Confidential research data must be protected in a manner that complies with applicable law and regulation, agreements covering the acquisition and use of the data, and, as applicable, University policies, such as those pertaining to human subjects research. To protect research data appropriately and efficiently, the University’s researchers, Institutional Review Boards, and Information Security Officers must understand and carry out their responsibilities related to data security. The basic principle of this Policy is that more exacting security measures must be followed as the information risk posed by a research project increases. The principle is embodied in a set of security levels and accompanying sets of protective measures. While the measures pertain to computer and network security for digital data, this basic approach, in which security measures are calibrated to risk, should guide researchers’ plans for handling and storage of paper records, and IRBs’ review and approval of those plans.
This policy applies to all research data physically housed at Harvard, regardless of ownership. When Harvard researchers collect or store research data at other facilities, HUIT may, at the request of the researcher or the IRB or where Harvard has a regulatory obligation or interest, consult with the outside facility IT staff and, as appropriate, inspect the outside facility to assess whether security measures are concordant with this Policy.
Reason For Policy
The Harvard Enterprise Information Security Policy effectively addresses the need to protect confidential and sensitive information that is maintained in the various spheres of University administration. Nevertheless, the research setting poses particular information security risks and has regulatory and contractual constraints that require additional policy provisions and protective measures.
Research data include information that is collected or generated by researchers, information that is obtained from third parties pursuant to Data Use Agreements (DUAs) and third party information that is not subject to DUAs. This Policy covers research data that are confidential, by reason of regulation, policy, law, or contractual obligation.
Who Must Comply
This Policy applies to researchers and research team members who obtain or generate information that is confidential, in particular personally identifiable human subject information and information that is subject to Data Use Agreements (DUAs) containing confidentiality and information security provisions.
The Policy also applies to the Institutional Review Boards and Information Security Officers who are responsible for working with researchers and research team members to ensure that risks associated with human subjects research information within the scope of the Policy have been identified, assessed, and addressed.
The major responsibilities each party has in connection with this policy are as follows (also see Definitions section for further discussion of each party):
In the case of human subjects research, the following groups have specific responsibilities:
- Researchers are responsible for: disclosing to their cognizant IRB(s) the nature of the data they collect, so that the IRB(s) can assess the data security risk; preparing study data security plans and procedures in accordance with the appropriate security category requirements; and implementing and monitoring the data security plans and procedures over the course of their projects.
- The IRBs are responsible for ensuring the adequacy of Researchers’ provisions to maintain the confidentiality of data in human subject research. The IRB fulfills its responsibility by determining the appropriate security category for the data and by obtaining the assurance of the researcher that the requirements for the applicable security category will be followed.
The IRBs may seek the advice and recommendations of School Information Security Officers (IT) and HUIT Information Security in assessing the adequacy of provisions to maintain confidentiality of data and in approving a data security category level. The IRB may approve variances from the security requirements that would apply to a study given its security category, if the requirements would otherwise unduly hinder the conduct of the research and if alternate methods provide adequate protection of confidential information consistent with applicable legal requirements. Variances from Level 4 or 5 requirements must be made with the advice of IT or HUIT Information Security.
- IT and HUIT Information Security are responsible for assisting researchers, with implementation of the appropriate security requirements for their studies and for assisting IRBs, as necessary, with determination of the appropriate data security categories. Arrangements for Level 4 and Level 5 data require additional approval/consultation with HUIT.
- When researchers, laboratories, or departments wish to use a facility for more than one project involving confidential research data (e.g. level 3 or greater), IT and HUIT Information Security will be responsible for certifying that the facility is configured and operated in a manner that meets the requirements of the appropriate data security level(s), and maintaining a record of the certification that can be referred to for subsequent research projects. Level 3 facilities may be certified by IT. Level 4 and 5 facilities will be certified by HUIT
- The ultimate responsibility of researchers, IRBs, and IT and HUIT Information Security is to ensure that research data are assigned an appropriate category under the following standards, and that the stipulated measures for that category (see Related Documents below) are followed. Data security measures during the course of acquiring data, through online or in person surveys, field work, experiments and other methods, are not elaborated in the security requirement documents, because the circumstances vary so greatly from one project to another. Researchers are ultimately responsible for the security of confidential information as it is being acquired, and IRBs and IT and HUIT are responsible, respectively, for reviewing researchers’ plans and providing technical assistance. See the resource and procedure guide below in Related Documents.
