All University-owned laptops must be encrypted. However, in some countries you need permission before you can bring in an encrypted laptop or other device.
In addition some encryption software requires a licence before it can be exported from the UK (but not the standard products the University uses: Sophos Safeguard and TrueCrypt)
UK export controls requires licensing for the export of restricted encryption software and hardware. However, mass market products which are freely available to the public, such as Sophos Safeguard, BitLocker and FileVault which are used on Microsoft and Apple computers, and LUKS, which is used on Linux computers within the University, are not subject to export control.
Should you use encryption software which is not a mass market product, it is likely that you will need to obtain what is known as a Cryptography Open General Export Licence (OGEL). Further details can be found at https://www.gov.uk/export-of-cryptographic-items
Countries which you can freely enter with an encrypted laptop
Some countries allow individuals to enter them with encrypted laptops, without the need to seek any licence or permission. These ‘Permitted Countries’ grant individuals a “personal use exemption” to freely enter them with encrypted laptops, as long as the individual does not create, enhance, share, sell or otherwise distribute the encryption software during his/her stay in the relevant Permitted Country. A list of Permitted Countries (as at 2011) can be found at Annex A.
However, although you do not need a licence to take an encrypted laptop into the Permitted Countries, upon entry, you may still be asked to divulge the contents of your laptop, including by un-encrypting the laptop. See the ‘Advice’ section below for further advice in this regard.
Countries for which you need permission to enter with an encrypted laptop
Countries that do not feature on the list of Permitted Countries will normally only grant import permission on the production of an import licence. Licenses are usually obtained in advance through application to the government of the country in question. Please check with the Embassy or Consulate of the country you are intending to visit well in advance of your intended departure. Please note that even with a licence, you may be asked to decrypt your device at the port of entry (see ‘Advice’ below).
Taking an encrypted laptop to certain countries without possession of the appropriate licences could violate both UK export controls and/or the import regulations of the country being travelled to. This could result in the confiscation of the laptop, fines and/or other penalties. The laws of a country can change at any time. Therefore, before travelling internationally, it is important to ensure that you have the most up-to-date information about travelling with encrypted laptops.
Staff who have a need to travel to a country which does not permit the import of an encrypted device without a permit or licence are responsible for obtaining such permission before taking an encrypted laptop (or encrypted device) to such a country. This is the default approach and we recommend that this is explored in preference to the other options below.
The Higher Education community is not aware of anyone experiencing a problem when travelling to a country where permission to import encryption was required in advance but such permission was not obtained prior their entry. With this in mind, the individual may wish to assess the risk and make a balanced judgement whether they should apply for permission or not.
An alternative option is to travel with an unencrypted laptop. However, travel with an unencrypted laptop is acceptable only in two scenarios:
There is no data whatsoever held locally on the laptop and it is used only as a terminal to access the University’s Virtual Windows Desktop service, so that as the user travels they are able to access email, personal and shared folders which remain on University servers and, in the event the laptop is lost or stolen no data would be lost.
There may be data stored locally on the device, but only if an assessment of all that data will result in the answer “No” to all the following questions:
1. Are the data personal data as defined by the Data Protection Act 1998?
2. Are the data otherwise classified as defined within the University’s Information Protection Policy?
3. Are the data subject to a Sponsor’s non-disclosure agreement or government security standards that require encryption?
4. Would the University suffer reputational damage if the data were disclosed or found unprotected?
5. Are the data valuable intellectual property of the University?
If the answer is Yes to any of these questions, then option 2b) is not permitted.
Depending upon the country you are visiting and the security arrangement at its borders, you may be asked to reveal the contents of your laptop or storage device. For this reason, you should avoid taking any classified data (as defined with the University’s Information Protection Policy) with you. Such data should be kept in your files store on the University’s servers. However, if it is necessary to take classified data overseas, you must ensure it is fully backed up to University servers prior to your departure and keep such data to the minimum necessary for the duration of your visit. You must assume that any overseas government has the right to access your data and you should therefore be prepared to show it to them if necessary. Otherwise you should avoid taking it and should discuss alternative arrangements with IT Services, such as remote access, but even then assume that data traffic may be intercepted. A University headed letter, stating that your laptop is encrypted using commercial encryption software and that the information is normal business information in relation to your role at the University, may be helpful in the event of questioning at border controls. An example is provided at Appendix B.
The following countries have signed an agreement permitting an individual traveller to bring an encrypted laptop into the country under a “personal use” exemption, as long as the traveller does not create, enhance, share, sell or otherwise distribute the encryption technology while visiting.
To whom it may concern,
I, [NAME AND POSITION] of the University of Leeds (“University”), confirm that the bearer of this letter, [NAME], [POSITION], is travelling with a laptop which has been encrypted with standard commercial encryption software by the University as it contains personal or commercial information relating to the University.
Yours sincerely
[NAME]
[POSITION]
The University of Leeds