IF A FACULTY MEMBER WISHES TO USE WEB 2.0 AND/OR CLOUD-BASED TECHNOLOGIES TO ENHANCE A COURSE, WHAT STEPS CAN BE TAKEN TO REDUCE RISK AND ENSURE THE SECURITY OF STUDENT DATA?
Full reliance on a third party service that is not supported by the institution or division, nor through an contract relationship will involve a high level of risk and is not recommended as a primary learning environment, in particular for fully online courses. However, if faculty members wish to take advantage of the benefits of Web 2.0 or Cloud-based technologies as an adjunct activity to enhance a course they should comply with the following directives to reduce the risk in use of third party systems:
#1 Provide an alternative if a student does not wish to use an external environment hosted outside the institution.
If, as part of the course curriculum design, the instructor wishes to use an externally hosted Web 2.0 technology or access to cloud computing resources that cannot be replicated within the institutional framework, instructors should provide students with the choice to “opt out.” Students cannot be compelled to create accounts on non-university systems or with non-university services. Externally hosted Web 2.0 or cloud-based environments to be used by students as part of course activities must be explicitly listed in the course syllabus. Should students choose not to participate in such an external environment a viable alternative assignment or activity must be available to them.
#2 Don’t put any information classified as highly sensitive into a third-party service without entering into a contract with the vendor. 
Avoid inclusion of data that would be classified by the University of Toronto as “personal” or “confidential distribution” in third party systems. See Information Security Guidelines for details. If the pedagogical objectives of the course require the instructor or students to enter this type of information into the third-party system, the instructor should not use the system without working with the appropriate institutional office to contractually require the service to comply with necessary security and privacy requirements. Fortunately, in most cases conscientious planning of instructional activities will avoid the need to transmit any highly sensitive data..
#3: Don’t give away intellectual property owned by others.
As in all instructional situations, the instructor should be sure that use of copyrighted materials incorporated into content uploaded to third-party tools complies with copyright law. Additionally, the instructor should review the terms of service of the third-party tool; typically, the provider claims a license to copy, adapt, and share the content as needed to enable the user to access and use the service. If the license exceeds this limited scope, the instructor should ensure that the owner of the rights (potentially the institution, the instructor, or the student) agrees with these terms
If the rights are owned by the instructor(s) or students, they should be advised to review the terms of service to ensure that they understand and are comfortable with those terms, and they should be advised to consider placing copyright notices on their content.
 Adapted from Policy as an Enabler of Student Engagement Educause Review © 2010 Merri Beth Lavagnino https://er.educause.edu/articles/2010/10/policy-as-an-enabler-of-student-engagement