Accessibility statement

Use of external IT services for learning and teaching

Guidance for staff

1. Introduction

External IT services, such as wikis, blogs, video and content sharing sites, and community and social networking sites (eg Twitter and Facebook), are commonly used by students and engagement with these tools now accounts for a major part of their online activity and daily routine, both for study and pleasure. Staff must consider the implications of using external IT services in support of teaching and learning activities. This guidance sheet is intended to help staff involved in teaching and learning activities to:

  1. understand what tools are currently available to use as University IT Services
  2. make an informed choice on whether to use external IT services for teaching and learning activities to meet your pedagogic goals;
  3. follow the correct procedure if you choose to do so, taking account of data protection, personal data, information retention and accessibility issues.

2. Getting the most from University IT Services

The University provides a range of tools that can be used to support teaching and learning activities. These include those within our Virtual Learning Environment (VLE) and related tools such as Panopto, Padlet, Xerte and Mentimeter, along with Google Workspace for Education services and Zoom.

2.1 Digital education tools

An overview of supported tools available at the University is provided through the following page which includes links to key guidance on each tool. You can search the tools by type of learning activity or by theme.

2.2 Finding the best tool

There are a lot of tools to choose from and you will need to consider which tool or combination of tools is best suited for the learning and teaching scenario that you have in mind. Where your scenario involves only registered University staff and students, the full range of supported tools will be available to you. However, it is worth remembering that many of the tools can also be used for collaboration and information sharing with users external to the University.  For further information please see the Tools for supporting teaching and learning page. 

To discuss the most appropriate tool for you, please contact a member of the Digital Education Team (email

3. Procedure for using externally hosted tools and services

If, after reviewing the range of University IT services which are centrally supported, you feel that there is a gap in the University's provision and a strong rationale for using an external IT service, then you need to consider the following questions:

3.1 Has the University negotiated a specific agreement with the service provider?

If it has, what are the terms and conditions for use? Do they cover your proposed learning and teaching use case? Do they meet the University's legal obligations?

These legal obligations relate to:

  • The General Data Protection Regulation (2016)
  • Data Protection Bill (2017-19)
  • Privacy and Electronic Communication Regulations (2003)
  • The Public Sector Bodies (Websites and Mobile Applications) Accessibility Regulations (2018)

In meeting these obligations we must ensure that students are not encouraged to sign up for a service that may breach UK data protection legislation, impinge on their rights, or require them to waive legal protections guaranteed by UK law. For example, a US service which is not certified under the Privacy Shield scheme, or a tool which processes personal data outside the EU without adequate contractual and technical safeguards being in place, with terms and conditions which claim ownership or indefinite retention of students' data, would not be appropriate to use.

It will be necessary to consider whose data is involved and the University's ability to provide for its fair processing, security, retention and access, as well as to put in place the appropriate contractual protections required by law through the inclusion of model contract clauses. If you are unsure about the terms of the agreement with the service provider that you propose to use, you must seek advice from the University’s Data Protection Officer (

If it has notyou will need to consider whether an agreement should be in place - specifically relating to the service provider's management and use of the data generated through your proposed learning and activity. Where a provider stores or processes personal data on our behalf, a written agreement must be in place which defines the Data Protection relationship and addresses international data transfer issues, with all required contractual clauses incorporated into the agreement. For further information on this, please see the University's guidance on GDPR and contract compliance.

Please note that if you wish to use an external IT service or tool, you must consult with the University's Data Protection Officer and with IT Services to ensure that the proposed service or tool meets the University's requirements for data management. You should also view the University's Outsourcing and Cloud Computing Policy.

You will also need to assure yourself that the external service or tool meets internationally-recognised web content accessibility standards. Do the digital resources involved meet the Web Content Accessibility Guidelines (WCAG) 2.1 AA standards ensuring that they are perceivable, operable, understandable and robust?  Does the service or tool provide an accessibility statement outlining its conformance with accessibility standards and approach to development with contact details?  Please see the University information on digital accessibility for further guidance.

3.2 Will students be expected to register with the external provider as a compulsory element of your course?

Is the use of a third-party tool or service from an external IT provider an essential requirement for your course, or could students use an alternative tool – ie one managed by University IT Services?

If you expect students to sign up to or use accounts of their own volition and at their own risk, then they must have a free and informed choice as to whether they submit personal information to a site or use their own account for a new purpose. It is important to distinguish personal and independent use of tools from institutionally sponsored use. If you require students to use an external IT service and consequently agree to a provider's terms as part of their course, it will be difficult to say that they have given ‘consent’ where they have no alternative and would otherwise have to drop out of the module. In these circumstances a centrally managed tool should be provided to those students not wishing to consent, offering them a genuine alternative solution.

You may wish to offer an optional (opt-in) learning and teaching activity for those students who are willing to use the third-party tool or service, but this would only be acceptable if this does not require students to reveal any personal details beyond an email address. In these circumstances, you should take care over branding and the entry route to the external service and ensure that there is clear signposting to the external service. For example, if you provide a link to the service from the VLE for example, your students should be clear that they are leaving a University of York service and are engaging with an independent service beyond the control of the University.

If it is essential for all students to use the third-party tool or service, you must ensure that students are not required to share any personal data with the external service provider. In these circumstances, a contract agreement will need to be made with the proposed IT service provider in accordance with the University's data requirements, before the tool can be used in a formal learning and teaching activity.

3.3 How will you ensure access to student data after the activity has been completed?

You should also consider how long you and the University will need access to the data generated from your learning activity after it has been completed, and whether the service provider will retain data for that term and how you will get access. Please note that student data in VLE modules are retained for a five-year term after the teaching and assessment cycle for that module has been completed and you should be thinking about a similar period for your activity to preserve an adequate record of the activities that have taken place in your module. This consideration also applies to supported tools used alongside the VLE such as Padlet and Google Workspace tools.  One approach might be to download and preserve a local copy of all key data for your activity, or to include a copy of this data within the VLE site content for the record.

Certainly you should consider any contingency arrangements if the tool or service that you are using changes its terms and conditions; eg imposes a charging model for its services, or ceases to be available for use. Students should be encouraged to take a regular back-up of their work, so that they have an up-to-date copy of their work, if access to the external IT service is no longer available to them.

3.4 Take Down policy

Finally, before signing up to an external IT service, you should consider whether you have sufficient control over the content posted by yourself and your students to the site. This should cover the range of permissions for your role to edit or delete inappropriate information on the site including postings that are defamatory to other users or those which breach copyright laws.

4. Further help

If you have questions about any of the information contained in this guidance, or you would prefer a personal consultation on your specific learning and teaching scenario, please get in touch with a member of the teams listed below:

Sources of help  

For guidance on data protection and agreements with service providers

Data Protection Officer


For guidance on centrally managed e-learning tools and advice on use of externally hosted tools

Digital Education Team


For guidance on Google Workspace

IT Services


5. Useful resources

University guidance and resources

External guidance

  • JISC Legal guides (can be filtered by key issue including data protection and accessibility)

Document history and status

May 2014 Created by E-Learning Development Team
June 2014 Approved by University Teaching Committee
May 2018 Updated by E-Learning Development Team
November 2021 Updated by the Programme Design and Learning Technology Team


Review cycle: Three yearly

Date of next review: May 2021