#  University-Wide Privacy Principles 

 



   ![colorful lockers](/sites/g/files/omnuum12036/files/styles/hwp_1_1__360x360_scale/public/it-security/files/moren-hsu-vlakstkmvhk-unsplash.jpg?itok=9TjbDzd4) 

 

## Harvard strives to be a trustworthy steward of personal information.

Here at Harvard, we’re leading a movement: we’re taking the progressive approach of combining privacy and security into a single program, where they can act in concert and on equal footing.



 

---

 

##  Privacy Principles 

Our university-wide privacy principles are best practices and reflect common elements found in privacy regulations worldwide, many of which apply to Harvard. To the extent possible, these principles should be incorporated into new and existing business operations, research activities, technologies, and other processes involving personal information.

 

 



 window 

## Transparency

Before collecting personal information, provide a notice that clearly and simply describes how Harvard plans to use it, including the specific purposes for collection. Respond candidly to questions from individuals regarding the collection and use of their personal information.



 

 

 content\_cut 

## Minimum Necessary

Limit the collection of, access to, and use of personal information to the minimum that is directly relevant and necessary to accomplish a legitimate institutional purpose.



 

 

 person\_off 

## De-Identification

To the extent practical, remove personal identifiers or use aggregation, pseudonymization, or other anonymization methodologies.



 

 

 

 

 

 

 

 handshake 

## Responsible Use

Use personal information only for the purposes for which it was collected, with the consent of the individual, or as required by law.



 

 

 stop\_screen\_share 

## Limited Sharing

Share personal information with third parties only where consistent with applicable regulatory and contractual requirements and when adequate privacy and security controls are in place.



 

 

 toggle\_off 

## Choice and Control

To the extent practical and when doing so would not impair important institutional objectives, give individuals explicit choice and control as to how their personal information will be used, disclosed, and/or deleted.



 

 

 

 

 

 

 

 supervisor\_account 

## Stewardship

For each dataset containing personal information, designate an individual to be responsible for ensuring that these principles are adopted, that regulatory and contractual obligations are met, that data are accurate, and for responding to questions and concerns regarding its use.



 

 

 security 

 [## Security Controls

 ](/information-security-policy)Ensure that Harvard’s Enterprise Information Security Policy is followed for systems that store, process, or transmit personal information.



 

 

 auto\_delete 

 [## Retention and Deletion

 ](https://grs.harvard.edu/)Retain or archive personal information only as long as needed (using Harvard’s General Records Schedule as a guide) or as required by law or agreement. Securely delete personal information when no longer needed.



 

 

 

 

 

 

 

##  The Companion Guide 

This Companion Guide is intended to provide additional context and specificity to assist us in the application of the Principles. Privacy concerns should always be weighed against other University requirements and goals. For the full, accessible version of The Companion Guide, please click the link below to download a .PDF version.

 

 [ Download the Privacy Principles Companion Guide arrow\_circle\_right ](https://privsec.harvard.edu/sites/g/files/omnuum12036/files/2026-01/harvard-university-privacy-principles-companion-guide_dec_2025.pdf) 

 





###    What is The Companion Guide?  expand\_more  

 

Harvard strives to be a trustworthy steward of personal information. Our Privacy Principles establish a Harvard-wide framework for considering and applying a privacy-protective mindset to the work that we do at the University.

The strategy behind these Principles is threefold: 1) promote a culture that values privacy, 2) create a foundation for operationalizing privacy at Harvard, and 3) satisfy existing and anticipated regulatory compliance obligations.

The collection, use, and disclosure of personal information are essential to Harvard’s operations and its teaching and research mission. At the same time while doing this critical work, we need to consider privacy protections. That’s where these Principles come into play. The Privacy Principles are best practices for handling personal information during the course of our work activities. These best practices should be applied using a risk-based approach, taking into account the sensitivity of the data and the potential for harm. For help assessing data sensitivity, refer to the Risk Classification Table, which outlines common types of data and their associated risk levels.

This Companion Guide is intended to provide additional context and specificity to assist us in the application of the Principles. Privacy concerns should always be weighed against other University requirements and goals.

We recognize that not all of the Privacy Principles can be achieved in all situations. For example, we regularly use and share personal information in connection with our work at the University, often informally and in non-systematic ways. A teaching fellow may communicate information about a student to a faculty member, or administrators may exchange emails about an employee. By contrast, an information system used for administration at the University may generate, store, and make accessible a large data set containing information about a large number of persons—and indeed academic researchers at Harvard may obtain access to large data sets of personal information. While the Privacy Principles can inform the use of personal information at both small (one-off communications) and large (system-generated data sets) scales, the Principles should be applied flexibly, depending on the form and context of the information at issue.

  
Finally, neither the Privacy Principles, nor this Companion Guide, create any contractual or other legal obligation on Harvard’s part, or any contractual or other legal right or expectation in or for any individual person.



 

 

 



###    What is the origin of the Principles?  expand\_more  

 

While these Principles are tailored specifically to Harvard’s needs (now and future) and to anticipated regulatory developments, they are based on the internationally recognized Fair Information Practice Principles ([FIPPs](https://iapp.org/resources/article/fair-information-practices/)) that were developed in the 1970s and provide the core values underlying many federal, state and international privacy laws.



