Research Data Management

< Back to Research Policies & Compliance

Many Harvard faculty, staff, scholars, and student members engage in research that involves the collection or use of identifiable, sensitive or private information. Federal law and Harvard policy provide specific guidance and requirements for protecting identifiable research information.

Click to jump to Federal Data Management Policies

Policy Contacts

Emre Keskin
University Research Data Officer

The Harvard Research Data Security Policy (HRDSP):
The basic principle of this Policy is that more exacting security measures must be followed as the risk posed by a research project increases. The HRDSP is designed to apply in conjunction with the Harvard Enterprise Information Security Policy (HEISP) and reflects consistent requirements for the protection of Harvard confidential and sensitive research data. For the full policy and approval processes please see the HRDSP section on this page.

Principal Investigator (PI) Responsibility:

Compliance with data protection and use requirements is the responsibility of the principal investigator. Each PI should review her/his data use agreements, grants and other contracts to see if any such requirements are included. Harvard personnel working under such an agreement, grant, or contract must, at a minimum, comply with those protection requirements, as well as any disposition obligations. In addition, it is the PI’s responsibility to ensure any necessary reviews occur, including Data Safety/Security Reviews, DUA Reviews, and Institutional Review Board Reviews, and other research-related reviews governed by the Negotiating and Signing Authority Policy.

The Research Administration Portal shows faculty and researchers their outstanding research administration and compliance activities, including reviews related to data management, and provides an overview of their portfolio. The application includes projects and protocols from Agreements-DUA, Data Safety/Security, ESTR, GMAS, and OAIR.

General Data Protection Regulation (GDPR) Research Guidance:

GDPR, effective as of May 25, 2018, is a far-reaching regulation applicable to organizations with European Economic Area (“EEA”) based operations and certain non-EEA organizations that process the Personal Data of individuals in the EEA. For purposes of GDPR, Personal Data refers to any information that relates to an identified or identifiable natural person (i.e., an individual, not a company or other legal entity), otherwise known as a “data subject.” OVPR developed the GDPR Research Guidance to support Harvard researchers in their engagement with Personal Data and European collaborators.

Other Sensitive Research:
Harvard researchers often deal with sensitive information that does not relate to human subjects. Examples can include proprietary information, data that is subject to confidentiality requirements, and information with national security implications. Most of these types of information will be categorized as Level 3 information under the categories described in the Information Security Guidance. However, information with national security implications, certain foreign and/or medical data, generally will be categorized as Level 4 information. Researchers must submit any such projects in the Research Safety Application for Security Review by a local information security reviewer.

Working with Vendors:
University policy requires that written contracts be in place with all vendors that store or process confidential information for the University. University policy also requires that such contracts include specific information regarding security protection requirements. See Section 6.1 of the HEISP for more information.

Additional Resources for Data Management:

Institutional Compliance Management Program

CMS DUAs Semi-Annual Reporting requirement

Effective immediately all schools with active CMS DUAs in a given fiscal year provide semi-annual reports on their CMS DUAs by the following August 31^st and every 6 months subsequently after the first report. This memo provides an overview of the new requirement and an outline of the information that must be submitted for DUAs active during the initial reporting period July 1, 2022, through June 30, 2023. The Office of the Vice Provost for Research (OVPR) will confirm the data to be included in each annual report no later than March 1^st of each year.

These semi-annual reports are critical to fostering transparency and accountability, enhancing data-based decision-making processes, and providing a comprehensive overview of CMS DUAs to ensure institutional compliance. As part of CMS’s implementation of their new Data Management Plan Self-Assessment Questionnaire (DMP-SAQ) requirements, CMS has been noticeably clear that an instance of non-compliance in one area of the University could result in sanctions on the entire University, and these reports will also play a crucial role in ensuring compliance with CMS’s new requirements.

Non-compliance with this new requirement may result in delays in approving requests for new CMS Data.

The annual report for July 1, 2022 – June 30, 2023, must include the following components (Please use attached template):

Contacts: Contact information for the main point-of-contact regarding the contents of the report as well as a list of other individuals, if any, who contributed to preparation of the report
Executive Summary: A concise summary highlighting:
- The number of CMS DUAs active during the reporting period,
- The number of Active CMS DUAs as of the end of the reporting period,
- The number of Active CMS DUAs for physical files,
- The number of Active CMS DUAs for VRDC access,
- The number of new CMS DUAs initiated during the reporting period,
- The number of CMS DUAs that were closed during the reporting period
  - For closed DUAs for physical files:
    - Was all data destroyed and certification of destruction provided to CMS?
      - If no, was data approved for re-use under another active DUA?
        
