Research Data Security

I'm not required to submit an application to the IRB. How do I determine the Security Level of my data?

Researchers often deal with sensitive information that does not relate to human subjects or is not classified as "research" under DHHS regulations (see the IRB's "Is My Project Regulated Research?" for helpful background information). Examples can include proprietary information subject to confidentiality requirements, information pertaining to deceased individuals, and information with national security implications. Because this type of research is not required to be submitted to the IRB, the faculty member overseeing the data collection or acquisition is responsible for determining the appropriate Data Security Level (DSL) based on the type of data they are working with (see also the Information Security Quick Reference Guide).

Harvard's Research Data Security Policy states that compliance with the protection and use requirements dictated by the appropriate DSL is the responsibility of the faculty member. He or she, as well as any researchers working on the project, should review the terms of any applicable Data Use Agreement, Research Protocol, consent form, grant and/or other contract to see if any additional requirements apply. Harvard personnel working under such an agreement must, at a minimum, comply with those protection requirements. In addition, it is the faculty's responsibility to discuss the protection requirements with the relevant School CIO or IT Director to ensure that the protection requirements can be met.

Researchers should consult with their School CIO or IT Director to determine the proper DSL if they are not sure what category is appropriate.

How and where should I store sensitive research data?

When collecting data from researchers or other sources, proper data security is critical for maintaining researchers' intellectual property rights and participants' right to privacy. Federal and state laws as well as Harvard University policies, specifically Harvard's Research Data Security Policy, require that sensitive, personally identifiable, confidential, or private information collected during a research project be secured against unauthorized access and accidental exposure. The term “data security” is broadly used to include the network security and physical security of devices, computer files, and systems.

To assist researchers with data security requirements, Harvard University has established “The Harvard Research Data Security Policy” (HRDSP), which sets out security measures that must be followed as the information risk posed by a research project increases.

Harvard's storage options for sensitive data (Security Level 3 and 4):

Sensitive data support: Level 3 and Level 4; Level 3; Level 3; Level 3 and Level 4