Many Harvard faculty, staff and student members engage in research that involves the collection or use of identifiable private information. Federal law and Harvard policy provide specific guidance for protecting identifiable research information.
The Harvard Research Data Security Policy (HRDSP)
The basic principle of this Policy is that more exacting security measures must be followed as the risk posed by a research project increases. This Policy is designed to apply in conjunction with the Harvard Enterprise Information Security Policy (HEISP) and reflects consistent requirements for the protection of Harvard confidential and sensitive research data. For the full policy and approval processes please see the HRDSP page.
Research Data Management
The Research Data Management @ Harvard website provides important information and guidance on a variety of Harvard resources to help students, faculty, researchers, and administrators collect, share, analyze and protect research data. Whether data was created at Harvard, accessed from a repository, or provided by a collaborator, this new site is a useful source of tools and tips for effectively managing your data.
Principal Investigator (PI) Responsibility
Compliance with data protection and use requirements is the responsibility of the principal investigator. Each PI should review her/his data use agreements, grants and other contracts to see if any such requirements are included. Harvard personnel working under such an agreement, grant, or contract must, at a minimum, comply with those protection requirements. In addition, it is the PI's responsibility to ensure any necessary reviews occur, including Data Security Reviews, DUA Reviews, and Institutional Review Board Reviews.
Other Sensitive Research
Harvard researchers often deal with sensitive information that does not relate to human subjects. Examples can include proprietary information subject to confidentiality requirements, and information with national security implications. Most of these types of information will be categorized as Level 3 information under the categories described in the Information Security Guidance. However, information with national security implications generally will be categorized as Level 4 information. Researchers must submit any such projects in the Research Safety Application for Security Review by a local information security reviewer.
Working with Vendors
University policy requires that written contracts be in place with all vendors that store or process confidential information for the University. University policy also requires that such contracts include specific information regarding security protection requirements. See Section 6.1 of the HEISP for more information.
LAPTOPS AND PORTABLE DEVICES: The HEISP includes some policies specific to laptops and other portable computing devices. It is University policy that Level 4 and Level 5 information must never be stored on a laptop or other portable computing device. See Section 1.1 of the HEISP for more information. It is also University policy that all University-owned laptops be encrypted. See Section 2.8 of the HEISP for more information. Most School IT groups can also help encrypt non-University owned laptops that might be used to store confidential information. Traveling researchers should note that the use of encryption is illegal in some countries. Further information and precautions for traveling with a laptop may be found at "Advice for Travelers".