 

 

 



###    What is personal information?  expand\_more  

 

 Personal information is any data that relates to an identifiable individual person, including their character traits, history, and activities. Personal information not only includes name, address, and other direct identifiers, but also indirect information such as purchasing history, Internet activity, and, in some cases, information about personal activities, such as resource consumption.

 Owing to the ever-expanding availability of large data sets of personal information and activity logs, it has become possible to re-identify individuals from seemingly anonymized data sets. A data set may on its own be fully anonymized, in that it contains no personal identifiers, but when paired with outside information, including publicly available data, it may well be possible to identify individual subjects in the original set. Accordingly, if a piece of information could tell you something about a person, even if you need (but do not yet have) additional information to “unlock” who it is, it may be appropriate to treat it as personal information.



 

 

 



###    What do the Principles apply to?  expand\_more  

 

**Do the Principles apply to all forms of personal information (or just electronic)?** The Privacy Principles apply to all forms of personal information collected, stored, and processed by Harvard, including in paper or electronic form.

**Do the Principles apply to all types of personal information?** Yes, however, some categories of information—such as health or financial information, religious affiliation, or sexual orientation—are more sensitive than others and may cause greater harm if improperly secured or disclosed. As the risk level rises, it becomes increasingly important to implement these principles more rigorously and, when appropriate, incorporate additional privacy protections such as a Data Protection Impact Assessment (DPIA). When personal information is especially sensitive or processed at a larger scale, additional privacy requirements may apply to ensure the data is handled appropriately. Harvard’s Risk Classifications and privacy tools reflect these considerations. Contact ISDP or your School Privacy and Security Officer for assistance with making these determinations regarding risk and requirements.



 

 

 



###    How do the Principles relate to existing Harvard policies?  expand\_more  

 

**How do the Principles relate to existing Harvard policies?** The Privacy Principles are not policy but instead a set of principles to consider and apply in appropriate circumstances weighing privacy against other institutional goals.

The Privacy Principles do reflect and are consistent with the conceptual underpinnings of several existing Harvard policies, including:

- [Policy on Access to Electronic Information ](https://provost.harvard.edu/files/provost/files/policy_on_access_to_electronic_information.pdf)
- [Policy on Installation and Use of Video Cameras ](https://provost.harvard.edu/sites/g/files/omnuum12476/files/2025-10/final_video_camera_policy_may_25_2016_2.pdf)
- [IT Professional Code of Conduct to Protect Electronic Information](https://huit.harvard.edu/it-professional-code-conduct-protect-electronic-information)



 

 

 



###    What do the Principles mean for me?  expand\_more  

 

Each of us should be mindful about how we manage and use personal information that is entrusted to us and in the systems we use and create. These Principles can inform and guide our decisions and actions as trustworthy stewards, providing a touchstone for bringing privacy to life across the breadth and depth of Harvard’s activities.



 

 

 



###    How do I apply these Principles?  expand\_more  

 

The overarching goal is to infuse privacy considerations into all that we do at Harvard. The Principles are therefore intentionally general and succinct. When you are considering the collection, use, or disclosure of personal information, we ask that you think about the Principles in their totality, considering their purpose and spirit, and then apply your best judgment. If you are uncertain or have questions, contact the [Information Security and Data Privacy (ISDP) team](https://privsec.harvard.edu/about/) for advice.

- If you are establishing new business operations, research activities, technologies, or other processes involving personal information, consider whether you can incorporate the relevant principles into your system design (i.e., “Privacy by Design”). When we consider privacy from the earliest stages and throughout the data life cycle (i.e., collection, use, retention, processing, disclosure, and destruction), we are best positioned to implement privacy protections.
- If you aim to introduce privacy protections to existing business operations, research activities, technologies or other processes involving personal information, review your data practices for alignment with the Principles. Where the practices do not align with the relevant Principles, and where practical, adjust your practices to bring them into alignment.
- In all cases, it is a best practice to consider the principle of data minimization, as this is highly effective in reducing risks associated with privacy incidents.



 

 

 



###    What does each of these Principles mean?  expand\_more  

 

See the full Companion Guide for each of the Privacy Principles to help you understand and, where appropriate, implement them.



 

 

 



 

 

 

 

##  Training 

Familiarize yourself with the Privacy Principles by attending self-paced, online training through the Harvard Training Portal.



 

 



 [ Attend the Privacy Principles Training arrow\_circle\_right ](https://trainingportal.harvard.edu/Saba/Web_spf/NA1PRD0068/common/ledetail/cours000000000042783) 

 

 

 

 

##  What about GDPR? 

The General Data Protection Regulation (GDPR) is a regulation that applies to any organization that controls or processes the personal data of individuals in the European Economic Area (EEA), regardless of the organization’s location. GDPR sets out strict obligations - such as being open about how personal information is used, minimizing what data is collected, ensuring data is handled safely and accurately, and responding appropriately to breaches.

[Learn more by visiting our website](https://gdpr.fad.harvard.edu/) (HarvardKey required) which provides helpful resources, guidance, and tools to help you understand your responsibilities and protect personal data in accordance with GDPR.



 

##  Building Privacy, Building Trust with Trevor Hughes 

Trevor Hughes, the President and CEO of the International Association of Privacy Professionals (IAPP), speaking at a recent ISDP Retreat on Privacy Principles.