Indiana University

Use of Third-Party Web Analytics Services

  • Document
    Position Paper
  • Date
    12-June-2009
  • Source
    Office of the Vice President for Information Technology

Web site developers and owners need usage data on their web sites to evaluate site effectiveness, plan development, and make other strategic decisions. A number of analytical applications are available for this purpose, delivered both as traditional packaged software and as third-party "software-as-a-service" applications. Some providers charge for their software or service, while others offer free services (e.g., Google Analytics).

The purpose of this document is to identify some of the risks involved in using third-party analytics providers where the collected web site statistics reside on the provider’s servers rather than on servers hosted by the university.

Potential Exposures

Security and privacy exposures

Credentials and other information can be unintentionally exposed when carried by or passed through site URLs. While this is largely a coding/development issue, and important to eliminate even for internal web sites that keep their logs and statistics locally, it is vital to eliminate these issues if web site traffic statistics are to be maintained externally by a third party.

Privacy concerns

Sharing personally identifiable information with an external party over which one has no control with regard to the retention or secondary uses of that information carries risks.

  • Does the provider have a privacy notice detailing the collection and use of the information used to provide the analytics?
  • Is the notice clear?
  • Should the information be shared with an external party at all?

Site visitors cannot be adequately informed of privacy practices if those of an external provider do not exist or are unclear. This could result in a lack of compliance with privacy laws and/or with a university web site's own privacy notice.

Violation of university's privacy notice

For sites still using/following the draft IU Online Privacy Statement, use of a third-party analytics provider usually violates the "disclosure of information" section. Such sites would need to revise and post a new privacy notice.

Recommendations

  1. If at all possible, web site owners should use an analytics application residing on a university host. This provides the most assurance with regard to how information is handled.
  2. If a third-party provider of analytics must be used, then such a provider may be used, without a contract, ONLY for web sites that do NOT handle or collect personally identifiable or sensitive information.
  3. If a third-party provider of analytics must be used, and the web site handles personally identifiable or sensitive information, a contract must first be established with the provider through university purchasing that covers acceptable uses of the collected information.
  4. Any use of a third-party analytics provider must follow the provider’s and all other applicable terms of service documentation and be fully disclosed in the web site’s privacy notice.