Holiday packing list
The holiday season has descended and many employees will be looking forward to logging out and switching off for a week or two. Some, however, whether due to a specific business need or a desire to be diligent and avoid the mountain of emails on their return, may wish to take their company laptops and/or phones, or their own devices with access to company data, with them to keep on top of things while they’re away.
What are the implications of travelling abroad with company data and what safeguards should organisations have in place?
Employees are not data controllers in their own right and fall under the remit of the organisation, and this doesn’t change if they take data or devices overseas. Contractors, however, could be either data controllers in their own right or data processors subject to the organisation’s instructions. When an employee or contractor takes an organisation’s data or devices overseas on holiday or on business, that does not in and of itself constitute a transfer of personal data, because the data continues to fall within the responsibility of the controller at the ‘home’ location – it is not usually transferred to another entity overseas unless…
When data and devices are carried across borders they are exposed to security risks.
In the UK, both Border Force officers and police officers have distinct powers which may be exercised against individuals.
Border Force officers are granted powers under section 78(2) Customs and Excise Management Act 1979 to require passengers to produce baggage and anything therein or carried with them for inspection and to answer any questions posed.
In addition, paragraph 7 of Schedule 7 Terrorism Act 2000 grants police officers and designated immigration and customs officers the power to search anything which they reasonably believe has been or is about to be on a ship or aircraft for the purpose of determining whether there is a person they may wish to question for the purpose of determining whether they appear to be a person who is or has been concerned in the commission, preparation or instigation of acts of terrorism. Where an individual is questioned, items discovered in a subsequent search may be detained for examination for up to 7 days, and police officers are also entitled to copy anything which is searched and to retain that copy, subject to certain limitations. It is a criminal offence to seek to wilfully obstruct or seek to frustrate a search or examination. These broad powers permit officers to act in the absence of any reasonable suspicion of involvement in terrorist activity. The powers were controversially deployed against the spouse of a Guardian journalist who had been liaising with former NSA intelligence contractor and whistleblower Edward Snowden; the spouse was questioned and had encrypted storage devices detained.
In the absence of a court order, there is no obligation to disclose passwords, codes or encryption keys to UK officers, but should they be volunteered then devices and data are liable to be accessed. Regardless, technology is available which enables data to be extracted from even locked devices, and where device access is protected by a mere fingerprint, this can be obtained from a detained individual, which makes full disk encryption even more important.
The consequence of these laws is that when staff pass through UK ports, their devices, and the data stored on them or accessible through them, are put at risk.
The UK is not the only country with such powers, and many other countries may have even more draconian rules. The US has similar rules to the UK, although there is some debate as to whether a forensic search involving the digital imaging of a device requires reasonable suspicion. New Zealand has introduced powers requiring access to be granted to electronic devices, with failure to comply triggering a $5,000 fine and leaving the device liable to be seized, and Canada also has legal penalties for hindering or obstructing border guards. Even in the absence of criminal penalties, there is a risk of entry being denied. China’s state security police have been granted powers to inspect electronic devices and their content, provided two officers are present and upon presentation of their ID, even in the absence of grounds for suspicion. Only in the last year have Israeli border officers been forced by a court ruling to cease the practice of seizing and searching mobile devices at borders.
Consideration should also be given to the fact that some apps will be unlawful in foreign countries; Facebook, WhatsApp and Instagram are banned in China, for example.
Admittedly, these powers are generally not exercised with great frequency; US Customs and Border Protection states that in 2023 “less than 0.01 percent of arriving international travelers encountered by CBP at a port of entry had their electronic devices searched”, but that still amounted to 41,767 international travelers, and there is an increasing trend, so the risk is not illusory and may be more concerning for certain industries and professions.
What practical measures can be taken to safeguard devices and the data stored on or accessible via them when travelling overseas or through border controls?
Create and publicise bring your own device and travel policies;
Maintain an inventory of devices used for business purposes;
Implement device password and encryption protocols;
Install software that enables devices used for business purposes to be remotely locked and wiped;
Require staff to notify and seek permission to transfer data and/or devices outside the UK;
Only permit staff to take business data or devices overseas where necessary;
Consider whether data stored on a device should be deleted and only accessible in the cloud when passing through border control;
Ensure staff are briefed on their rights and responsibilities in the event of being stopped at border control;
Advise staff who may benefit from special privileges or legal protections in respect of business data, such as lawyers and journalists, to alert border control officers to that fact in the event that a device search is imminent;
Require staff to switch off devices used for business purposes when passing through border control, unless legally required to do otherwise;
Establish a 24/7 notification mechanism for staff to alert in the event of an issue at border control;
Have protocols in place in the event of an issue at border control, and consider whether wiping a device, removing access to data and/or updating passwords are necessary and lawful;
Require access to business networks to be obtained via VPN;
Educate staff as to the dangers of connecting to public or untrusted wifi hotspots and require and provide VPNs.