        If yes, please provide information on closed DUA and the active DUA re-using the data
        
        If no, please explain.
Details on Active CMS DUAs: A detailed breakdown of the existing Active CMS DUAs, including PI or PIs (their current affiliations), associated data safety review(s) and expiration date(s), location of CMS data (and consistency of data location with what is on the DUA), whether the IT infrastructure satisfies CMS requirements (and if not, what are the plans to achieve compliance – could be included as a spreadsheet attachment), and notes on any amendments to the DUAs that are in progress.

OVPR Review/Approval of Regulated Data Projects

The Office of the Vice Provost for Research (OVPR) aims to facilitate research projects that involve the generation, acquisition, storage, and use of regulated data (“Regulated Data Projects”) by implementing an Institutional Compliance Management Program (ICoMP) that fosters transparency and accountability, enhances data-based decision-making processes, and provides a comprehensive overview of regulated data projects to ensure institutional compliance. A critical component of the ICoMP is OVPR review and approval of Regulated Data Projects that pose management challenges and/or reputational risk as well as reasonable review and oversight of such projects by OVPR. This review and approval process is intended to ensure that the research team is prepared to meet the appropriate regulated data requirements and reduce risks for program participants, individual researchers, Schools, and Harvard as an institution. This document describes the criteria that determine whether a Regulated Data Project requires OVPR review and approval as well as outlines the process for requesting such a review.

Within OVPR, Regulated Data Projects may be reviewed by the University Research Data Officer or their designee.

Once a Regulated Data Project has received OVPR approval, any significant program expansions or changes should be submitted through this process, so that additional OVPR review may occur.

Centers for Medicare and Medicaid Services (CMS) DUAs: Effective August 1, 2023, new CMS DUAs or extensions of existing CMS DUAs will need to obtain approval from OVPR prior to submission of the signed DUA or extension request to CMS. As part of CMS’s implementation of their new Data Management Plan Self-Assessment Questionnaire (DMP-SAQ) requirements, CMS has been noticeably clear that an instance of non-compliance in one area of the University could result in sanctions on the entire University, and these approvals will also play a crucial role in ensuring compliance with CMS’s new requirements.

Non-compliance with this OVPR review/approval requirement may result in delays in approving requests from the involved School related to Regulated Data Projects.

DUA Procedure:

Within the Data Safety module, the PI/DUA Team assigns an ancillary review to the University Research Data Officer organization. Within the comments section of the ancillary review, include the following information, as appropriate:

Requestor listed on DUA (CMS DUAs only)
Data Custodian on record
Physical/VRDC (CMS DUAs only)
Data Location on university systems
Whether PI/PIs has had prior experience with the same type of regulated data
Whether there were any instance(s) of non-compliance by PI/PIs on any prior Regulated Data Project
Confirmation whether PI/PIs are current on required trainings
If extending a Regulated Data Project, please provide justification for extension.

Sponsored Proposals/Awards Procedure:

The Central Reviewer will edit the Required Signatures in GMAS and add the “Provost Signatory” role to the list, which alerts the University Research Data Officer (URDO) that there is a Regulated Data Project for OVPR Review. The URDO will add additional OVPR reviewers if necessary. Using the text box in the “GMAS Signature Required” email generation screen, Central Reviewer will specify a department contact, the sponsor deadline, and a brief statement indicating the particular element(s) of the proposal that has triggered the need for URDO review. The URDO will navigate to the GMAS Request Home Page from the email and perform the review and, if no concerns, will electronically sign indicating approval to the Submitting Office that they may move forward with the submission or execution of the award agreement. If there are additional considerations or restrictions placed on the project, they will be communicated to the department contact, PI, and Central Reviewer.

Data Ownership

What is essential: The University has the proper resources to secure and manage research data, as well as protect associated intellectual property rights, and therefore is the appropriate administrator of such data. Consequently, the rights, responsibilities, and principles that determine how research data should be handled ultimately belong to the University.

How to comply: The University developed the Research Data Ownership Policy to clarify rights related to research data, and help guide research and administrators through the relevant processes.

Why it’s important: Consistent with the University’s overarching goals of creation and dissemination of knowledge, it is important that research data be shared and distributed openly. That said, there may be legitimate and compelling reasons why data must be kept confidential; for instance, when its release would reveal proprietary ideas and techniques of researchers and their partners or when it includes personal information regarding individual research subjects. There are also circumstances when questions arise regarding the ownership of the data generated from research projects, with one party claiming full ownership and preventing its use by other collaborators. These disputes often result in complaints and lengthy investigations, or even litigation, with lasting negative effects on all participants. In the most deleterious cases, withholding of data has delayed students in completing their theses and receiving their degrees. The Research Data Ownership Policy provides an infrastructure aimed at preventing such outcomes, and instead emphasizes consistent and transparent handling of research materials.

