Accessibility statement

Use of external IT services for learning and teaching

Guidance for staff

1. Introduction

External IT services, such as wikis, blogs, community and social networking sites (eg Facebook), are commonly used by students and engagement with these tools now accounts for a major part of their online activity and daily routine, both for study and pleasure. Staff must consider the implications of using external IT services in support of teaching and learning activities. This guidance sheet is intended to help staff involved in teaching and learning activities to:

  1. understand what tools are currently available to use as University IT Services
  2. make an informed choice on whether to use external IT services for teaching and learning activities to meet your pedagogic goals;
  3. follow the correct procedure if you choose to do so, taking account of data protection, personal data and information retention issues.

2. Getting the most from University IT Services

The University provides a range of tools that can be used to support teaching and learning activities. These include those within our Virtual Learning Environment (VLE) and Google Apps for Education services.

2.1 E-learning tools

The VLE, Yorkshare, includes quizzes, surveys and collaborative tools such as wikis, blogs and discussion forums. A summary of the supported tool-set is available in the E-Learning Development Team's brochure:

Case studies of tool usage are also provided on the Inspiration tab of the VLE support site:

2.2 Google Apps

IT Services also support Google Apps for Education, with Google Sites and Google Docs being particularly suited to reflective and collaborative learning and teaching tasks, and Google Plus for sharing information with people both within and outside the University.

For an overview of Google Apps, please review:

2.3 Finding the best tool

There are a lot of tools to choose from. Which tool is best suited for the learning and teaching scenario that you have in mind? Some of the scenarios in which IT services may be used to support learning and teaching are shown in the York TEL handbook (section 4.4).

To discuss the most appropriate tool for you, please contact a member of the E-Learning Development Team:

3. Procedure for using externally hosted tools and services

If, after reviewing the range of University IT services which are centrally supported, you still feel that there is a gap in the University's provision and a strong rationale for using an external IT service, then here's what you need to consider.

3.1 Has the University negotiated a specific agreement with the service provider?

If it has – what are the terms and conditions for use, do they cover your proposed learning and teaching use case, and do they meet the University's legal obligations?

These legal obligations relate to:

In meeting these obligations we must ensure that students are not encouraged to sign up for a service that may breach UK data protection legislation, impinge on their rights, or require them to waive legal protections guaranteed by UK law. For example, a US service which is not certified under the Privacy Shield scheme, or a tool which processes personal data outside the EU without adequate contractual and technical safeguards being in place, with terms and conditions which claim ownership or indefinite retention of students' data, would not be appropriate to use.

It will be necessary to consider whose data is involved and the University's ability to provide for its fair processing, security, retention and access, as well as to put in place the appropriate contractual protections required by law through the inclusion of model contract clauses. If you are unsure about the terms of the agreement with the service provider that you propose to use, you must seek advice from the University’s Data Protection Officer (

If it has not, you will need to consider whether an agreement should be in place - specifically relating to the service provider's management and use of the data generated through your proposed learning and activity. Where a provider stores or processes personal data on our behalf, a written agreement must be in place which defines the Data Protection relationship and addresses international data transfer issues, with all required contractual clauses incorporated into the agreement. For further information on this, please see the University's guidance on GDPR and contract compliance.
Please note that if you wish to use an external IT service or tool, you must consult with the University's Data Protection Officer and with IT Services to ensure that the proposed service or tool meets the University's requirements for data management. You should also view the University's Outsourcing and Cloud Computing Policy.

3.2 Will students be expected to register with the external provider as a compulsory element of your course?

Is the use of a third-party tool or service from an external IT provider an essential requirement for your course, or could students use an alternative tool – ie one managed by University IT Services?

If you expect students to sign up to or use accounts of their own volition and at their own risk, then they must have a free and informed choice as to whether they submit personal information to a site or use their own account for a new purpose. It is important to distinguish personal and independent use of tools from institutionally sponsored use. If you require students to use an external IT service and consequently agree to a provider's terms as part of their course, it will be difficult to say that they have given ‘consent’ where they have no alternative and would otherwise have to drop out of the module. In these circumstances a centrally managed tool should be provided to those students not wishing to consent, offering them a genuine alternative solution.

You may wish to offer an optional (opt-in) learning and teaching activity for those students who are willing to use the third-party tool or service, but this would only be acceptable if this does not require students to reveal any personal details beyond an email address. In these circumstances, you should take care over branding and the entry route to the external service and ensure that there is clear signposting to the external service. For example, if you provide a link to the service from the VLE for example, your students should be clear that they are leaving a University of York service and are engaging with an independent service beyond the control of the University.

If it is essential for all students to use the third-party tool or service, you must ensure that students are not required to share any personal data with the external service provider. In these circumstances, a contract agreement will need to be made with the proposed IT service provider in accordance with the University's data requirements, before the tool can be used in a formal learning and teaching activity.

3.3 How will you ensure access to student data after the activity has been completed?

You should also consider how long you and the University will need access to the data generated from your learning activity after it has been completed, and whether the service provider will retain data for that term and how you will get access. Please note that student data in VLE modules are retained for a five-year term (Archiving of VLE Teaching and Learning Material and Communications (MS Word , 26kb)) after the teaching and assessment cycle for that module has been completed and you should be thinking about a similar period for your activity to preserve an adequate record of the learning that has taken place in your module. One approach might be to download and preserve a local copy of all key data for your activity.

Certainly you should consider any contingency arrangements if the tool or service that you are using changes its terms and conditions; e.g. imposes a charging model for its services, or ceases to be available for use. Students should be encouraged to take a regular back-up of their work, so that they have an up-to-date copy of their work, if access to the external IT service is no longer available to them.

3.4 Take Down policy

Finally, before signing up to an external IT service, you should consider whether you have sufficient control over the content posted by yourself and your students to the site. This should cover the range of permissions for your role to edit or delete inappropriate information on the site including postings that are defamatory to other users or those which breach copyright laws.

4. Further help

If any of the information contained in this guidance resource is unclear, or you would prefer a personal consultation on your specific learning and teaching scenario, please get in touch with a member of the teams listed below:

Sources of help 

For guidance on data protection and agreements with service providers

Data Protection Officer


For guidance on centrally managed e-learning tools and advice on use of externally hosted tools

E-Learning Development Team


For guidance on Google Apps

IT Services


5. Useful resources

University guidance

External guidance

JISC Legal Web 2.0 Tutor’s Legal Issues Checklist: (pdf)

JISC Legal Consent Management:

ICO Social networking and online forums – when does the DPA apply?

ICO Online Safety:

University resources

E-learning brochure of centrally-supported tools: (pdf)

Document history and status

May 2014 Created by E-Learning Development Team
June 2014 Approved by University Teaching Committee
May 2018 Updated by E-Learning Development Team


Review cycle: Three yearly

Date of next review: May 2021