Travelling abroad with AU data Policy

If you have confidential or personal data on a removable device that is taken off University property, University Rules and Regulations say that the device (laptop, removable hard disk storage, data stick etc), or the relevant files on it, must be encrypted.  This is to ensure that the data cannot be accessed if it is lost or stolen. 

When travelling abroad, particularly to countries external to the UK and the EU, you need to carefully consider the issue of what data you need to take with you, and also what needs to be encrypted and also your destination’s laws in relation to encrypted data and hardware.  Ideally, you should seek advice from Information Services well in advance of any travel. 

Key Points 

There are four major issues you need to consider if you are planning to take your laptop or other device with you when travelling abroad:  

1. Illegality: It may be illegal to use encryption or take encryption hardware into a country.

2. Import licence: You may need an import licence to use encryption or take encryption hardware into a country. 

3. Information disclosure: You may be required to disclose encryption key(s) to local authorities (e.g. customs officials) to enable them to access encrypted information. 

4. Tampering: In some countries, attempts may be made to tamper with your laptop e.g. to install key-logging hardware or software, putting your information at risk. 

1. Where encryption or possession of encryption hardware is illegal

In countries where the use of encryption or the possession of encryption hardware is illegal, you must not take an encrypted laptop or encrypted USB memory stick or hard drive with you.  

If you do, then you may: 

  • be prevented from entering the country you are travelling to, disrupting your work 
  • have your equipment confiscated (and possibly not returned) resulting in: 
  • inconvenience to you and financial cost to the University,  
  • extreme cases, detention or arrest. 

If you are travelling to a country where this is the case, and it is critical that you have a laptop for work purposes when abroad, you should contact Information Services (IS) for advice. Depending on your requirements, a short-term loan laptop (without encryption or encryption hardware) may be available.   

2. An import licence is required

Some countries require you to obtain an import licence if you are taking encryption hardware with you or using encrypted devices. In cases where encryption hardware is controlled, the licence will be required regardless of whether encryption is actually in use. 

You will normally need to apply in advance for an import licence, generally at the same time as obtaining a visa. Some countries have individual exemptions for encryption hardware or software.  Be careful as these may be for private, non-business related purposes. If you are relying on an exemption you must be sure it will apply to you. 

The process of obtaining an import licence for encryption may take longer than obtaining a visa for travel. By applying for an import licence, you may be advertising that you are carrying (potentially) sensitive information with you on your device and in some countries this may increase the risks that your device may be tampered with. 

3. Information Disclosure

Even in countries where encryption is permitted (for example, the United States) you may find that you are required to allow local authorities access to your laptop or other storage devices and, if encrypted, that you disclose the encryption keys needed to access information on them. 

You should plan ahead when travelling abroad and taking information with you on your laptop.  

You should not take any information with you where its disclosure to authorities would constitute a breach of data protection legislation; a breach of confidence; or would otherwise be damaging to the interests of the University. As far as possible, any information you take with you should be limited to that which is necessary for your work while abroad. 

4. Tampering

There are some countries where there are additional threats posed by the possibility of tampering. 

In these countries your laptop may be at risk of being compromised if it is handed to the authorities or is not kept with you at all times. 

You are vulnerable even if the laptop is encrypted and it is possible for hardware key loggers to be installed so that your activities and communications (including your PIN and your username and password) can be recorded. 

Some best practice 

When travelling, also be aware of other risks and make familiarize with best practice.  See below: 

  • Be wary when charging your device: beware of free charging kiosks - they might be connected to devices which intercept your username and password when you connect your device 
  • Keep your device with you or lock it up: consider the risks of leaving your device behind, e.g. in a hotel room or conference venue. If you must do this, ensure the device is locked in an official secure place or safe 
  • Report a lost device immediately: contact the University Data Protection Officer at infogovernance@aber.ac.uk 
  • Do not connect to unsecure networks: do not use unsecure networks - in addition to internet cafes, be aware that hotel and conference centre networks or even your friend's network may be insecure 
  • Do not connect to other devices: do not allow storage devices to connect to your device (including USB sticks; they may be infected without their owner's knowledge) 
  • Turn off your device: do not keep your device on when you're not using it, not even in sleep mode as it is still transmitting information. Switch off wifi, bluetooth and GPS when you don't need them 

Finally, do not take data, particularly AU confidential data or personal data, with you abroad