Working with Confidential Information

May I send Confidential Information in unencrypted email?

Level 1 and 2 information may be sent via email.

Level 3 information should not be directly emailed. Instead, store the information in a Harvard-contracted file storage service, limit the permissions to only intended recipients, and share the link via email. Public or so-called anonymous links should not be used. Examples of Harvard-contracted file storage services include g.Harvard apps and Office 365.

Level 4 information may be sent via Accellion. Before sending, please confirm that recipients understand and are ready to appropriately protect the data.

What are the rules for storing Confidential Information on my computer?

Level 2 or 3 Confidential Information must be protected on your computer. Disk encryption and file encryption are examples of suitable protection. Your personal device must be configured to restrict access to the person who uses the device. Smartphones and tablets must be configured to require a PIN or password for access, and must be set to automatically wipe their storage after 10 bad PIN or password guesses.

Reminder: Level 4 High Risk Confidential Information must never be stored on your computer or storage device.

Do I need permission to work with High Risk Confidential Information?

Yes. This information is considered high risk and is very carefully managed. Access to this information must be controlled and reviewed periodically. If you need to gather High Risk Confidential Information from sources within the University, from non-University sources, or from the individuals themselves, or to provide such information to a vendor, you must obtain permission to do so from the School or University CIO. HUIT Security or your school security officers will work with you to develop a plan to provide sufficient protection for the Level 4 data.