- The Office of the Provost is responsible for implementation of this policy and will work with researchers, IRBs, and IT and HUIT as appropriate, to foster awareness and understanding of the policy. Contact us at RDSAP@harvard.edu for any questions on the HRDSP
The specific security requirements for research information in categories 2, 3, 4 and 5 are set out in Related Documents below.
Level 5 - Extremely sensitive information about individually identifiable people
Level 5 information includes individually identifiable information that could cause significant harm to an individual if exposed, including, but not limited to, serious risk of criminal liability, serious psychological harm or other significant injury, loss of insurability or employability, or significant social harm to an individual or group (e.g. studies on illegal drug use or other illegal activities).
Level 4 - Very sensitive information about individually identifiable people
Level 4 information includes individually identifiable High Risk Confidential Information (HRCI) as defined by the Harvard Enterprise Information Security Policy. This includes Social Security numbers as well as other individually identifiable financial information. (See http://www.security.harvard.edu/enterprise-security-policy/1-high-risk-info for a full list.) Medical records that are not categorized as extremely sensitive and other individually identifiable research information that, if disclosed, could reasonably be expected to present a non-minimal risk of civil liability, moderate psychological harm, or material social harm to individuals or groups should also be classified as Level 4 information. Medical records may also be subject to Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. Subject to specific government requirements in each case, sensitive national security information should usually be classified as Level 4 information.
Level 3 - Sensitive information about individually identifiable people
Level 3 information includes individually identifiable information that, if disclosed, could reasonably be expected to be damaging to a person's reputation or to cause embarrassment. Student record information protected by FERPA also generally falls under Level 3.
Level 2 - Benign information about individually identifiable people
Level 2 information includes individually identifiable information, disclosure of which would not ordinarily be expected to result in material harm, but as to which a subject has been promised confidentiality; or where Harvard has decided to protect the information. (e.g. surveys or interviews about best work place practices).
Level 1 - De-identified research information about people and other non-confidential research information
Research information in which all information that could be used, directly or indirectly, to identify an individual has been removed is referred to as "de-identified research information," described in federal IRB regulations as information “recorded by the investigator in such a manner that subjects cannot be identified, directly or through identifiers linked to the subjects.” The HIPAA Privacy Rule for protected health information (PHI) specifies eighteen categories of information that must be removed in order to de-identify PHI. There are no specific University requirements for the protection of de-identified research information or for other non-confidential research information, but researchers may want to protect such data for their own reasons, i.e., keeping data private until a paper about the data is published.
When a researcher seeks to obtain research data from a third party pursuant to a DUA, it is the responsibility of the researcher to consult the DUA policy <link> and follow its requirements in determining who is authorized to sign the DUA. If the DUA contains confidentiality or data security provisions, IT and HUIT Information Security are responsible for assisting the researcher in meeting the DUA’s data security requirements and any additional data security obligations. If the research data under the DUA relates to human subjects, then IRBs will work with the researcher to set a security level for the project, and IT and HUIT will assist the researcher in meeting the security level’s requirements and any other security requirements in the DUA.
- Harvard Enterprise Information Security Policy
- Data Use Agreement Policy
- Research Data Management and Retention Policy
This policy covers data security requirements for human subjects research and when DUAs contain confidentiality or data protection provisions.
Human Subjects Research
- When applying for IRB approval, the researcher will describe any personally identifiable information that will be collected from subjects, how the information will be collected, the number of subjects, promises or representations regarding confidentiality made to subjects in recruitment materials and consent forms, and measures to protect the confidentiality of information, such as maintaining a key code or physical security provisions for paper records.
- The IRB will consult with the researcher, obtain additional information as needed, assign a security level to the project, and provide the researcher with the Requirements document for the level (see Related Documents).
- After reviewing the Requirements document, the researcher will, if necessary, consult with IT or HUIT Information Security in order to implement the security level requirements.
- When the researcher has met physical, network, and system security requirements and put in place required operational procedures, the researcher shall so attest to the IRB, by submitting the Researcher Attestation Form or in another manner satisfactory to the IRB.
