS-based snapshots are available only when running QuTS hero (the ZFS-based OS), not the standard QTS firmware.

    A common mistake is failing to document permissions changes, especially during crew handovers. When an Assistant Camera leaves the production, their access to camera card data might not be formally revoked or transferred, creating audit gaps and potential security vulnerabilities. Similarly, granting broad access without clear role linkage undermines the entire security framework.

    💡 Pro Tip: Link access directly to formal production roles (e.g., "DIT Group" has read/write on raw footage folders, "Post Only" has read-only on proxies). For larger productions, periodic permission audits (using built-in reporting in SharePoint, Active Directory, or your NAS) can flag drift from policy. Always coordinate with production security personnel for chain-of-custody logs on physical drive handoffs, ensuring every transfer is documented and verified.
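
One way to run the periodic permission audit described above, as an added example that is not taken from SharePoint, Active Directory or any NAS product: it compares an ACL export against a role policy and flags "Everyone" grants, rights beyond the role's maximum, principals outside the policy, and direct grants to individual or departed crew. The group names come from the Pro Tip; the folder paths, user names and export layout are assumptions.

```python
from pathlib import PurePosixPath

# Policy: folder -> {role group: maximum rights}. Paths are constructed for this example.
POLICY = {
    "/raw": {"DIT Group": "rw"},
    "/proxies": {"DIT Group": "rw", "Post Only": "r"},
    "/dailies": {"DIT Group": "rw", "Post Only": "r"},
}
BROAD_PRINCIPALS = {"Everyone"}
RANK = {"r": 1, "rw": 2}

# Constructed crew roster: individual accounts and whether they are still on the show.
ROSTER = {"a.camera": {"active": False}, "j.dit": {"active": True}}

# Constructed ACL export, one row per grant as a NAS or directory report might list it.
ACL_EXPORT = [
    {"path": "/raw", "principal": "DIT Group", "rights": "rw"},
    {"path": "/raw/day03", "principal": "a.camera", "rights": "rw"},
    {"path": "/raw", "principal": "j.dit", "rights": "rw"},
    {"path": "/proxies", "principal": "Post Only", "rights": "rw"},
    {"path": "/dailies/day03", "principal": "Everyone", "rights": "r"},
    {"path": "/dailies", "principal": "Post Only", "rights": "r"},
    {"path": "/proxies", "principal": "VFX Vendor", "rights": "r"},
]


def policy_for(path: str, policy: dict) -> dict:
    """Return the policy of the nearest ancestor folder (subfolders inherit)."""
    p = PurePosixPath(path)
    for candidate in (p, *p.parents):
        if str(candidate) in policy:
            return policy[str(candidate)]
    return {}


def audit(acl: list, policy: dict, roster: dict) -> list:
    """Return (finding, path, principal) for every grant that drifts from policy."""
    findings = []
    for entry in acl:
        path, who, rights = entry["path"], entry["principal"], entry["rights"]
        allowed = policy_for(path, policy).get(who)
        if who in BROAD_PRINCIPALS:
            findings.append(("BROAD_GROUP", path, who))
        elif who in roster:
            # A grant to a person instead of a role group survives crew handovers.
            code = "DIRECT_GRANT" if roster[who]["active"] else "DEPARTED_USER"
            findings.append((code, path, who))
        elif allowed is None:
            findings.append(("NOT_IN_POLICY", path, who))
        elif RANK[rights] > RANK[allowed]:
            findings.append(("EXCESS_RIGHTS", path, who))
    return findings


if __name__ == "__main__":
    for finding in audit(ACL_EXPORT, POLICY, ROSTER):
        print(*finding, sep="\t")
```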

    Effective access control also plays a vital role in preventing scope creep. By clearly defining who can access and modify specific project files and deliverables, productions can better manage the evolution of creative and technical requirements. This minimizes unauthorized changes and ensures that all work adheres to the agreed-upon vision and budget. For further reading on managing project scope, refer to our guide on How to Prevent Scope Creep on Indie Films: A Change Control System That Works.

    Retention, Delivery, and Handover of Deliverables

    The lifecycle of production data extends far beyond the wrap of principal photography, culminating in the delivery of final deliverables and long-term retention. Formal retention rules are typically dictated by contractual obligations with distributors, broadcasters, or insurers (e.g., one-year active retention for dailies, seven-year or longer archive for feature film masters). Handover Standard Operating Procedures (SOPs) must clearly specify delivery formats, such as IMF (Interoperable Master Format) packages for final masters, ProRes deliverables for broadcast, and DCP for theatrical.

    Ultimately, the producer (or the financing entity defined in the production agreement) owns the final deliverables. A tiered retention policy, combined with point-in-time restore capabilities, ensures that necessary assets can be retrieved at any stage. Output management processes are critical for organizing and distributing documents like Edit Decision Lists (EDLs), AAF/XML conform files, and production reports, complete with records of custody transfer.

    For long-term archival of deliverables, AWS S3 Glacier Deep Archive offers highly cost-effective storage (around $0.00099/GB/month at current rates) with a minimum retention period of 180 days and immutability via Vault Lock. Handover of such archives is managed through signed access manifests. For high-volume file delivery, Aspera Faspex (IBM) provides browser-based, high-speed transfers of large files with audit trails for custody transfer; Signiant Media Shuttle is another widely used alternative in the M&E industry.

    A common and costly mistake is prematurely deleting backups or source files without formal retention sign-off from all stakeholders. Another significant issue is delivering unversioned files (e.g., "final_edit.mov" instead of "final_edit_v03.mov"), which inevitably leads to disputes and confusion over which version is authoritative. Skipping chain-of-custody documentation during studio handovers can also result in legal or financial liabilities.

    💡 Pro Tip: Create detailed handover runbooks that include required approvals, chain-of-custody forms, and secure transfer logging for every deliverable. Implement retention tiers that match contractual obligations (e.g., daily backups for active deliverables in cloud storage, weekly snapshots, and LTO for long-term archive). Forecast capacity needs for post-production growth (proxies, VFX plates, color sessions) before they overrun your storage plan.

    The methodical approach to data retention and handover directly influences the overall perception of professionalism and reliability. This systematic approach is also vital for managing the complex requirements of minors on set, where specific data (like consent forms and schooling records) may have different retention periods and access rules. For detailed considerations, consult our guide on Minors on Set: Scheduling, Schooling, and Legal/Safety Constraints.

    Documentation, Compliance, and Audit Practices

    The bedrock of any effective data policy is comprehensive documentation. This includes maintaining policy catalogs, Standard Operating Procedures (SOPs), and runbooks for all backup and restore processes. These documents should delineate triage matrices and detailed restore workflows. Productions targeting studio distribution must also be prepared to produce evidence (backup success reports, access review logs, encryption attestations) for MPA Trusted Partner Network (TPN) assessments and internal audits. Mature data governance frameworks can automate validation and lineage tracking for on-set assets, supporting compliance from capture to archive.

    Tools like IT Glue, often used by Managed Service Providers, offer tiered documentation templates and asset management ideal for cataloging drive inventories, custody records, and compliance artifacts. These platforms support role-based access to documentation itself, ensuring that only authorized personnel can view or modify critical policy information. For a film-specific maturity reference, the most relevant frameworks are MPA TPN Best Practices and Digital Asset Management (DAM) maturity models published by industry bodies, rather than generic vendor maturity ladders.

    A critical mistake is treating documentation as an afterthought. Productions often inherit undocumented drives or workflows from previous projects, creating a labyrinth of uncertainty. Lacking clear restore records for compliance evidence is another common pitfall, leaving productions vulnerable during audits or insurer reviews. Without proper documentation, the "who, what, when, where, and why" of data management becomes impossible to trace.

    💡 Pro Tip: Automate evidence collection wherever possible. Use APIs from backup solutions to generate dashboards showing SLA breaches or RPO summaries. Tier documentation by risk so the most critical data processes have the most detailed and frequently reviewed documentation. Conduct periodic recovery drills that incorporate chain-of-custody exercises. For productions handling personally identifiable information (cast contracts, minor consent forms, payroll), align restore processes with applicable privacy regulations so you restore only the minimum data necessary.

    Regular tech scouts are essential for identifying potential data management challenges before they escalate. A thorough tech scout is not just about camera positions and lighting; it is also about assessing network infrastructure, power availability for data wrangling stations, and secure storage options for drives. Proactive planning, informed by thorough documentation, can prevent a significant percentage of on-set problems. For more on this, see our guide on How to Run a Tech Scout That Prevents 50% of On-Set Problems.

    Interface & Handoff Notes

    What you receive (upstream inputs):

  • Camera media (SSD, CFast, SD cards, RED MINI-MAG) with raw footage.
  • Production sound recorder media with polyphonic WAV files and sound reports.
  • Script supervisor's notes, digital or physical.
  • Art department's digital assets (blueprints, mood boards, set photos).
  • Wardrobe photos and continuity logs.

    What you deliver (downstream outputs):

  • Verified dailies (proxies and/or full-resolution files) to editorial.
  • Checksum-verified backups (with MHL or equivalent manifests) to offsite storage.
  • Metadata-rich folder structures for post-production.
  • Chain-of-custody logs for all physical and digital transfers.
  • Archival deliverables (LTO tapes, cloud archives) to studio or distributor.

    Top 3 failure modes for THIS specific topic:

    1. Undocumented or shared drive custody: Leads to confusion, unmanaged data, and security vulnerabilities. When no one is clearly responsible, data gets lost or corrupted without accountability.

    2. Untested backups or single-point failure: Assuming backups work without verification, or relying on only one backup copy, leads to catastrophic data loss when the primary system fails.

    3. Lack of version control and metadata: Delivering unversioned files or files without proper metadata (scene, take, camera, sound roll) creates chaos in post-production, leading to costly rework and potential creative compromises.

    Browse This Cluster

  • The Producer's Workflow Bible: Calendars, Docs, and Version Control
  • Cashflow Scheduling: Avoiding Payroll Crises and Vendor Shutdowns
  • How to Run a Tech Scout That Prevents 50% of On-Set Problems

    Next Steps

    A disciplined on-set data policy is not a luxury; it is a baseline requirement for any serious production. By defining custody, implementing rigorous and tested backup protocols, enforcing least-privilege access, and establishing clear retention and handover procedures aligned with MPA TPN expectations, productions safeguard both their creative work and their financial investment. For a broader understanding of the systems that underpin successful film production, explore our guide on The Producer's Workflow Bible: Calendars, Docs, and Version Control. To understand how data management impacts financial planning, read Cashflow Scheduling: Avoiding Payroll Crises and Vendor Shutdowns.

    To proactively address potential data-related issues before they arise, review How to Run a Tech Scout That Prevents 50% of On-Set Problems.

    © 2026 BlockReel DAO. All rights reserved. Licensed under CC BY-NC-ND 4.0 • No AI Training. Originally published on BlockReel DAO.