Last updated: 
4 days 14 hours ago
Blog Manager
One of Janet’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Travelling with encrypted devices

Tuesday, February 11, 2014 - 20:03

Most portable devices – laptops, smartphones and memory sticks – should be encrypted so that the information they contain is protected if the device is lost or stolen. Many countries (including the UK) give their immigration and other authorities legal powers to demand that you decrypt an encrypted device though given the number of laptops that cross borders every day only a tiny minority seem to be subject to such demands. The possibility of decryption being required does mean that you and your employer should assume that a laptop may have to be decrypted when travelling: any information (for example personal or commercial) that you don't want to have disclosed to foreign authorities should be removed before you leave. The UK Information Commissioner’s guidance indicates that this should be an extension of routine practice, laptops shouldn't contain unnecessary information anyway:

As long as the [personal] information stays with the employee on the laptop, and the employer has an effective procedure to deal with security and the other risks of using laptops (including the extra risks of international travel), it is reasonable to decide that adequate protection exists.

A few countries' laws go further and place restrictions on the use of encryption. Travel advice from the UK Foreign Office and US State Department should warn if taking an encrypted device to a country is likely to cause problems. If you are concerned about taking an encrypted device to a foreign country then leave your normal laptop and phone at home. If you need to communicate while you are away take a freshly installed basic device with no encryption and minimal data on it; assume that it will be compromised and malware installed while you are away so don't use it for any sensitive information or connect it to any protected networks; wipe and re-install it at the end of your trip. Personal data of EU residents shouldn't be stored on an unencrypted laptop but the Information Commissioner suggests that it may be acceptable to store information from those you meet while you are away as they will be used to local, rather than EU, data protection laws:

Where information has been obtained in a third country (i.e. outside the EEA) this will be a relevant factor as the data subjects may have different expectations as to the level of protection that will be afforded to their data than if the information been obtained in the EEA. Where the country (or territory) of origin of the information is outside the EEA it is important to remember that the DPA is not intended to provide a different level of protection for the data subjects rights than that provided by the data protection regime, if any, in the non-EEA country of origin.

Organisations whose staff regularly travel to these countries may find it worth maintaining a loan pool of 'travelling' laptops and phones, ensuring that these are wiped and reinstalled between each trip.

Comments