Data Security Levels - Research Data Examples

• Published research data
• Data that is publicly available
• Non-restricted, publicly available data sets(e.g., Behavioral Risk Factor Surveillance System (BRFSS); NHIS: National Health Interview Survey) as long as the following criteria are met:
  1. Research will NOT involve merging any of the data sets in such a way that individuals might be identified
  2. Researcher will NOT enhance the public data set with identifiable, or potentially identifiable data

• Self-collected de-identified data, anonymized survey data or aggregate statistics 
• Self-collected, de-identified biospecimens or genomic data  
• Other research data that is identifiable but is not considered sensitive 
• Self-collected non-sensitive survey data, qualitative data such as interviews, or intervention outcome data 
• Usability data 
• Non-sensitive audio or video recordings   
• Non-sensitive observational notes

• Education records covered by FERPA
• Employment records, employee performance  data 
• Sensitive self-reported health history 
• Constellation of variables, when merged, becomes sensitive 
• Personal or family financial circumstances (record via surveys or interviews) 
• Data collection about controversial, stigmatized, embarrassing behaviors (e.g., infidelity, divorce, racist attitudes) 
• U.S. prisoner administrative data that would not cause criminal or civil liability 
• Information about U.S. criminal conduct that, if disclosed, could damage the subject’s reputation, relationships, or economic prospects¹
• Other information about U.S. criminal conduct that, if disclosed, would not place the subject at risk of significant criminal punishment (see DSL4)
• Non-US criminal data: PI should consult with Research Compliance or OGC for guidance
• Data sets shared with Harvard under contractual obligation (e.g. corporate NDA, DUA, other contracts at OVPR) at DSL3 controls or with general expectation of confidentiality or data ownership 
• GDPR data not reaching level of “extra sensitive” – this includes racial or ethnic origin, political opinions, religious, or philosophical beliefs, trade union membership, sex life or sexual orientation

1 This could include past crimes for which the subject has served time but that are not matters of public record or are not known to the subject’s family, employer, or local community.

• Government issued identifiers (e.g. Social Security Number, Passport number, driver’s license, travel visa, known traveler number)
• Individually identifiable financial account information (e.g. bank account, credit or debit card numbers)
• HIPAA-regulated PHI (including 18 identifiers)/ HIPAA-regulated Limited Data Set (even if Not Human Subject Research)²
• Information that, if disclosed, could place the subject at risk of significant criminal punishment (e.g., violent crimes, theft and robbery, homicide, sexual assault, drug trafficking, fraud and financial crimes)³
• Information that, if disclosed, could put the subject at risk of violent reprisals from the government or other social or political groups
• Identifiable U.S. prisoner data that could lead to additional criminal or civil liability
• Individually identifiable genetic information that is not DSL5
• Data sets shared with Harvard under contractual obligation at DSL4 controls (whether corporate NDA, DUA, other contracts at OVPR)
• GDPR “extra sensitive” data – biometric, genetic, or health information.

2 Harvard is a hybrid entity, meaning that only certain divisions (HUHS, HSDM Clinic) are HIPAA-covered entities. Each Harvard Investigator is required to comply with all applicable privacy and security policies of the HIPAA-covered entity in which that Investigator, as part of a research protocol, is handling PHI or from which the Investigator is drawing PHI. However, data that leaves the covered entity and is transferred to a non-HIPAA covered entity of Harvard is not considered to be HIPAA regulated data.

3 Investigators should consider the criminal laws applicable to the subject. For example, a subject’s abortion history could be Level 4 data if she resides in a jurisdiction that criminalizes abortion; and a subject’s political activism may expose the subject to prosecution in certain nations. Investigators should also take into account the likelihood of prosecution, considering, among other factors, how much time has passed, the severity of the conduct in question, and the nature and extent of punishment ordinarily imposed in the jurisdiction. Information about conduct that is punishable by civil or even criminal fines, but not imprisonment, often may not merit Level 4 classification.

• Data with implications for national security
• Certain individually identifiable medical records and genetic information categorized as extremely sensitive.
• Data that would put subject’s life at risk, if disclosed