This guidance supports Safe use of University information: guidance on device configuration and use - User commitment 2.4:
"Users must check the security requirements for University information stored on or accessed from their devices before travelling abroad, particularly if travelling outside the European Economic Area."
This guidance is not definitive as this is a complex and fluctuating area dependent on individual circumstances.
As this is a changing area, guidance will be updated to reflect new circumstances and in response to feedback.
If you're in doubt about any of this guidance, or if you have questions or feedback, please contact IT Support.
Implement policy: Read, understand and implement all the User Commitments in the Policy for Safe use of University information on all devices when using any device to access University information in the UK or abroad.
Clarify risks: Is the University information (physical or electronic) confidential? Is taking it with you a risk to its security?
Prepare and take care of your device: Ensure your device is safe to use and keep it with you when travelling. Assess the risks when deciding whether to take an encrypted or unencrypted device.
Foreign & Commonwealth Office travel advice email: TravelAdvicePublicEnquiries@fco.gov.uk
Understand export controls: You need to obtain a licence before some encryption software and hardware can be exported (transported) from the UK.
Consider encryption: Many University managed mobile devices (laptops, tablets, phones) are encrypted to keep the information stored on them secure. On some non-University managed devices, setting up password protected auto-locks automatically encrypts the device. You may also have encrypted other devices or data yourself. However, not everyone views encryption in a favourable manner as it can be used for military and/or criminal purposes. In some countries you need permission before you can bring in an encrypted device or data.
Understand local laws of your destination country: Remember that the laws of a country can change at any time. Before you travel, check for the most up-to-date information about travelling with encrypted devices and data. Failure to follow the requirements of the country you are visiting could result in the confiscation of the device, fines and/or other penalties, including detention.
Assume everything you do on your device is being intercepted: This risk is higher in some countries. If you make the assumption that your data is being intercepted, you will be more aware of potential risks and it will help to keep your device and data safe.
Depending on the country you are visiting and the security arrangement at its borders, you may be asked to reveal the contents of your device or papers.
Overseas governments might have the right to access your information and you must be prepared to show it to their representatives (such as border control) on request. This can include insistence that you unencrypt your device or confiscation of your device.
For these reasons, you should avoid taking any Confidential information with you (check the University Information Classification and Handling Scheme). You should keep such information on your University filestore or York Google Drive and access it using the University Virtual Desktop Service (VDS). There is still a risk that data traffic may be monitored and it is your responsibility to assess this risk.
If it is essential to take Confidential information abroad (physical or electronic), you must:
Make sure you have:
If you follow the User Commitments in the Policy for Safe use of University information on all devices you will minimise risks to your device and information. There are some increased risks to your device when you travel:
The risk of your device being tampered with is higher when travelling abroad, especially in some countries. To ensure your device is safe to use on your return:
If you are unsure whether your device is encrypted you can ask IT Support for help.
Be aware that:
UK export controls require licensing for the export of restricted encryption software and hardware. However, mass market products which are available to the public, such as Sophos Safeguard, BitLocker (Microsoft devices), FileVault (Apple devices) and LUKS (used on Linux computers within the University), are not subject to export control.
If you use encryption software which is not a mass market product, it is likely that you will need to obtain what is known as a Cryptography Open General Export Licence (OGEL).
For more information see the UK Government advice on Export of cryptographic devices.
It depends. Because encryption products can be used for illegal purposes, including terrorist activity, many countries ban or severely regulate the import, export and use of encryption products.
Taking your device with encryption software or hardware (irrespective of whether you have implemented encryption) to certain countries without proper permission could violate import regulations of the country to which you are travelling, and could result in your device being confiscated, fines or other penalties.
A group of countries (referred to here as 'Permitted Countries') has negotiated a set of rules which attempt to facilitate travelling with encryption software. This is known as the Wassenaar Arrangement. One of its provisions allows a traveller to enter a participating country freely with an encrypted device in certain circumstances.
A University headed letter, stating that your device is encrypted using commercial encryption software and that the information is normal business information in relation to your role at the University, may be helpful in the event of questioning at border controls. See the example declaration letter at the bottom of this page.
Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies: encryption software falls under Category 5 - Part 2 of the 'Dual-Use Goods and Technologies' controls.
Permitted Countries allow individuals to enter them with encrypted devices without the need to seek any licence or permission.
These Permitted Countries grant individuals a personal use exemption to freely enter them with encrypted devices, as long as the individual does not create, enhance, share, sell or otherwise distribute the encryption software during his/her stay in the relevant Permitted Country.
The countries that support the personal use exemption include (at April 2015): Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Republic of Korea, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Turkey, United Kingdom, United States.
Note that although the Russian Federation and the Ukraine agreed to many of the Wassenaar Arrangement's provisions, they currently do not permit personal use exemptions.
Remember that although you do not need a licence to take an encrypted device into the Permitted Countries you may still be asked to divulge the contents of your device, by logging in (which may put your username and password at risk) or unencrypting it.
You must assess the risks and consequences of this happening before departure.
See Travelling abroad with University information for more advice.
If in doubt ask IT Support for help.
Countries that are not on the list of Permitted Countries will normally only grant import permission on the production of an import licence. You will need to obtain a licence in advance through application to the government of the country in question.
Note that in countries where encryption is controlled you will need a licence irrespective of whether you have implemented encryption.
It is your responsibility to check with the Embassy or Consulate of the country you are intending to visit well in advance of your intended departure. Obtaining an import licence is likely to take longer than obtaining a visa for travel.
If you do not follow the requirements of the destination country you may:
You should also assess the risk that in applying for an import licence you may be advertising that you are carrying potentially confidential information on your device and in some countries this may increase the risk that your device may be tampered with.
Travelling with an unencrypted device may be an acceptable alternative in some circumstances.
Please note that even with a licence you may still be asked to divulge the contents of your device, by logging in (which may put your username and password at risk) or unencrypting it. You must assess the risks and consequences of this happening before departure.
See Travelling abroad with University information for more advice.
If in doubt ask for help.
Print out a letter using your University letterhead paper and including the following text:
To whom it may concern,
I, [NAME AND POSITION] of the University of York ("University"), confirm that the bearer of this letter, [NAME], [POSITION], is travelling with a device which has been encrypted with standard freely available commercial encryption software by the University as it contains confidential personal or commercial information relating to the University.
Head of Department
University of York
If in doubt ask for help from IT Support.
An alternative option is to travel with an unencrypted device. This is acceptable if the following two circumstances apply:
You should clear all personal information and unnecessary software and data from your device before travelling. Depending on the country you are travelling to you might: