Skip to main content Skip to navigation

Outsourcing and Third Party Access to University Information Assets


The University provides 'approved' IT facilities and services. These are defined as provided directly by University staff and facilities or those provided by a third party on behalf of the University and subject to a formal legal contract and/or service level agreement.

We acknowledge that staff and students are able to access unapproved IT facilities, mostly available via the Internet, provided by third parties with which the University does not have any formal agreement. Examples of this are the use of Google Docs, DropBox and Hotmail/Gmail. The University has issued specific guidance on the use and selection of Cloud services.

Users signing up to the terms and conditions of informal IT facilities do so at their own risk.

There are potential risks associated with using informal IT facilities including a lack of knowledge and control over:

  • Who may have access to user data
  • How user data is used
  • Where user data is stored
  • How securely user data is stored
  • How viable the facility will be in the long term
  • Whether user data will be recovered in the event of a disaster
  • How much support will be provided in the event of a problem

Non-approved IT services and facilities will not be used for Protected, Restricted or Reserved University information or for processing similar information on behalf of a third party.

Prior to seeking approval for a non-University approved IT facility or service for processing of Protected, Restricted or Reserved University information, a formal risk assessment will be undertaken by the Department to ensure that the processing will take place securely, that the relationship will not give rise to any further risks for the University (e.g. reputational, financial or legal risks) and that the impact of any disruption or problem caused by or affecting the third party is clearly understood. Please contact the Institutional Resilience Team via informationsecurity at warwick dot ac dot uk for help.

Third Party Access

The appropriate Information Custodian will be accountable for ensuring that risks are identified and managed where University information is to be accessed or handled by third parties. This is to protect the interests of the University and continue the safeguarding of University information in line with our legal obligations.

A named University staff member (or named members) will be accountable for managing the access provided to a third party and their activities on the network. The named University individual(s) will ensure that obligations around acceptable use and event record keeping are understood by the third party prior to access being granted.

IT Services can advise on the standard event logging requirement to comply with our obligations under the JANET Acceptable Use Policy.

Third party access (physical or logical) will be strictly controlled and must only allow access to information or systems necessary to carry out the agreed activities. This is to reduce the risk of disclosure or theft of University information, theft or damage to equipment (intentional or accidental) or misuse of information or facilities.

Temporary Guest access to University network will be approved and facilitated by IT Services (

Overall Framework Info

The minimum mandatory working practices in these pages are presented in boxed text to distinguish them from recommended practices.

Current document version: 1.3

Download full PDF(PDF Document)