Information stored on a computer system or sent electronically over a network is the property of the individual who created it. Systems administrators, however, may gain access to users' data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules.

We train our systems administrators with care. We limit all system administration privileges, including the ability to access files, to those administrators who are required to perform maintenance and recovery of the systems for which they are responsible.

We abide by the Faculty of Arts and Sciences (FAS) policies on computer rules and responsibilities, and our users should read and follow these as well. These rules specify that individuals who are provided access to University computer facilities and to the campus-wide communication network assume responsibility for their appropriate use. The University expects individuals to be careful, honest, responsible, and civil in the use of computers and networks.

As system administrators, we also follow the SAGE (System Administrators Guild) expanded code of ethics. This requires system administrators to strive to:

    Treat everyone fairly.
    Maintain user privacy and confidentiality.
    Keep users informed about computing matters that may affect them.
    Ensure the integrity of the systems.
    Cooperate with computing professionals.
    Be honest about their competence.
    Continue to educate themselves.
    Enlarge their understanding of social and legal issues that arise in computing environments.
    Maintain safe, healthy and productive workplace for all users.
    Maintain a consistently high ethical standard and degree of professionalism in the performance of all duties.

We ask you to read and follow the the FAS policies on computer rules and responsibilities.

In addition:

    On shared systems, additional information on the use of the system may be intercepted, recorded, audited, inspected, and disclosed to authorized site and law enforcement personnel.
    If you obtain data from us, you may not redistribute it without written permission. If your affiliation lapses, you must destroy or return any data you obtained from us. You must also abide by any additional restrictions imposed by the data provider, as described by any licenses accompanying the data.
    If you obtain a login account from or through us, you may not share it with others.
    Users of public computer labs are expected to:
        Keep their area tidy in general, and to remove belongings when not logged in to the system.
        Log out when leaving the lab area for more than a few minutes, but not to reboot or shut down the systems when doing so.
        Refrain from food, beverages, and smoking.
        Leave the lab area locked if it was locked when you entered.
        Be quiet and considerate of others.
        Refrain from removing documentation or manuals from the lab.
        Yield to those doing higher priority work (required coursework is higher priority than general work which is higher priority than games and recreation).

Waiver: You recognize that systems and networks are imperfect, and waive any responsibility for lost work or time that might arise from their use. Our staff cannot compensate you for degradation or loss of personal data, software, or hardware as a result of your use of University-owned systems, software, or networks, or as a result of assistance you might seek from our staff.

By using HMDC facilities and services you consent to these policies.

It is the responsibility of IQSS staff and affiliates to be aware of University rules governing the collection, storage, transport, use, and disposal of confidential information, and to follow these rules. Below is a brief summary of these policies, with links to the full details.
Types of Confidential Information

There are two types of confidential information currently recognized at the University:

    High Risk Confidential Information (HRCI)
    This is data containing a person’s name and state, federal, or financial identifiers.
    Or, research data containing private sensitive information about identifiable individuals.
    Harvard Confidential Information (HCI)
    Business information specifically designated by the School as confidential.
    Or, identifiable business information that puts individuals at risk if disclosed.
    Or, research data containing private information about identifiable individuals.
    Or, student records (such as collections of grades, correspondence).

Harvard and IQSS staff and affiliates are responsible for information that they store, access, or share. These responsibilities include:

    Encrypting all laptops, portable storage, and network connections used with confidential information.
    Protecting systems you use to access confidential information through the use of firewalls, virus scanners, and regular software updates.
    Using individual accounts, not sharing account information, and choosing strong passwords.
    Protecting Harvard information and systems, and complying with specific the policies and procedures for use of those systems.
    Attaching only approved devices to the Harvard network.
    Disposing safely of confidential information through the use of approved, secure file-deletion and disk-cleaning tools
    Not sharing confidential information with people who are not approved to access it.

Approvals

All access to confidential information requires approval and a business or research need. In addition:

    Access to HRCI business information or HCI business information specifically designated by the School as confidential requires individual approval by the Director of Security for that school.
    Access to HRCI research information requires individual approval by the Principal Investigator of the research project managing such information. In addition, it is the responsibility of the Principal Investigator to delegate access in a manner consistent with an IRB-approved research plan.

More Information

For more information see the following resources:

    Harvard Information Security and Privacy web site:
    www.security.harvard.edu
    Harvard Enterprise Security Policy:
    www.security.harvard.edu/enterprise-security-policy
    Harvard policies on human subjects research:
    www.fas.harvard.edu/~research/hum_sub/
    Harvard personnel manual section on information privacy and confidentiality:
    harvie.harvard.edu/docroot/standalone/Policies_Contracts/Staff_Personnel_Manual/Section2/Privacy.shtml
    FAS information security policies and procedures:
    www.fas-it.fas.harvard.edu/services/catalog/browse/39

HMDC/IQSS IT support treats user data as private, but recognizes the need to access data or programs when necessary to maintain systems, consistent with the FAS Computer Rules and Responsibilities, section I, Privacy of Information[1]:

    "Information stored on a computer system or sent electronically over a network is the property of the individual who created it. Examination, collection, or dissemination of that information without authorization from the owner is a violation of the owner's rights to control his or her own property. Systems administrators, however, may gain access to users data or programs when it is necessary to maintain or prevent damage to systems or to ensure compliance with other University rules. "

Further, consistent with section II, HMDC/IQSS IT system activity is logged automatically:

    "Users understand that timesharing and network-based system activity is automatically logged on a continuous basis. These logs do not include private user text, mail contents, or personal data, but do include a record of user processes that may be examined by authorized system administrators."

and

    "The staff of FAS IT consider user accounts to be the private property of individuals who have opened them, and as a result will never ask users to reveal their passwords. However, users who request assistance from FAS IT give the staff implicit permission to view specific data in their accounts that is necessary to investigate, diagnose, or correct the problem."

