Data Security Levels
DSL1 - Publicly available and unrestricted data
- Published research data
- Data that is publicly available
Non-restricted, publicly available data sets(e.g., Behavioral Risk Factor Surveillance System (BRFSS); NHIS: National Health Interview Survey) as long as the following criteria are met:
- Research will NOT involve merging any of the data sets in such a way that individuals might be identified
- Researcher will NOT enhance the public data set with identifiable, or potentially identifiable data
DSL2 - Unpublished non-sensitive research data, whether identifiable or not. Active research data at Harvard is at least DSL2 until published.
- De-identified data that has yet to be posted to an open-access repository
- Anonymous surveys (online or in-person w/o the collection of identifiers)
- Aggregate statistics
- De-identified biospecimens or genomic data
- Recipient receipt of coded data where the provider will not release the identifiers to the recipient
- Research data that is identifiable but is not considered sensitive
- Non-sensitive surveys, interviews, interventions
- Non-sensitive MTurk or SONA data
- Non-sensitive self-reported health history
- Anthropometric data, Biometric/physiological data (unless associated with sensitive data or diagnosis), MRI/EEG (unless associated with sensitive data or diagnosis)
- Usability data
- Non-sensitive audio or video data
- Private observations recorded with identifiers that are not capturing sensitive information (e.g., interviews in a church setting)
DSL3 - Sensitive Data: Some regulated data, or data that could be damaging to the subject’s financial standing, career or economic prospects, personal relationships, insurability, reputation, or be stigmatizing
- Education records covered by FERPA
- Employment records, employee performance data
- Sensitive self-reported health history
- Constellation of variables, when merged, becomes sensitive
- Personal or family financial circumstances (record via surveys or interviews)
- Data collection about controversial, stigmatized, embarrassing behaviors (e.g., infidelity, divorce, racist attitudes)
- U.S. prisoner administrative data that would not cause criminal or civil liability
- Information about U.S. criminal conduct that, if disclosed, could damage the subject’s reputation, relationships, or economic prospects1
- Other information about U.S. criminal conduct that, if disclosed, would not place the subject at risk of significant criminal punishment (see DSL4)
- Non-US criminal data: PI should consult with Research Compliance or OGC for guidance
- Data sets shared with Harvard under contractual obligation (e.g. corporate NDA, DUA, other contracts at OVPR) at DSL3 controls or with general expectation of confidentiality or data ownership
- GDPR data not reaching level of “extra sensitive” – this includes racial or ethnic origin, political opinions, religious, or philosophical beliefs, trade union membership, sex life or sexual orientation
1 This could include past crimes for which the subject has served time but that are not matters of public record or are not known to the subject’s family, employer, or local community.
DSL4 - Sensitive Data that could place the subject at risk of significant criminal or civil liability or data that require stronger security measures per regulation
- Government issued identifiers (e.g. Social Security Number, Passport number, driver’s license, travel visa, known traveler number)
- Individually identifiable financial account information (e.g. bank account, credit or debit card numbers)
- HIPAA-regulated PHI (including 18 identifiers)/ HIPAA-regulated Limited Data Set (even if Not Human Subject Research)2
- Information that, if disclosed, could place the subject at risk of significant criminal punishment (e.g., violent crimes, theft and robbery, homicide, sexual assault, drug trafficking, fraud and financial crimes)3
- Information that, if disclosed, could put the subject at risk of violent reprisals from the government or other social or political groups
- Identifiable U.S. prisoner data that could lead to additional criminal or civil liability
- Individually identifiable genetic information that is not DSL5
- Data sets shared with Harvard under contractual obligation at DSL4 controls (whether corporate NDA, DUA, other contracts at OVPR)
- GDPR “extra sensitive” data – biometric, genetic, or health information.
2 Harvard is a hybrid entity, meaning that only certain divisions (HUHS, HSDM Clinic) are HIPAA-covered entities. Each Harvard Investigator is required to comply with all applicable privacy and security policies of the HIPAA-covered entity in which that Investigator, as part of a research protocol, is handling PHI or from which the Investigator is drawing PHI. However, data that leaves the covered entity and is transferred to a non-HIPAA covered entity of Harvard is not considered to be HIPAA regulated data.
3 Investigators should consider the criminal laws applicable to the subject. For example, a subject’s abortion history could be Level 4 data if she resides in a jurisdiction that criminalizes abortion; and a subject’s political activism may expose the subject to prosecution in certain nations. Investigators should also take into account the likelihood of prosecution, considering, among other factors, how much time has passed, the severity of the conduct in question, and the nature and extent of punishment ordinarily imposed in the jurisdiction. Information about conduct that is punishable by civil or even criminal fines, but not imprisonment, often may not merit Level 4 classification.
DSL5 - Sensitive Data that could place the subject at severe risk of harm or data with contractual requirements for exceptional security measures
- Data with implications for national security
- Certain individually identifiable medical records and genetic information categorized as extremely sensitive.
- Data that would put subject’s life at risk, if disclosed
Using the Levels
Know the policy
Data management plans for all research data that contain elements from DSL 3, 4 or 5 are required to be submitted in the Data Safety Application for review with your School Security Officer. The full policy and additional resources are at the Harvard Research Data Security Policy website.
If you have questions or concerns about the policy, or if you know of data plans or protocols that are out of compliance with policy, please contact your IRB Coordinator, Faculty Advisor or a Research Compliance Officer.
Use good judgment
The lists above are only examples, not deﬁnitive classiﬁcations.