Outsourcing Higher Education Website Hosting May Move Data Off-shore
In a recent article we asked if universities and colleges should be in the web hosting business? Our question was prompted by analysing data gathered from linking web server IP addresses to their registered owners. Inspecting the exercise’s results showed that about 60% of institutions self-host their main website.
But, what about the 40% that outsource? Are there consequences of making that choice that we need to understand?
Yes. One in particular. The choice to outsource may raise data privacy issues depending on a jurisdiction’s specific laws and regulations about data storage, in general and personally identifiable information storage, in particular.
Data privacy may be an issue because higher education institutions located in one country are hosting websites on servers located in another. As the table below indicates, Australia’s 40 universities host their main websites on servers located in Australia, the UK and the US. We checked five other countries and their varied patterns of ‘off-shore’ arrangements are also set out in the table.
Australia |
Canada |
Germany |
Ireland |
New Zealand |
United Kingdom |
United States |
|||
|---|---|---|---|---|---|---|---|---|---|
|
Australia | 28 | 0 | 0 | 0 | 0 | 8 | 4 | |
|
Canada | 0 | 140 | 0 | 1 | 0 | 0 | 32 | |
|
Ireland | 0 | 0 | 0 | 20 | 0 | 0 | 2 | |
|
New Zealand | 0 | 0 | 0 | 0 | 7 | 0 | 1 | |
|
United Kingdom | 0 | 0 | 0 | 15 | 0 | 134 | 20 | |
|
United States | 0 | 18 | 2 | 20 | 0 | 12 | 4,327 | |
| Totals | 28 | 158 | 2 | 56 | 7 | 154 | 4,386 |
Only local legal advice can determine if these types of arrangement do or do not cause data privacy issues.
What about personally identifiable data?
We note that personally identifiable data can be held in content management systems to populate staff, faculty and department profiles and directories. And, most websites use forms to collect personally identifiable data for events, newsletters and similar purposes. A previous article highlighted data collection concerns that may exist under the GDPR regime, regardless of where an institution operates.
And we only examined the location of the servers hosting the main domain websites. Many universities have large numbers of autonomous sites and microsites hosted under a myriad arrangements that may use servers in multiple jurisdictions: some chosen specifically on cost rather than quality, reliability or security factors.
Risk mitigation – make a list, check it twice
A prudent exercise would be to compile a list (like the one we used to prepare this article) of all the relevant web servers, which sites they host, the associated ‘business owners’ and the jurisdictions in which they operate.
The resulting data set would highlight potential issues and ensure that any subsequent website hosting policy decisions are data-informed.
