Where are my University Websites and Data being Hosted?

image of world and selected locations

Outsourced may mean off-shore

In a recent post we asked if universities and colleges should be in the web hosting business? Our question was prompted by data gathered from linking web server IP addresses to their registered owners.  Inspecting the exercise’s results showed that about 60% of institutions self-host their main website.

But, what about the 40% that outsource? Are there consequences of making that choice that we need to understand?

Yes, one in particular. The choice to outsource may raise data privacy issues depending on a jurisdiction’s specific data storage laws and regulations.

Data privacy may be an issue because institutions in one country are hosting websites on servers located in another. As the table below indicates, Australia’s 40 universities host their main websites on servers located in Australia, the UK and the US. We checked five other countries and their varied patterns of ‘off-shore’ arranges are also set out in the table.

Column headings show countries in which web servers are hosted. Rows show the location of the higher education institutions.
Web Hosting Server Locations
University Locations
AU Flag

Australia

CA Flag

Canada

DE Flag

Germany

GB Flag

Great Britain

IE Flag

Ireland

NZ Flag

New Zealand

US Flag

United States

Australia 28 0 0 8 0 0 4
Canada 0 140 0 0 1 0 32
United Kingdom 0 0 0 134 15 0 20
Ireland 0 0 0 0 20 0 2
New Zealand 0 0 0 0 0 7 1
United States 0 18 2 12 20 0 4,327
Totals 28 158 2 154 56 7 4,385

Only local legal advice can determine if these types of arrangement do or do not cause data privacy issues.

What about personally identifiable data?

We note that personally identifiable data can be held in content management systems to populate staff, faculty and department profiles and directories. And, most websites use forms to collect personally identifiable data for events, newsletters and similar purposes.  A previous article highlighted data collection concerns that may exist under the GDPR regime, regardless of where an institution operates.

And we only examined the location of the servers hosting the main domain websites. Many universities have large numbers of autonomous sites and microsites hosted under a myriad arrangements that may use servers in multiple jurisdictions: some chosen specifically on cost rather than quality, reliability or security factors.

Risk mitigation – make a list, check it twice

A prudent exercise would be to compile a list (like the one we used to prepare this article) of all the relevant web servers, which sites they host, the associated ‘business owners’ and the jurisdictions in which they operate.

The resulting data set would highlight potential issues and ensure that any subsequent website hosting policy decisions are data-informed.