Helpful Resources (Contact information and other links):
OVPR contact: Emre Keskin
Retention of Research Data and Materials Guidance

Trainings: Harvard Research Data Security Training Course (University-Wide)

Data Use Agreements (DUAs)

What is essential: A Data Use Agreement (“DUA”) is a binding contract governing access to and treatment of nonpublic data provided by one party (a “Provider”) to another party (a “Recipient”). DUAs are often required by external parties before they permit data to be received by Harvard and may also be necessary for Harvard data to be disclosed to another organization. DUAs are considered research-related agreements and must be reviewed and signed by the Office for Sponsored Programs or the Longwood Area Offices for Research Administration (HMS/ HSPH) in accordance with the Delegation of Signing Authority.

How to Comply: The DUA Guidance and Policy elaborate on reviews and processes associated with DUAS, and provide step-by-step instructions for researchers on the procedures for submitting and managing DUA requests in the Agreement System.

Why it’s important: DUA terms and conditions vary depending on the laws and regulations governing the specific type of data to be shared, as well as the policies and/or requirements of the Provider and Recipient. Formal agreements in these cases help to avoid misunderstandings and disputes over the use and storage of data, appropriate access and security measures, and other important matters, including publication rights and ownership of results.

Helpful Resources (Contact information and other links):

OVPR contact: Emre Keskin
For additional information and best practices on using the Agreements System, view the Agreements-DUA Submission Guide and visit the Research Data Management website.
Harvard T.H. Chan School of Public Health: Sponsored Programs Administration (SPA): dua@hsph.harvard.edu
Harvard Medical and Dental Schools: Office of Research Administration (ORA): SPAContracts@hms.harvard.edu
University Area, all other Harvard schools: Office for Sponsored Programs (OSP): dua@harvard.edu
Research Administration Portal reflecting outstanding research administration activities

Committee: Negotiations Policy Committee; Agreements System Workgroup

Trainings: Harvard Research Data Security Training Course (University-Wide)

Harvard Research Data Security (HRDSP)

What is essential: Harvard University’s Enterprise Information Security Policy effectively addresses the need to protect confidential and sensitive information that is maintained in the various spheres of University administration. The research setting poses particular information security risks and challenges, including regulatory and contractual constraints that require additional policy provisions and protective measures. The HRDSP and Associated Guidance focuses on proper management and stewardship of research data, inclusive of human subjects research, data exchanged pursuant to a data use agreement (DUA), and other data subject to foreign, federal or state regulations, sponsor requirements or intellectual property protections.

How to comply: To protect research data appropriately and effectively, the University’s researchers, Institutional Review Boards, Information Security Officers, Negotiating Offices and research administrators must understand and carry out their responsibilities related to data privacy and security. The HRDSP provides specific guidance for managing research data, and the relevant support systems, procedures and reviews that are associated with such data.

Why it’s important: The Harvard community creates and exchanges many types of data and materials while engaging in its research-driven mission to promote the free exchange of academic, scientific and other types of intellectual works. Federal, state and international laws and regulations, as well as University policies and best practices, impose obligations on the University, as well as its administrators and researchers, to protect the confidentiality, integrity and security of such data and information. The misuse of data could result in fines, and revocation of sponsored funds or access to data.

Helpful Resources (Contact information and other links):

OVPR contact: Emre Keskin

For additional guidance on the scope of relevant research data reviews see the HRDSP Applications Summary and Order of Reviews
Quick Guide for Researchers: 12 Essentials Every Researcher Should Know – Data Management
Research Data Security Examples
GDPR Data Categories Requiring Special Protection
Research Administration Portal reflecting outstanding research administration activities

Committee: Research Data Security Operations Committee, Data Safety Workgroup

Trainings: Harvard Research Data Security Training Course (University-Wide)

Research Records Retention

What is essential: At the direction of Provost Steve Hyman, a number of University stakeholders collaborated to outline a set of basic principles to guide the retention and maintenance of research records by Harvard faculty and staff. In June 2011, outgoing Provost Steve Hyman and incoming Provost Alan Garber adopted these Principles, expounding that Harvard researchers and staff should have systems or practices for maintaining the essential Research Records that they create in order to support research findings, justify the uses of research funds and resources, and protect any resulting intellectual property. In determining which records are essential, Harvard researchers and staff should use prudence and reasoned judgment and may seek to refer to the prevailing standards in their relevant academic or professional disciplines. In general, researchers and staff should keep those records that will document research findings and justify the uses of research funds and other resources.

