Legal And Regulatory Data Requirements

Contract Riders

In cases where Harvard is outsourcing management or processing of confidential information to an external service provider, the University contracting agent is required to choose an external service provider capable of maintaining appropriate safeguards for covered data. All vendors having access to Harvard confidential information or performing functions such as credit card processing must agree to protect this information.

The confidentiality language in the OGC model consulting agreement can ordinarily be used for vendors who may access or process confidential information other than High Risk Confidential Information (HRCI) or other confidential personally identifiable data.

Contracts for service providers who will handle, maintain, process, or otherwise have access to HRCI or other confidential personally identifiable data must include the first contract rider below. 

Personal Data Protection Contract Rider (Login Required) 

The second rider is to be used when a vendor is dealing with credit cards on Harvard's behalf. 

Credit Card Data Protection Contract Rider (Login Required)        

FERPA - Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act of 1974, as amended ("FERPA") is a federal law that gives students certain rights with respect to their education records. 

Read more about FERPA from the Registrar’s Office at the Faculty of Arts and Sciences.


DMCA - Digital Millennium Copyright Act 

Harvard complies fully with the federal Digital Millennium Copyright Act of 1998 ("DMCA") and has in place the mandated process for receiving and tracking alleged incidents of copyright infringement.

Read more about DMCA at


GDPR - European Union General Data Protection Regulation

The General Data Protection Regulation (GDPR) requires security measures for processing data relating to an identified or identifiable individual located in the European Union, Iceland, Liechtenstein or Norway ("GDPR Processing"). Harvard units or programs must comply with the GDPR when conducting GDPR Processing.

Read more about GDPR at


PCI DSS - Payment Card Industry Data Security Standards

The Office of Treasury Management's Cash Management Office (CMO) is responsible for managing the University's banking relationships and its compliance with the Payment Card Industry Data Security Standards (PCI DSS) for credit card payments.

Read more about PCI Compliance at


CMR 201

Standards for the protection of personal information of residents of the Commonwealth of Massachusetts