Travelling with encrypted devices

Most portable devices – laptops, smartphones and memory sticks – should be encrypted so that the information they contain is protected if the device is lost or stolen. Many countries (including the UK) give their immigration and other authorities legal powers to demand that you decrypt an encrypted device, though given the number of laptops that cross borders every day, only a tiny minority seem to be subject to such demands. The possibility of decryption being required does mean that you and your employer should assume that a laptop may have to be decrypted when travelling: any information (for example personal or commercial) that you don’t want disclosed to foreign authorities should be removed before you leave. The UK Information Commissioner’s guidance indicates that this should be an extension of routine practice, since laptops shouldn’t contain unnecessary information anyway:

As long as the [personal] information stays with the employee on the laptop, and the employer has an effective procedure to deal with security and the other risks of using laptops (including the extra risks of international travel), it is reasonable to decide that adequate protection exists.

A few countries’ laws go further and place restrictions on the use of encryption. Travel advice from the UK Foreign Office and US State Department should warn if taking an encrypted device to a country is likely to cause problems. If you are concerned about taking an encrypted device to a foreign country, leave your normal laptop and phone at home. If you need to communicate while you are away, take a freshly installed basic device with no encryption and minimal data on it. Assume that it will be compromised and malware installed while you are away, so don’t use it for any sensitive information or connect it to any protected networks, and wipe and re-install it at the end of your trip. Personal data of EU residents shouldn’t be stored on an unencrypted laptop, but the Information Commissioner suggests that it may be acceptable to store information from those you meet while you are away, as they will be used to local, rather than EU, data protection laws:

Where information has been obtained in a third country (i.e. outside the EEA) this will be a relevant factor as the data subjects may have different expectations as to the level of protection that will be afforded to their data than if the information had been obtained in the EEA. Where the country (or territory) of origin of the information is outside the EEA it is important to remember that the DPA is not intended to provide a different level of protection for the data subjects’ rights than that provided by the data protection regime, if any, in the non-EEA country of origin.

Organisations whose staff regularly travel to these countries may find it worth maintaining a loan pool of ‘travelling’ laptops and phones, ensuring that these are wiped and reinstalled between each trip.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