How to comply: Stakeholders developed the Retention and Maintenance of Research Records and Data Frequently Asked Questions (“FAQs”), organized by Principle. The FAQs establish the minimum University requirements for research records and data retention.

Why it’s important: Systems and procedures for maintaining essential Research Records are necessary to protect researchers, students, trainees and the University by ensuring accountability in sponsored research projects and research integrity in all research conducted at, or under the auspices of, the University. Researchers have certain obligations to record, maintain and retain research records, and to make those records available for grant monitoring and auditing purposes, as well as to enable investigators and the institution to respond to questions of research integrity and stewardship. See, e.g., 2 CFR 200, 42 CFR 93.106(b). The University and its researchers are accountable for ensuring the integrity of, and access to, research data and materials and documents, materials and information that relate to the administration and financial management of research, reporting of research results, sponsored award applications, and human research records. This responsibility continues even after researchers who originally collected those data and materials have left the University.

Helpful Resources (Contact information and other links):

OVPR contact: Emre Keskin
Research Data Management Website
Research Integrity and Responsible Conduct of Research (RCR) guidance
Guiding Principles for Communication in Research Misconduct Proceedings

Committee: Each School must appoint a representative responsible for research records and data retention issues, consider discipline-specific issues and provide further guidance beyond these minimal requirements, consistent with best practices of the disciplines contained within that School. The Provost’s Office is charged with assuring that each School appoints such a representative and develops discipline-specific additional guidance for each School that will be consistent with the Principles and this guidance. Once a year, all School representatives, the Provost’s Office and the consultative group described above will meet to discuss outstanding issues and best practices that can be shared across all Schools.

Federal Data Management Policies

The University has developed resources to help support researchers and administrators as they navigate federal funding agencies’ data management plan requirements. Below are agency-specific materials, and references to the appropriate Harvard tools and offices.

If you have questions about specific sponsor requirements, please speak with your cognizant sponsored research office (OSP, HMS ORA, HSPH ORA). If you have questions about the sensitivity of your data, or appropriate resources, please speak with your local IT provisioner or information security officer.

National Institutes of Health (NIH)

Effective January 25, 2023, the NIH will implement an updated Data Management and Sharing Policy, which will require a data management and sharing plan (DMSP) for all NIH-funded projects involving the generation of Scientific Data.

The University has developed several Harvard-specific resources, and additional resources may be available for your specific school and/or unit:

Harvard NIH DMSP Budgeting and Application Instructions – Tip Sheet (09/21/2023): Guidance focused towards Principal Investigators and grant managers working together to complete an application, which includes the newly required DMSP
NIH DMS Policy Central Reviewer Tip Sheet: Guidance focused towards a Central Reviewer reviewing an application, JIT request, or award, which includes the newly required DMS Plan
Harvard Briefing Sheet for the 2023 Policy: An overview and history of the Policy, responsibilities and resources
Harvard FAQ for the 2023 Policy: Includes Harvard-focused answers based on current NIH guidance.
SEAS Research Data Management: Support and consultation on Data Management Plans
Longwood Research Data Management (RDM): Information and resources on NIH Data Management Plans
DMPTool: Web-based platform to assist with creating and sharing Data Management P The Tool provides step-by-step guidance for drafting DMPs, including NIH-specific templates and samples to address specific requirements.
Harvard Library Research Data Management Program: Connects members of the Harvard community to services and resources that span the research data lifecycle, to help ensure that Harvard’s multi-disciplinary research data is findable, accessible, interoperable, and reusable (FAIR)

National Science Foundation (NSF)

Since 2011, the National Science Foundation (NSF) has required data management plans (DMPs) for incoming grant applications. These DMPs are becoming an increasingly important part of NSF grant applications and are thoroughly reviewed.

The University has developed several Harvard-specific resources, and additional resources may be available for your specific school and/or unit:

SEAS Research Data Management: Support and consultation on Data Management Plans
Longwood Research Data Management (RDM): Information and resources on NSF Data Management Plans
DMPTool: Web-based platform to assist with creating and sharing Data Management P The Tool provides step-by-step guidance for drafting DMPs, including NSF-specific templates and samples to address specific requirements
Harvard Library Research Data Management Program: Connects members of the Harvard community to services and resources that span the research data lifecycle, to help ensure that Harvard’s multi-disciplinary research data is findable, accessible, interoperable, and reusable (FAIR)