This document discusses guidelines for using externally hosted web 2.0 services at the University of Edinburgh. It outlines legislative issues around data protection and freedom of information acts. It also covers university regulations regarding assessment, branding and computing. Key service concerns are identified such as security, confidentiality, data ownership and reliability. The document proposes establishing a risk management process including a risk register. It concludes that clear guidelines are needed as web 2.0 services develop, to help users understand risks without discouraging use, and to consider external access to internal university services.