It is important to carry out a risk assessment of your travel plans well in advance of travelling, and this should include an assessment of Information Security risks. This may consist of a personal assessment but could also include your line manager and/or other School or Unit representatives. The University Travel Plan and Risk Assessment information linked below should be consulted. Your School or Unit may also have local information or resources that should be considered.
Always follow the Guidance on Travel Safety linked below.
From an Information Security perspective, the goal should be to minimise the risks to University data and assets, your own data and assets, and – of course – risks to yourself.
Travel plan and Risk Assessment information
To protect University and your own data we advise that you should always use encrypted devices. However, there are potential legal ramifications when entering other countries which may depend on many factors including who you are and what you are entering the country for. A few countries do not allow encryption for personal use at all. Many countries allow encryption for personal use but have laws/regulations that require you to give access to the data on request at borders or by law enforcement. To protect yourself you may need to comply with such regulations.
The websites on encryption law linked below may help on what these laws and regulations currently are but it is your responsibility to make sure that you do not break the laws of countries that you travel to, and you may need to consult further. Consult the University Business Travel Advice site for information and advice. This contains important details about passports and visas, and has information on Embassies.
Information on encrypting devices
https://www.gp-digital.org/world-map-of-encryption/
University Business Travel Advice
Do you need to take a work laptop or device at all? The best way to minimise risks is not to have any University or personal data to protect
If you do need to take a laptop/device, do you need to have any data stored on it? The information linked below on Off Site Working can help you utilise services such as SharePoint, OneDrive, Datastore, Remote Desktop, Outlook and Microsoft Office 365 applications via the web. Using this minimises data on your local device and your need to have your own specific device. You can also use the University VPN service as a further level of protection. Your School or Unit may be able to provide you with a freshly built encrypted laptop or device which will be free of data, but you should be prepared to provide access to the device as requested by the laws of the country you are visiting even if there is no data on it.
If you do need to take a laptop/device and you do need to have data on it then the device must be encrypted - see the information linked below. You may also wish to encrypt the data itself either by using an encrypted container or application-level encryption. You can also use the University VPN Service as a further level of protection for online work. You should be prepared, however, to provide access to the device and to data as requested by the laws of the country you are visiting. It is far easier to put required data on a clean device than it is to remove data that is not required from your usual device so your School or Unit may be able to provide you with a freshly built laptop or device which will initially be free of data.
Finally, there are some Information Security high-risk countries where we advise not taking encrypted devices. As far as the University is concerned these are currently China, Iran, North Korea, and Russia. For such countries - and only if you need to take a device with you – we advise that you should use the University's Clean Laptop Service which will provide a freshly built laptop with no encryption. We also advise that you should work online only and utilise the University's VPN if available. Further information can be found in the Guidance for Travel to Information Security High Risk Countries document.
Guidance for Travel to Information Security High Risk Countries 2023 (Word document)
