Research Data Security
Many Harvard faculty, staff, and student members engage in research that involves the collection or use of identifiable private information. Federal law and Harvard policy provide specific guidance for protecting identifiable research information. Additional information for researchers regarding technology and policy may be found on the Office of the Provost website.
Harvard Research Data Security Policy
The Harvard Research Data Security Policy (HRDSP) defines a 5-level categorization schedule for research information and defines the minimum protections required for each level. The HRDSP is designed to apply in conjunction with the Harvard Enterprise Information Security Policy (HEISP) and reflects consistent requirements for the protection of Harvard confidential and research information.
Harvard Research Data Security Policy Protection Memo; Harvard Research Data Security Level 2 Requirements; Harvard Research Data Security Level 3 Requirements; Harvard Research Data Security Level 4 Requirements; Harvard Research Data Security Level 5 Requirements; Researcher Attestation Form: Affirm Security Protections
Research Using Human Subjects
Harvard's Policy Concerning Research Using Human Subjects was adopted by the Corporation in 2003. Research using human subjects is legally defined to include research that involves obtaining either data through interaction/intervention with the individual or identifiable private information. Harvard policy and federal regulations require that researchers conducting Human Research submit their proposed research activities to their affiliated Institutional Review Board (IRB) prior to starting the research. In most cases, specific approval from an IRB is required before the research can begin. Some types of research are exempt from the approval requirement, but the review is still needed since the Harvard IRBs must make the determinations about exemptions. Harvard has three IRBs. One covers research at the School of Public Health, another covers research at the Medical and Dental Schools, and the third covers research in the Cambridge area of the University. If your research involves, or may involve, human subjects, you must confer with the appropriate Institutional Review Board to determine if IRB review is required.
Information Use Agreements; Grants and Other Contracts
Research information from non-Harvard sources is often accompanied by a data use agreement that states use limitations and/or protection requirements for the information. Harvard personnel working with such research information must, at a minimum, comply with the use limits and protection requirements in the use agreement. However, in every case, research conducted at Harvard must comply with Harvard policies as determined by an IRB, even if the use agreement calls for lesser levels of protection (or if there is no use agreement). Note that individual researchers do not have the authority to sign an information use agreement on behalf of the University. Only offices that have been specifically authorized may sign such agreements, even when the agreements do not include any transfers of funds. Authorized offices are the University Office for Sponsored Programs, the Medical Area Sponsored Programs Administration, the School of Public Health Sponsored Programs Administration, and the Office for Technology Development. The process to be followed for obtaining an authorized signature can be found here. Some grants and other contracts also include information protection requirements.
Principal Investigator (PI) Responsibility
Compliance with information protection and use requirements is the responsibility of the principal investigator. Each PI should review her/his information use agreements, grants and other contracts to see if any such requirements are included. Harvard personnel working under such an agreement, grant, or contract must, at a minimum, comply with those protection requirements. In addition, it is the PI's responsibility to discuss the protection requirements with the relevant School CIO or IT Director to ensure that the protection requirements can be met.
Other Sensitive Research
Harvard researchers often deal with sensitive information that does not relate to human subjects. Examples can include proprietary information subject to confidentiality requirements, and information with national security implications. Most of these types of information will be categorized as Level 3 information under the categories described in the HRDSP. However, information with national security implications generally will be categorized as Level 4 information. Researchers should consult with their School CIO or IT Director to determine the proper level for these types of information if they are not sure what category is appropriate.
Working with Vendors
University policy requires that written contracts be in place with all vendors that store or process confidential information for the University. University policy also requires that such contracts include specific information regarding security protection requirements. See Section 6.1 of the HEISP for more information.
Laptops and Portable Devices
The HEISP includes some policies specific to laptops and other portable computing devices. It is University policy that Level 4 and Level 5 information must never be stored on a laptop or other portable computing device. See Section 1.1 of the HEISP for more information. It is also University policy that all University-owned laptops be encrypted. See Section 2.8 of the HEISP for more information. Most School IT groups can also help encrypt non-University owned laptops that might be used to store confidential information. Traveling researchers should note that the use of encryption is illegal in some countries. Further information and precautions for traveling with a laptop may be found at "Advice for Travelers".
Freedom of Information Act
When a PI receives a request under the Freedom of Information Act (FOIA) for their research data gathered under a federally funded project, the PI should direct such a request to the Office of the General Counsel (5-1280) for adjudication.
The University will not accept research that carries security classification, requires security clearance of University personnel, or otherwise precludes general publication of results. Furthermore, in situations where the sponsor determines research being conducted at the University requires a security classification, the University shall have the absolute right to withdraw from conducting further research under the funded project.
Advice for Research Travelers
Researchers who collect information in the field should review the "Collecting Information in the Field" section at the bottom of the appropriate security level requirements document as well as the Advice to Travelers advisory.
Payment for Research Subjects
The University has recently updated the rules governing the processes that must be followed and the record keeping required when paying human subjects.