Harvard University’s Information Security Policy effectively addresses the need to protect confidential and sensitive information that is maintained in the various spheres of University administration. The research setting poses particular information security risks and challenges, including regulatory and contractual constraints that require additional policy provisions and protective measures. While following the Policy Statements of the Harvard Information Security Policy, this Policy provides specific guidance for managing research data.
Properly protecting research data is a fundamental obligation that is grounded in the values of stewardship, integrity, and commitments to the providers and sources of the data. This policy is particularly focused on the protection of research data that are confidential by reason of applicable law and regulation, agreements covering the acquisition and use of the data, intellectual property protections, and University policies.
To protect research data appropriately and effectively, the University’s researchers, Institutional Review Boards, Information Security Officers, Negotiating Offices and research administrators must understand and carry out their responsibilities related to data privacy and security. The Data Security Levels described in the Harvard Data Classification Table and the corresponding Requirements reflect the basic principle that more exacting security requirements must be implemented as the risk associated with the research data increases.
Scope of Policy
This Policy and the accompanying Guidance applies to all Research Data, as such term is defined in the Retention and Maintenance of Research Records and Data Frequently Asked Questions guidance, regardless of the storage medium (e.g., disk drive, electronic tape, cartridge, disk, CD, DVD, external drive, paper, fiche, etc.) and regardless of form (e.g., text, graphic, video, audio, etc.), physically housed at Harvard or stored remotely under the management of Harvard researchers. It applies to researchers and research team members who obtain, access or generate Research Data, in particular confidential or sensitive information, and information governed by a contract.
The Policy also applies to the research administrators and reviewing offices working with the Office of the Vice Provost for Research, in assisting researchers in identifying and assessing data confidentiality risks; and Information Security Reviewers working with researchers and research team members to ensure implementation of appropriate security controls for research information.
For additional guidance on the scope of relevant research data reviews see: HRDSP Applications Summary and Order of Reviews