The Data Lifecycle

The best time to secure information in your project is before you even collect it. Use this guide to think through how your project will handle data at each stage, from creation to deletion.

Plan

This is where you are now. As you scope your project, here are things to consider.

  • Define a Data Owner: Who is ultimately responsible for the stewardship of this data? If it isn’t you, make sure they are involved in the planning stage of this project.
  • Classify the Data: What is the security level of the data you will be handling? Is it personal information? This will determine the types of security controls you’ll need to have in place. Refer to Harvard’s Data Classification Table.
  • Minimize the Data: Think about the objectives of your project. Only collect the data you need to meet those objectives. Data you never collect is easier to manage and cannot be exposed in a security incident, so minimization reduces both your workload and your risk.

Create/Collect

This is the first stage where you begin receiving or creating data.

  • Encrypt data in transit: Make sure the data comes to you via VPN, encrypted email, or a website with TLS encryption (an https:// address, usually indicated by a lock icon by the URL). Note that the lock only tells you the connection is encrypted; it does not tell you the site or the sender is who you expect, so confirm the address or the sending party separately.
  • Review data use agreements: When receiving data from another institution, you will often need to follow the terms of a Data Use Agreement. Review and confirm you can meet those requirements before receiving this data.
  • Transparency, choice, and control: When collecting personal information, be sure to inform the person providing the information of how it will be used. When possible, give them options to limit what they disclose.

Store

You begin storing data immediately upon receiving it. Even if this isn’t the data’s ultimate destination, make sure it is secured at this stage.

  • Encrypt at rest: Data should be stored on a device with full-disk encryption enabled or in an approved cloud storage service that encrypts data at rest.
  • Store in an approved location: Any device or service that stores information must be configured for the highest security level present in the data. Many services and devices are provided by Harvard for this purpose. Our Information Security Policy outlines the required controls for other services or devices you may need.
  • Make a backup: Data should be backed up to a secure location, either an encrypted flash drive or an approved cloud storage location. Backups contain the same data as the original, so they must meet the same security level.
  • Delete any unnecessary copies of data: When receiving data, working copies are often generated to prepare it for import into another system. Make sure they are deleted after use.
  • Remove unnecessary personal identifiers: De-identification is the process of removing personal identifiers from your working data set. Where an identifier cannot be dropped entirely (for example, because you need to link records from the same person across several imports), replace it with a code and keep the key file that maps codes back to identities separately from the working data, under the controls required for the original identifiers. This limits what is exposed if the working data set is involved in a security incident.
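The following is an added example of the de-identification step described above; it is not code from the original page or from Harvard. It assumes a hypothetical CSV of study records (constructed here inline) with the direct identifiers in columns named `name` and `email`, and it uses a keyed HMAC rather than a plain hash so that the codes cannot be recomputed from a list of guessed email addresses without the key. The key file and the linkage table it produces are the "key file" of the bullet above and must be stored separately from the working data.

```python
import csv
import hashlib
import hmac
import io
import os
import secrets

# Constructed sample records for this example (not real people or real data).
# The same person appears twice with differently-cased email addresses.
RAW_CSV = """name,email,dob,visits
Ada Lovelace,ada@example.edu,1985-12-10,3
Alan Turing,ALAN@Example.edu,1992-06-23,1
Ada Lovelace,Ada@example.edu,1985-12-10,2
"""

# Hypothetical column names that hold direct identifiers.
DIRECT_IDENTIFIERS = ("name", "email")


def write_key_file(path: str) -> bytes:
    """Generate a random 256-bit key and store it readable only by the owner."""
    key = secrets.token_bytes(32)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)
    return key


def read_key_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def load_records(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def pseudonym(key: bytes, email: str) -> str:
    """Deterministic code for one person: HMAC-SHA256 over the normalized email.

    Normalizing first means 'Ada@example.edu' and 'ada@example.edu' map to the
    same code. Keying the hash means someone holding only the working data set
    cannot rebuild the codes by hashing a list of known addresses.
    """
    normalized = email.strip().lower()
    return hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(records: list, key: bytes):
    """Return (working_records, linkage).

    working_records: copies of the input with direct identifiers removed,
        a subject_id code added, and the date of birth reduced to a year.
    linkage: code -> original identifiers; keep this with the key file,
        separate from the working records.
    """
    working = []
    linkage = {}
    for rec in records:
        code = pseudonym(key, rec["email"])
        linkage.setdefault(code, {k: rec[k] for k in DIRECT_IDENTIFIERS})
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["subject_id"] = code
        # Generalize an indirect identifier: full birth date -> birth year.
        out["birth_year"] = out.pop("dob")[:4]
        working.append(out)
    return working, linkage


if __name__ == "__main__":
    # For a real project the key would come from read_key_file(path) on a
    # location approved for the original data's classification.
    demo_key = secrets.token_bytes(32)
    work, link = deidentify(load_records(RAW_CSV), demo_key)
    for row in work:
        print(row)
    print("linkage entries:", len(link))
```

The working records can now be handed to analysis tools that are approved for a lower classification than the original identifiers, while re-identification requires both the linkage table and the key. Note that generalizing or dropping quasi-identifiers (birth date, ZIP code, rare attributes) is as important as removing names; a data set with birth date and ZIP code intact may still identify most individuals even with names removed.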

Use

This is the stage where your project work happens.

  • Choose or create a platform that has sufficient security controls: Sensitive and personal information must be protected wherever it is used. Confirm that the tool, platform, or service you are using is approved at the appropriate security level for the data. If you are building your own system, follow the relevant policy and architecture standards.
  • Use data only for stated purposes: Data collected for a specific purpose should only be used for that purpose. If a new purpose arises, confirm the change with the individuals or organization who provided the information.

Share

Most projects will involve more than one collaborator or audience. This is the stage where people are given access to the data.

  • Require authentication to access: Group accounts or public links should not be used to share access to information. Access should be granted to named individuals with their own accounts and authentication.
  • Limit access to those with a business need: Systems storing sensitive or personal information should be designed to limit sharing to named individuals with a business or project need to access the data. Grant each person only the level of access their role requires (e.g., don’t make everyone a full administrator).
  • Revoke access when appropriate: When a person’s need for access has ended, suspend or delete their account.

Archive/Destroy

The final stage of the project determines what will happen with the data when the project has completed.

  • Follow the General Records Schedule: Harvard’s General Records Schedule outlines how long data should be stored, when it should be deleted, and what data should be transferred to the Harvard Archives.
  • Retain the data no longer than necessary: For information outside the scope of the General Records Schedule, delete data from systems where it is no longer in use, including backups and working copies. Refer to your data use agreement or the disclosure made at collection to confirm you are complying with any data retention terms.