Where are my University Websites and Data being Hosted?

image of world and selected locations

Outsourcing Higher Education Website Hosting May Move Data Off-shore

In a recent article we asked if universities and colleges should be in the web hosting business? Our question was prompted by analysing data gathered from linking web server IP addresses to their registered owners.  Inspecting the exercise’s results showed that about 60% of institutions self-host their main website.

But, what about the 40% that outsource? Are there consequences of making that choice that we need to understand?

Yes. One in particular. The choice to outsource may raise data privacy issues depending on a jurisdiction’s specific laws and regulations about data storage, in general and personally identifiable information storage, in particular.

Data privacy may be an issue because higher education institutions located in one country are hosting websites on servers located in another. As the table below indicates, Australia’s 40 universities host their main websites on servers located in Australia, the UK and the US. We checked five other countries and their varied patterns of ‘off-shore’ arrangements are also set out in the table.


AU Flag


CA Flag


DE Flag


IE Flag


NZ Flag

New Zealand

GB Flag

United Kingdom

US Flag

United States

Column headings show countries in which web servers are hosted. Rows show the location of the higher education institutions.
Australia 28 0 0 0 0 8 4
Canada 0 140 0 1 0 0 32
Ireland 0 0 0 20 0 0 2
New Zealand 0 0 0 0 7 0 1
United Kingdom 0 0 0 15 0 134 20
United States 0 18 2 20 0 12 4,327
  Totals 28 158 2 56 7 154 4,386  


Only local legal advice can determine if these types of arrangement do or do not cause data privacy issues.

What about personally identifiable data?

We note that personally identifiable data can be held in content management systems to populate staff, faculty and department profiles and directories. And, most websites use forms to collect personally identifiable data for events, newsletters and similar purposes.  A previous article highlighted data collection concerns that may exist under the GDPR regime, regardless of where an institution operates.

And we only examined the location of the servers hosting the main domain websites. Many universities have large numbers of autonomous sites and microsites hosted under a myriad arrangements that may use servers in multiple jurisdictions: some chosen specifically on cost rather than quality, reliability or security factors.

Risk mitigation – make a list, check it twice

A prudent exercise would be to compile a list (like the one we used to prepare this article) of all the relevant web servers, which sites they host, the associated ‘business owners’ and the jurisdictions in which they operate.

The resulting data set would highlight potential issues and ensure that any subsequent website hosting policy decisions are data-informed.

Data as of March 2019



Sign Up for Email Delivery:

We collect the following solely to email you new research.

* indicates required

MailChimp stores your details. We do not share data with third parties.




Blog photo image: unsplash.com / pexels.com