It’s a fact of life for businesses that staff sometimes have to go on business trips. Your company policies cover who they can fly with, where they can sit on the plane and where they can stay; you’ve got travel fitness sorted, they have the necessary medical supplies and, on the off chance of something bad happening, they have emergency contact details aplenty. You’ve even prepped them that, if they ever find themselves in an awkward situation with someone demanding money from them, they should just hand over the money and get the hell out of there safely!
But have you considered what happens when they get off their flight, before they’ve even entered the country officially? The case of Nathan Hague, a British-Australian software developer who recently had his MacBook and Android phone seized by the Australian Border Force (ABF), seemingly at random, raises just one more issue you need to consider when sending staff on business trips.
Now, the ins and outs of the story aren’t up for debate here. Mr Hague has made certain claims regarding what happened and the ABF deny them; we’re not here to defend one side or the other. However, what is clear is that Mr Hague’s electronics were seized and were inspected without him being present, as was the ABF’s legal right. Here’s the legal bit: section 186 of the Commonwealth Customs Act 1901 gives customs officers such as the ABF the authority to inspect electronic devices and to read files on them. In fact, the Australian Government can seize and hold laptops and phones for up to 14 days if they suspect you may be a person of interest, and they’re hoping to bring in new laws that extend these powers to 30 days. And it’s not just Australia that can do this; many countries have similar laws allowing the seizure and inspection of electronics, under which files can be downloaded and social media accounts can be accessed.
Privacy advocates are having a field day with this and are suggesting ever more complicated ways of protecting personal data and keeping the authorities out of your private life. But have you considered how this might affect your business, particularly with respect to GDPR?
The chances of getting stopped and having your electronics and data seized are minimal, but they shouldn’t be ignored. So, what do you tell your staff to do if they are unfortunate enough to catch the eye of border security? Our money is on full cooperation with the authorities. Do what they ask, provide passwords as requested and give the authorities no reason to suspect that you are anything other than entirely innocent. Anything other than full cooperation could result in the electronics being permanently seized and your staff member being refused entry to the country – not a good result.
If your staff member has problems with the idea of their personal data being accessed, then they should remove all trace of it from their work-related electronics and leave their personal electronics at home when travelling for business. It really should be that simple. You, as an organisation, have nothing to hide from the authorities of the country you’re travelling to, so comply with their requests as fully as possible.
You could, however, be left in a slightly sticky situation with the authorities at home. If your staff member’s electronics have access to client information, complying with the requests of border security and potentially having them download information could constitute a data breach which may need to be reported to the ICO. The ICO isn’t a monster and we’d like to think that they would be understanding in their approach to a breach that happened under circumstances like these, but we can’t help but feel that they would be infinitely more ‘understanding’ if you had taken all reasonable steps to comply with GDPR requirements in the first place. After all, border security are just doing their jobs, trying to keep people safe. But those electronics could just as easily be lost or stolen on the business trip, or even on the way home from work one evening, and if you’re not taking reasonable care to protect data then you’re not complying with GDPR requirements.
So, here are a few questions to get you thinking…
Have I got my C.I.A. right?
Confidentiality, Integrity and Availability are fundamental to GDPR. Nobody really needs access to all client information all of the time, so structure access appropriately to minimise the consequences of a data breach.
Do I need to consider updating any HR, Travel or IT policies to:
- Give advice on what to do in the event of being stopped by border control
- Set requirements for what business travellers are expected to do:
  - Always shut down a laptop fully when on the move?
  - Always fully log out of applications and request a password to get back in (no auto-fill of passwords!)
  - People who don’t want to run the risk of having their personal data accessed when travelling for business should remove it entirely from business electronics
  - Log out of applications on your mobile when you’re finished with them
Do you have any idea what is lurking on C Drives? We’ve been struggling to get away from them for years, but people just won’t leave them alone!
And what about thumb drives/USB sticks? They’re just as likely to harbour uncontrolled information, but they’re way easier to lose!