Data Protection and Travel
Data Protection and Travel
The University recognises that when undertaking travel on University business that it may, on occasion, be necessary to take University information with you.
It is also recognised that travel can present risks to the protection and security of data.
In this section we have provided information on the risks to be aware of and measures you can take to keep your information secure when travelling on University business.
This advice applies to all travel on University business, which may include travel to conferences or meetings, research and field trips, and other travel where you will be transporting University information. This includes that held on University managed or personally owned devices such as computers, laptops, notebooks, iPads, tablets, mobile phones, portable printers, photocopiers or scanners with internal data storage facilities, external hard drives and memory sticks (USB’s), as well as hard copy data (e.g. paper files).
If you have any questions, please contact us at firstname.lastname@example.org.
This guidance supplements more general advice and requirements for business travel which can be found at https://www.reading.ac.uk/procurement/insurance/business-travel.
Before you travel:
- If travelling outside the UK, research your destination country for known any increased cyber threats, security threats, or local laws and customs that could present risks to the data you hold. Information can be found at https://www.gov.uk/foreign-travel-advice.
- Be aware that the UK restricts the export of some information, and that some countries may expressly forbid the import of information or encryption.
- Be mindful that some countries may also have poor digital infrastructures that could affect your ability to work in that location or that may restrict access to some services such as social media, web search engines, VPN’s and encrypted messaging platforms.
- Some countries will not have laws that are comparable to those in the UK. Taking identifiable personal data of a sensitive nature can present far greater risks to those it relates to in countries that do not. Avoid travelling with sensitive information in all instances and seek advice from imps if you have a need to do this – in some instances travel that involves the transfer of personal data will be restricted and risk assessments and safeguards will be required by law.
- If you are travelling with data subject to any third party (such as research funder) contracts, check whether there are restrictions on taking that information outside the UK, or EEA (these may be referred to as ‘Restricted Transfers’). Where this applies, in some instances, you will need the express permission of the contract party (ies) to do so.
- Consider what data can be accessed remotely rather than storing or holding on any device. Make use of University cloud services, such as Office 365 (One Drive).
- Only take data that you absolutely need. Clear your device of any other data held on the device (for example by moving to onsite or University cloud storage) before you travel.
- Back up any data you must take with you on site before you go.
- If you must take University data with you on a device, ensure that the device (and the data) are encrypted - unless any of the countries you are travelling to have restrictions on encryption - and be prepared for requests to decrypt and make information available at borders.
- Take separate copies of emergency contact numbers in case your device (s) are lost or seized. Keep these with you and secure.
- If you cannot encrypt your device (and the data) do not take any data classified as Highly Restricted under the University Classification Policy. Data classified as Restricted must be limited to only that which is strictly necessary and subject to all the above actions and considerations. Seek advice from IMPS if you are intending to take personal data (beyond emergency contacts) outside of the UK or EEA.
- Use University managed devices wherever possible. Where you need to take a personally owned device (including mobile phones) ensure that you have secured these in line with the Bring Your Own Device Policy.
- Check your devices are all in working order, and that any security scans and updates are up to date before you go to be sure that you can access what you need to and that you have all necessary peripherals such as chargers and connectors.
While you are traveling and away
- Turn off your device when not in use. Switch off wifi, bluetooth and GPS when you don't need them
- Do not leave devices or data unattended and be particularly vigilant in busy environments where you may be distracted, such as airports.
- Make use of secure storage, such as safes, if you do need to leave your device.
- Avoid using public and shared computers, such as those within internet cafes and coffee shops. Wifi connections in hotels and conference centres may be insecure – do not use these for accessing sensitive University data. Be wary of public USB charging ports.
- Connect via a VPN where you are able to do so.
- Be wary of connecting your device to other devices, use trusted file share tools if you can, do not plug USB’s into your device if you can not be sure they are from a trusted source.
- Be mindful of being overlooked in public spaces while using your device. Consider the use of privacy screens if you do have a need to use your device in locations where this is more likely.
- When accessing your University Office 365 account and editing a document, edit using the web versions of Word, Excel or PowerPoint or choose “open in Word desktop app” or “open in Excel desktop app” so this does not download any data or store it on your device while you are away.
- In the event of loss or theft or a device or University data follow the procedures for reporting and information security incident as soon as you are able to, via the means you have available to you. Leave a message if this requires you to call outside of UK office hours.
When you return
- Check you have all your devices with you. Report any lost devices or data.
- Run any available security scans on your device
- If you notice anything suspicious, or have concerns, contact DTS for advice