In cases where Harvard is outsourcing management or processing of confidential information to an external service provider, the University contracting agent is required to choose an external service provider capable of maintaining appropriate safeguards for covered data. All vendors having access to Harvard confidential information or performing functions such as credit card processing must agree to protect this information.
The confidentiality language in the OGC model consulting agreement can ordinarily be used for vendors who may access or process confidential information other than High Risk Confidential Information or other confidential personally identifiable data.
Contracts for service providers who will handle, maintain, process, or otherwise have access to HRCI or other confidential personally identifiable data must include the first contract rider below.
The second rider is to be used when a vendor is dealing with credit cards on Harvard's behalf.
FERPA - Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act of 1974, as amended ("FERPA"), is a federal law that gives students certain rights with respect to their education records.
DMCA - Digital Millennium Copyright Act
Harvard complies fully with the federal Digital Millennium Copyright Act of 1998 ("DMCA") and has in place the mandated process for receiving and tracking alleged incidents of copyright infringement.
GDPR - European Union General Data Protection Regulation
The General Data Protection Regulation (GDPR) requires security measures for processing data relating to an identified or identifiable individual located in the European Union, Iceland, Liechtenstein or Norway (GDPR Processing). Harvard units or programs must comply with the GDPR when conducting GDPR Processing.
PCI DSS - Payment Card Industry Data Security Standards
The Office of Treasury Management's Cash Management Office (CMO) is responsible for managing the University's banking and its credit card Payment Card Industry Data Security Standards (PCI DSS) obligations.
Read more about PCI Compliance at otm.finance.harvard.edu/pages/cash-management.
Standards for the protection of personal information of residents of the Commonwealth of Massachusetts
Read more at mass.gov.