Harvard Research Data Security Policy (HRDSP)

The protection, use, and categorization of research data at Harvard

The University recently announced the Harvard Research Data Security Policy. The office of the University Technology Security Officer (UTSO), working with the Vice Provost for Research, the Institutional Review Boards (IRBs), Risk Management and Audit Services, and the Office of the General Counsel, has established information security categories (see levels below) and accompanying measures to protect research information at the University. Implementation of this policy will be carried out by the IRBs and the information security officers of the individual researchers' Schools.

It is very important that all HKS researchers (faculty, staff, or fellows) familiarize themselves with the policy and its implications, at: http://security.harvard.edu/research-data-security-policy.

In addition to the standard requirements for IRB review and approval (or exemption determination) for research involving human subjects, research information (datasets) originating from non-Harvard sources is often accompanied by a data use agreement (DUA) that defines limitations and/or protection requirements for the information (e.g., from the Department of Education, the US Census Bureau, or private research institutes). Harvard personnel working with such data must, at a minimum, comply with the use limits and protection requirements in such agreements. If confidential information is subject to security requirements specified in a data use agreement, grant, or contract, those requirements must be met (e.g., a DUA may require that data be stored only on a standalone computer not connected to a network, and the original source media - CD, thumb drive, etc. – must be kept in a locked file cabinet in a secure office).

Note that individual researchers (faculty, staff, or fellows) do not have the authority to sign a data use agreement on behalf of the University. Only specifically authorized officers may sign such agreements, even when the agreements do not include any transfer of funds. For HKS, the authorized office is the University’s Office for Sponsored Programs (OSP). Contact Charlene_Arzigian@harvard.edu with any questions.

Harvard researchers may also work with sensitive information that may not meet the definition of “human subjects” research. Such data might include proprietary information subject to confidentiality requirements, or information with national security implications.
Researchers should consult with their research center or program, the HKS IT department (ty_smith@harvard.edu), and the HKS Research Administration Office (matthew_alper@harvard.edu) for assistance in determining the required review process, proper categorization, and associated data handling procedures in each case, or for any other questions related to this policy.

Level 5 - Extremely sensitive information about individually identifiable people
Level 4 - Very sensitive information about individually identifiable people
Level 3 - Sensitive information about individually identifiable people
Level 2 - Benign information about individually identifiable people
Level 1 - De-identified research information about people and other non-confidential research information

Print print | Email email