Shield Data
Data handling involves activities such as collection, storage, processing, and disposal. For students, faculty, and staff, it is important to ensure the confidentiality, integrity, and availability of university data when it is in your control. When executed properly, secure data handling protects Confidential Information from unauthorized access or exposure. The actions required may vary depending on the classification.
- For additional guidance on the management, retention, and disposition of university records, reference the General Records Schedule (GRS).
- Contractual or legal requirements may override these standards.
  - Contracts with Funding Agencies: A research grant contract might require you to store data for a specific number of years or to use a particular secure platform for storage.
  - Vendor or Cloud Agreements: A software vendor contract may specify that only certain systems or regions can be used to store or process University data.
  - Legal Holds: If data is subject to a legal hold due to litigation or investigation, you may not be permitted to delete it, even if it otherwise requires deletion.
  - International Data Laws: Laws like the European Union’s GDPR or other international regulations may restrict transferring personal data outside the region.
  - HIPAA, FERPA, or Other U.S. Regulations: Health, student, or financial data are subject to strict federal regulations that can impose requirements stricter than University baseline policies.
- Consent may be required for collecting or processing personal data.
  - Research Studies: Collecting personally identifiable survey responses or biological samples from study participants typically requires written or electronic consent.
  - Mailing Lists or Newsletters: Gathering email addresses for newsletters or event invitations generally requires that individuals opt in and consent to the use of their data.
  - Photography or Media Collection: Taking and using photos or video of individuals may require their explicit consent, especially if they will be published or shared.
  - Sensitive Data Collection Forms: Collecting demographic, health, or financial information on a form or survey usually requires informing individuals and sometimes obtaining their permission.
University Data Handling Standards
- Classify data using the University Risk Classification schema to determine required handling procedures.
- Level 1 (Public): Covers information that can be freely shared and does not require special protection, so it’s not included here.
- Level 5 (Federal Requirements): Reserved for exceptional cases. If you think your data meets Level 5, contact your School Privacy & Security Officer for guidance.
Physical Records Standard
| Activity | What to do | Level 2–3 | Level 4 |
|---|---|---|---|
| Sharing | Limit access to those with a business need. Do not display confidential data publicly. | ✔️ | ✔️ |
| Physical Access | Secure confidential info in locked areas. Do not leave confidential documents unattended. | ✔️ | ✔️ |
| Faxing | Use approved secure fax services. Limit print access to authorized personnel. | ✔️ | ✔️ |
| Printing | Use University managed print services. For off campus printing, use services that encrypt print job data and require authentication before releasing a document. | ✔️ | ✔️* |
| Disposal | Destroy paper records with cross-cut shredders or dispose in locked office bins. | ✔️ | ✔️ |
| Logging | Log access to facilities and records. Review logs regularly. | ❌ | ✔️ |
| Transferring | Use secure, traceable transfer methods (e.g., courier services). Confirm and retain receipt. | ❌ | ✔️ |
| Certificates | Obtain a Certificate of Destruction and retain if required to meet contractual obligations. | ❌ | ✔️ |

*CrimsonPrint is approved for Level 4 data.
Digital Records Standard
| Activity | What to do | Level 2–3 | Level 4 |
|---|---|---|---|
| Collection/Creation | Limit data collection/creation to what is needed for work, research, law, or contract. | ✔️ | ✔️ |
| Sharing | Limit access to individuals/groups with a business need. Do not share publicly. | ✔️ | ✔️ |
| Storage (Computer/Device) | Store on University-issued/personal devices meeting Minimum Standards. | ✔️ | ❌ |
| Storage (University Online System) | Store on contracted online systems. Level 4: Encrypt. | ✔️ | ✔️ |
| Storage (USB/External) | Level 2: Password-protected; Level 3: Encrypted/password-protected drives. | ✔️ | ✔️ |
| Data in Transit/Sharing | Share using contracted systems. Minimize sharing. Level 3: Encrypt. | ✔️ | ✔️ |
| Deletion | Use “Delete” and empty trash. Level 4: Encrypt. | ✔️ | ✔️ |
| Destruction: Devices/Drives | Level 2: Reuse/recycle; Level 3: Factory reset or destroy; Level 4: Secure destruction only. | ✔️ | ✔️* |
| Vendors/3rd Parties | Contract required. Level 3: Must include Univ. privacy/security language. Level 4: Risk assessment and approved contract. | ✔️ | ✔️ |

*For destruction of devices/drives at Level 4, reuse and recycling are not permitted; secure destruction is required.
Privacy Insight
At Harvard, we are dedicated to safeguarding personal data. Secure data handling is an important step but not all that is required. Certain information, including health and financial data, may require additional steps to comply with a law and/or regulation beyond securing an asset. For more information, reference the Privacy Principles guide and training.
Collaboration Tools Matrix
Conducting university business through supported services helps ensure compliance and leverages security measures that consumer tools often lack.
| Tool | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|
| Consumer Google Drive - All tools | ✔️ | * | ❌ | ❌ |
| Consumer Dropbox, Evernote | ✔️ | * | ❌ | ❌ |
| Consumer Encrypted External Drive | ✔️ | ✔️ | ✔️ | ✔️ |
| Consumer email (Gmail, Yahoo, etc.) | ✔️ | * | ❌ | ❌ |
| Harvard email (M365, Gmail) | ✔️ | ✔️ | ❌ | ❌ |
| Harvard M365 email with message encryption | ✔️ | ✔️ | ✔️ | ✔️ |
| Harvard Confluence/Wiki | ✔️ | ✔️¹ | ✔️¹ | ❌ |
| Harvard GitHub code.harvard.edu | ✔️ | ✔️¹ | ✔️¹ | ❌ |
| Harvard Dropbox | ✔️ | ✔️¹ | ✔️¹ | ❌ |
| Harvard Google Drive/Docs (g.harvard) | ✔️ | ✔️¹ | ✔️¹ | ❌ |
| Harvard Slack | ✔️ | ✔️ | ✔️ | ❌ |
| | ✔️ | ✔️ | ✔️ | ❌ |
| Harvard KiteWorks | ✔️ | ✔️ | ✔️ | ✔️ |
| Harvard CrimsonPrint | ✔️ | ✔️ | ✔️ | ✔️ |
| Harvard M365 SharePoint with L4 configuration | ✔️ | ✔️ | ✔️ | ✔️² |
| Harvard Qualtrics with L4 configuration | ✔️ | ✔️ | ✔️ | ✔️² |
| Harvard Zoom | ✔️ | ✔️ | ✔️ | ✔️³ |

Notes:
- \* Consumer versions not recommended for university business.
- ¹ No “public” repositories
- ² Special configuration/request required
- ³ No “local” recording