Confidential Information Policy Summary

It is the responsibility of IQSS staff and affiliates to be aware of University rules governing the collection, storage, transport, use, and disposal of confidential information, and to follow these rules. Below is a brief summary of these policies, with links to the full details.

Types of Confidential Information

There are two types of confidential information currently recognized at the University:

    High Risk Confidential Information (HRCI)
        This is data containing a person’s name and state, federal, or financial identifiers.
        Or, research data containing private sensitive information about identifiable individuals.
    Harvard Confidential Information (HCI)
        Business information specifically designated by the School as confidential.
        Or, identifiable business information that puts individuals at risk if disclosed.
        Or, research data containing private information about identifiable individuals.
        Or, student records (such as collections of grades, correspondence).

Harvard and IQSS staff and affiliates are responsible for information that they store, access, or share. These responsibilities include:

    Encrypting all laptops, portable storage, and network connections used with confidential information.
    Protecting systems you use to access confidential information through the use of firewalls, virus scanners, and regular software updates.
    Using individual accounts, not sharing account information, and choosing strong passwords.
    Protecting Harvard information and systems, and complying with the specific policies and procedures for use of those systems.
    Attaching only approved devices to the Harvard network.
    Disposing safely of confidential information through the use of approved, secure file-deletion and disk-cleaning tools.
    Not sharing confidential information with people who are not approved to access it.

Approvals

All access to confidential information requires approval and a business or research need. In addition:

    Access to HRCI business information or HCI business information specifically designated by the School as confidential requires individual approval by the Director of Security for that school.
    Access to HRCI research information requires individual approval by the Principal Investigator of the research project managing such information. In addition, it is the responsibility of the Principal Investigator to delegate access in a manner consistent with an IRB-approved research plan.

More Information

For more information see the following resources:

    Harvard Information Security and Privacy web site:
    www.security.harvard.edu
    Harvard Enterprise Security Policy:
    www.security.harvard.edu/enterprise-security-policy
    Harvard policies on human subjects research:
    www.fas.harvard.edu/~research/hum_sub/
    Harvard personnel manual section on information privacy and confidentiality:
    harvie.harvard.edu/docroot/standalone/Policies_Contracts/Staff_Personnel_Manual/Section2/Privacy.shtml
    FAS information security policies and procedures:
    https://huit.harvard.edu/information-technology-policies

altmanconfidentialdata_sm.pdf (1.49 MB)