Similarly, IQSS/HMDC users give HMDC/IQSS IT staff implicit permission to view specific data in their accounts that is necessary to investigate, diagnose or correct a current problem.

HMDC/IQSS IT staff will use minimally invasive means necessary to diagnose and correct reported problems. For example:

    HMDC/IQSS IT staff will never ask users for their passwords.
    HMDC/IQSS IT staff will not use user credentials to access non HMDC/IQSS accounts or files, unless specifically requested by the user in writing.
    HMDC/IQSS IT staff will use pattern matching tools (for example, grep) rather than viewing the content of files that potentially are personal or confidential, wherever feasible; and only when necessary to diagnose or correct reported problems.
    HMDC/IQSS IT staff will never view the content of files identified as HRCI unless authorized explicitly in writing by the FAS Director of Security, and/or IRB-authorized faculty.

[1] Available at http://www.fas-it.fas.harvard.edu/services/facultyStaff/policies/rules_a....

Harvard policy governs the publication and the use of identifiable information about students, staff, and faculty, and is defined at the following location:

    http://security.harvard.edu/enterprise-security-policy/

With regard to publication, Harvard policy, consistent with the Family Educational Rights and Privacy Act (FERPA) states the following:

    "Harvard maintains a lot of information about its faculty, staff and students. Much of this information is considered to be confidential either by Harvard policy or by government regulations. A subset of the information is considered to be directory information and is subject to public disclosure. This information includes name, email address, office location, phone number and some other information.

In some cases people have requested that they not be included in directories or that particular types of information about them not be included in online directories. FERPA gives students and former students the right to request that none of their information can be displayed. In addition, Harvard faculty and staff can, subject to school and department policies, request that they not be included in directories or that particular information about them not be included.

It is IQSS policy not to publish to the public or general Harvard community, either in print or online, information about identified faculty, staff, or students unless (1) such information is available publicly through the current Harvard online directory and the IQSS publication is updated regularly to maintain consistency with the Harvard online directory; or (2) permission is obtained from the individual to publish the information. When identifiable information is published, this information must be reviewed regularly to ensure that only information currently in the Harvard online directory is retained.

IQSS provides some services that are limited to Harvard staff, faculty, and students. To protect student and staff confidential information IQSS staff will:

    not request that clients reveal their Harvard University personal identification number (PIN)
    not transmit Harvard University ID (HUID) numbers unencrypted, except in the case where individuals supply their own HUID numbers only
    will identify individuals only on the following basis, in order of preference:
        client's use of the Harvard PIN service; or
        client's presentation of a valid Harvard ID card; or
        client's response to a message sent to their e-mail address as listed in the Harvard directory or other authorized source

Except where otherwise stated, HMDC-provided storage services are backed up by default. The schedule and retention policy varies depending on the aplication.

Generally, back ups are retained for 3 months.  The highest chance of success for recovering a file occurs if it exists on disk for 24 hours and HMDC is notified as soon as possible when corruption or deletion occurs.

Regardless of how old or new lost data is, always contact us and we will do our best to recover what we can.

For additional information regarding custom back up solutions or for assistance determining the backup schedule for different storage, please contact us.

The following discloses our information gathering and dissemination practices for this web site (support.hmdc.harvard.edu).

Information Gathering

Our web server software generates logfiles of the IP addresses of computers that access this web site and of what files they access. These web server logs are retained on a temporary basis and then deleted completely from our systems.

Use of Information

We use your IP address and files you access to help diagnose problems with our server and to administer our Web site by identifying (1) which parts of our site are most heavily used, and (2) which portion of our audience comes from within the Harvard network. We also use this information to tailor site content to user needs, and to generate aggregate statistical reports. At no time do we disclose site usage by individual IP addresses.

We do not link IP addresses to anything personally identifiable. This means that user sessions may be analyzed, but the users will remain anonymous.  We also do not use cookies.
Security

This site has security measures in place to protect the loss, misuse and alteration of the information under our control.

Contacting the Homepage

If you have any questions about this privacy statement, the practices of this site, or your dealings with this site, you can contact us by using our form: http://support.hmdc.harvard.edu/contact.

This web site may contain links to other web sites. We are not responsible for the privacy practices or the content of such web sites.

Changes to this Policy

An announcement of any changes to this policy will be posted prominently on the first page of our web site for three months before any changes go into effect.

Effective Date

The effective date of this policy was November 1, 2009.