Where are my University Websites and Data being Hosted?

image of world and selected locations

Outsourcing Higher Education Website Hosting May Move Data Off-shore

In a recent article we asked if universities and colleges should be in the web hosting business? Our question was prompted by analysing data gathered from linking web server IP addresses to their registered owners.  Inspecting the exercise’s results showed that about 60% of institutions self-host their main website.

But, what about the 40% that outsource? Are there consequences of making that choice that we need to understand?

Yes. One in particular. The choice to outsource may raise data privacy issues depending on a jurisdiction’s specific laws and regulations about data storage, in general and personally identifiable information storage, in particular.

Data privacy may be an issue because higher education institutions located in one country are hosting websites on servers located in another. As the table below indicates, Australia’s 40 universities host their main websites on servers located in Australia, the UK and the US. We checked five other countries and their varied patterns of ‘off-shore’ arrangements are also set out in the table.

 

 
AU Flag

Australia

CA Flag

Canada

DE Flag

Germany

GB Flag

Great Britain

IE Flag

Ireland

NZ Flag

New Zealand

US Flag

United States

Column headings show countries in which web servers are hosted. Rows show the location of the higher education institutions.
Australia 28 0 0 8 0 0 4
Canada 0 140 0 0 1 0 32
United Kingdom 0 0 0 134 15 0 20
Ireland 0 0 0 0 20 0 2
New Zealand 0 0 0 0 0 7 1
United States 0 18 2 12 20 0 4,327
  Totals 28 158 2 154 56 7 4,385  

 

Only local legal advice can determine if these types of arrangement do or do not cause data privacy issues.

What about personally identifiable data?

We note that personally identifiable data can be held in content management systems to populate staff, faculty and department profiles and directories. And, most websites use forms to collect personally identifiable data for events, newsletters and similar purposes.  A previous article highlighted data collection concerns that may exist under the GDPR regime, regardless of where an institution operates.

And we only examined the location of the servers hosting the main domain websites. Many universities have large numbers of autonomous sites and microsites hosted under a myriad arrangements that may use servers in multiple jurisdictions: some chosen specifically on cost rather than quality, reliability or security factors.

Risk mitigation – make a list, check it twice

A prudent exercise would be to compile a list (like the one we used to prepare this article) of all the relevant web servers, which sites they host, the associated ‘business owners’ and the jurisdictions in which they operate.

The resulting data set would highlight potential issues and ensure that any subsequent website hosting policy decisions are data-informed.

Data as of March 2019