Things you need to consider, and do, when travelling
It is important to carry out a risk assessment of your travel plans well in advance of travelling, and this should include an assessment of Information Security risks. This may consist of a personal assessment but could also include your line manager and/or other School or Unit representatives. The University Travel Plan and Risk Assessment information linked below should be consulted. Your School or Unit may also have local information or resources that should be considered.
You should ensure that you can maintain access to necessary digital services that are protected by MFA. Advice on this can be found in the MFA and Travel pages linked below.
Always follow the Guidance on Travel Safety linked below.
From an Information Security perspective, the goal should be to minimise the risks to University data and assets, your own data and assets, and – of course – risks to yourself.
To protect University and your own data we advise that you should always use encrypted devices. However, there are potential legal ramifications when entering other countries which may depend on many factors including who you are and what you are entering the country for. A few countries do not allow encryption for personal use at all. Many countries allow encryption for personal use but have laws/regulations that require you to give access to the data on request at borders or by law enforcement. To protect yourself you may need to comply with such regulations. The websites on encryption law linked below may help on what these laws and regulations currently are but it is your responsibility to make sure that you do not break the laws of countries that you travel to, and you may need to consult further. Consult the University Business Travel Advice site for information and advice. This contains important details about passports and visas, and has information on Embassies. Information on encrypting devices |
Do you need to take a work laptop or device at all? The best way to minimise risks is not to have any University or personal data to protect If you do need to take a laptop/device, do you need to have any data stored on it? The information linked below on Off Site Working can help you utilise services such as SharePoint, OneDrive, Datastore, Remote Desktop, Outlook and Microsoft Office 365 applications via the web. Using this minimises data on your local device and your need to have your own specific device. You can also use the University VPN service as a further level of protection. Your School or Unit may be able to provide you with a freshly built encrypted laptop or device which will be free of data, but you should be prepared to provide access to the device as requested by the laws of the country you are visiting even if there is no data on it. If you do need to take a laptop/device and you do need to have data on it then the device must be encrypted - see the information linked below. You may also wish to encrypt the data itself either by using an encrypted container or application-level encryption. You can also use the University VPN Service as a further level of protection for online work. You should be prepared, however, to provide access to the device and to data as requested by the laws of the country you are visiting. It is far easier to put required data on a clean device than it is to remove data that is not required from your usual device so your School or Unit may be able to provide you with a freshly built laptop or device which will initially be free of data. |
There are some Information Security high-risk countries where we advise not taking encrypted devices. As far as the University is concerned these are currently China, Iran, North Korea, and Russia. For such countries - and only if you need to take a device with you – we advise that you should use the University's Clean Laptop Service which will provide a freshly built laptop with no encryption. We also advise that you should work online only and utilise the University's VPN if available. Further information can be found in the Guidance for Travel to Information Security High Risk Countries document.
Guidance for Travel to Information Security High Risk Countries (2025 update) (Word document)
Regardless of what device you are using the best way to minimise the risks associated with having data on the device is to work online where possible. The guidance on Off Site Working will aid you with this. In order to make working online more secure you should ensure that you can use the University VPN Service . You should also consider that your access to University support may be limited when you are travelling: make sure that you have tested whatever resources you need to take or use well in advance of travel and are comfortable using them. |
Backups are always important, but if you are travelling the risks of theft, damage or confiscation of your devices mean that you should ensure that a backup is taken. We have some advice on backups linked below. However, the recommendation to minimise the data you are carrying should mean that there is little or no data to back up. No unnecessary data should be present on the device; for this reason, it is usually easier to start with a device that has no data on it.
In summary;
- Make sure that you and your line management or applicable School/Unit staff have assessed the risks
- Make sure you are following all applicable laws and regulations, and bear in mind that this may involve providing access to your devices
- Take the minimum amount of University or personal data with you - only what you require to carry out your expected tasks, and ideally none
- Utilise online services where possible and use the VPN
- Make sure that whatever resources you will be using work as you expect and familiarise yourself with them before travelling
- Make sure that you follow the relevant University policies:
- Always follow the Guidance on Travel Safety
This article was published on