- Upon receipt of the attestation of the researcher, the IRB may complete its approval process. When a researcher requires proof of IRB approval before security requirements are satisfied, the IRB can approve subject to the condition that no human subjects data will be acquired until the researcher has met the security requirements and so attested to the IRB.
- In addition to the researcher’s attestation, the IRB may also request confirmation from IT or HUIT Information Security that security requirements have been satisfied, in order to complete its approval process.
Data Use Agreements (DUAs)
When a researcher wishes to obtain information from a third party and provision of the information is contingent upon execution of a DUA (an “incoming DUA”) the proposed DUA should be approved in advance by Sponsored Programs Administration Office, before it is signed, following the procedures set forth in the University Data Use Agreement Policy
A facility that has been approved by IT or HUIT Information Security for a research project that has been assigned Security Level 3, 4, or 5, may be certified by IT or HUIT Information Security for use on additional research projects having the same or lower Security Level. Individual research plans that are identified as having data exceeding the level of facility certification will need additional controls that are reviewed and approved by HUIT.
Certification of Level 4 and 5 facilities requires final review and approval by HUIT.
In order for a facility to be certified, the following steps must be carried out in addition to the initial Security Level approval by IT or HUIT Information Security:
- Designation of a facility manager who will:
- maintain a file of active projects storing data on the facility servers or computers,
- be responsible for carrying out operating procedures specified in the relevant Security Level protocol,
- ensure that researchers who store data at the facility are informed of their responsibilities, as set forth in the relevant Security Level protocol, and that the researchers acknowledge those responsibilities
- Notification by IT or HUIT Information Security of facility certification, to the researcher, the researcher’s department, and the IRB, of the date of facility certification and the period of certification, which should not exceed one year.
- Renewal: HUIT will notify the designated facility manager before the end of the period of certification. If the facility needs its certification renewed in order to support ongoing or anticipated future projects, HUIT and the facility manager will confer and establish a review plan for the renewal. Upon renewal, notification will be carried out as with original certification, see preceding paragraph.
Data Use Agreement: Any agreement between a data provider and a researcher who requests the data concerning the transfer, use, security, or disposal of the data, regardless of the title or form of the agreement.
Facility: Any computer or computer network and the office or laboratory in which it is situated, used for the processing and storage of research data.
Facility Certification: Approval of a facility for processing and storing research data of a specified security level, either level 3, 4, or 5, by HUIT or IT, so that approval does not have to be obtained on a protocol-by-protocol basis.
HUIT Information Security [HUIT]: The Harvard University Security Information Office
Human Subjects Research: As defined in the Common Rule, 45 CFR 46 §102 <link>: research that involves obtaining data about a living individual through intervention or interaction with the individual, or obtaining identifiable private information about the individual.
IRB: Institutional Review Board. Harvard’s human research protection program has three IRBs:
Harvard School of Public Health: Office of Regulatory Affairs and Research Compliance (ORARC)
Contact and location information for ORARC is as follows:
- Phone: 617-432-2157
- Fax: 617-432-2165
- Email: firstname.lastname@example.org
- Address: Harvard School of Public Health
Office of Human Research Administration
90 Smith Street
3rd Floor-Room 335
Boston, MA 02120
University Area: Committee on the Use of Human Subjects (CUHS)
Contact and location information for the Committee on the Use of Human Subjects is as follows:
- Phone: 617- 496-CUHS
- Fax: 617-496-7400
- Email: email@example.com
1414 Massachusetts Avenue, Second Floor
Cambridge, MA 02138
Faculty of Medicine: Committee on Human Studies (CHS)
Contact and location information for the Committee on Human Studies is as follows:
- Phone: 617-432-2157
- Fax: 617-432-2165
- Email: firstname.lastname@example.org
Harvard School of Public Health
Office of Human Research Administration
90 Smith Street
3rd Floor-Room 335
Boston, MA 02120
Researcher: Any faculty member, student, or other investigator who applies to an IRB for approval of a human subjects research project, or who seeks to obtain research data from a third party.
School Information Security Office [IT]: The designated Security Information Officer at a School, or the Chief Information Officer of the School.
Security Level: The assigned information risk designation to be determined by the IRB for human subjects research projects, in consultation with the researcher and IT or HUIT as appropriate. Security levels can be designated for confidential research data that does not involve human subjects, by IT or HUIT in consultation with the researcher and others as appropriate, including OGC and OTD.