The University's researchers and administrators are responsible for properly managing and securing research data. This includes protection of data subjects and intellectual property rights, continued access to data for research purposes, and compliance with applicable laws, regulations and University policies. Each school has information security officers who can consult on and/or provide instruction on ensuring data security throughout the research lifecycle, including compliance with the Enterprise Information Security Policy.
These resources support researchers' use and management of data, especially sensitive and confidential or restricted data.
University Policies
Harvard Enterprise Information Security Policy (HEISP): This is the university-wide data governance and information security policy set and managed by HUIT Information Security. Everyone at Harvard has a responsibility for proper handling and protection of Harvard confidential information and Harvard systems as set out in the Policy Statements. These policies apply to the entire Harvard community including faculty, staff, and students, and third parties acting on your behalf (vendors and other service providers). Supplemental resources and guidance can be found here, including the university data classification table and Research Data Classification Examples.
Researchers typically receive information security consulting from their School Security Officer or the HUIT Information Security Education and Consulting team as part of their Data Safety or Agreements workflows, but they should familiarize themselves with university data classification and general policy before beginning either process. Consulting for those outside of these defined workflows is also available upon request.
Harvard Research Data Security Policy (HRDSP): The HRDSP, set and managed by the Office of the Vice Provost for Research (OVPR), is specific to research activities at the university, and refers to the HEISP for data governance. OVPR provides training and consultation on the HRDSP requirements and the applications (ESTR, Agreements, Data Safety) which support research compliance at Harvard.
Data Safety (HarvardKey required): This application supports the review, approval and management process for research data under the Harvard Research Data Security Policy (HRDSP). Researchers who are collecting, accessing or taking custody of research data from a third party should submit (and per the HRDSP may be required to submit) a request for security review via the Data Safety Application. The Application will automatically connect the submitter with their school's security reviewer.
Data Ownership Policy: As the owner of the Data Ownership Policy, OVPR provides training and consultation on the requirements and application. If you have one or more non-Harvard collaborators, it is likely that you will need a Collaboration Agreement to satisfy this policy.
Data Retention Policy: As the owner of the Data Retention Policy, OVPR provides training and consultation on the requirements and application.
Other Data Security Services
General Data Protection Regulation (GDPR) Research Implementation Coordinator: Available to consult on research projects involving subjects in the EEA, or activities that otherwise fall under the purview of GDPR. As part of the consultation, the GDPR Research Implementation Coordinator is available to provide more information on the GDPR and the Data Protection Impact Assessment explained below.
General Data Protection Regulation (GDPR) Data Protection Impact Assessment (DPIA): GDPR requires a DPIA for certain projects involving sensitive personal data (if there is a large population involved and/or a number of datapoints collected, monitoring, new technology, etc.). If a researcher or administrator believes their project may need a DPIA, they can contact the Office of the Vice Provost for Research (OVPR).
Export Controlled Data Review: If there is a concern that data may be exchanged with a sanctioned or otherwise restricted country, or export controlled materials are being exchanged, researchers should consult with their local export control officer.
Other Legal and Regulatory Data Requirements (FERPA, DMCA, PCI DSS, PII, CMR 201): https://security.harvard.edu/legal-and-regulatory-data-requirements