Many Harvard faculty, staff and student members engage in research that involves the collection or use of identifiable private information. Federal law and Harvard policy provide specific guidance for protecting identifiable research information.
The Harvard Research Data Security Policy (HRDSP)
The basic principle of this Policy is that more exacting security measures must be followed as the information risk posed by a research project increases. The HRDSP defines a 5-level categorization schedule for research information and defines the minimum protections required for each level.
This policy is designed to apply in conjunction with the Harvard Enterprise Information Security Policy (HEISP) and reflects consistent requirements for the protection of Harvard confidential and research information. A short description of the categories is given below. For the full policy and a description of the approval process, please see the HRDSP page.
Principal Investigator (PI) Responsibility
Compliance with information protection and use requirements is the responsibility of the principal investigator. Each PI should review her/his information use agreements, grants and other contracts to see if any such requirements are included. Harvard personnel working under such an agreement, grant, or contract must, at a minimum, comply with those protection requirements. In addition, it is the PI's responsibility to discuss the protection requirements with the relevant School CIO or IT Director to ensure that the protection requirements can be met.
Other Sensitive Research
Harvard researchers often deal with sensitive information that does not relate to human subjects. Examples can include proprietary information subject to confidentiality requirements, and information with national security implications. Most of these types of information will be categorized as Level 3 information under the categories described in the HRDSP. However, information with national security implications generally will be categorized as Level 4 information. Researchers should consult with their School CIO or IT Director to determine the proper level for these types of information if they are not sure what category is appropriate.
Working with Vendors
University policy requires that written contracts be in place with all vendors that store or process confidential information for the University. University policy also requires that such contracts include specific information regarding security protection requirements. See Section 6.1 of the HEISP for more information.
Laptops and Portable Devices
The HEISP includes some policies specific to laptops and other portable computing devices. It is University policy that Level 4 and Level 5 information must never be stored on a laptop or other portable computing device. See Section 1.1 of the HEISP for more information. It is also University policy that all University-owned laptops be encrypted. See Section 2.8 of the HEISP for more information. Most School IT groups can also help encrypt non-University-owned laptops that might be used to store confidential information. Traveling researchers should note that the use of encryption is illegal in some countries. Further information and precautions for traveling with a laptop may be found at "Advice for Travelers".