Maybe. All research conducted at Harvard must comply with Harvard policies, even if the Data Use Agreement calls for lesser levels of protection. A data-use agreement may require additional protections, in which case the researcher must also meet the requirements in the data-use agreement. 

Before transferring or disposing of a Harvard-owned computer, the hard disk must be securely "wiped.” Deleting or reformatting the HD is not sufficient. To have this done, please call 5-9000. Harvard computers cannot be transferred outside of Harvard unless approved by Peter Brown and unless the operating system has been removed.

Do not use e-mail to transmit CI (Confidential Information). Please, use Harvard's Accellion Secure File Transfer server: http://fta.fas.harvard.edu. To get help with this, call 5-9000. HRCI can only be transferred out of Harvard if Harvard has a contract containing specific security requirements with the destination of the transfer.

Information is confidential if its disclosure could cause civil or criminal liability to or damage the financial standing, employability, reputation, or other interests of the exposed person. Student grades, reference letters and applications would be common examples of CI.

When this happens, you are required to inform the University immediately. Please click here for notification guidelines.

If you have any questions, please do not hesitate to contact the economics department IT security officer:

Peter Brown
617 496-4108 (pbrown@harvard.edu)

Only with specific permission from Peter Brown, which will only be given if there is sufficient business reason and if the laptop is protected as well as a Harvard-owned one (see question 4)

Given a specific business reason for doing so, CI may be kept on an encrypted laptop if it is properly configured. It must have a timeout password controlling access to the desktop; the operating system must be updated regularly; it must have updated anti-virus software; have its firewall active; kept in a secured location, etc. In other words, all common-sense steps must be taken so that the laptop may be used to work with CI to securely complete a specific business related task. Once the task is completed, the data should be removed to a secure FAS file server, such as \\fas-depts, ( commonly known in the Economics Department as the H: drive), and the files deleted from the desktop machine using an approved secure erase program, such as Secure Erase or Darik’s Boot-And-Nuke. For info about secure-erase software and access to a secure FAS file server, please call 5-9000.

Given a specific reason for doing so, CI may be stored on some handheld devices if they are configured and managed appropriately.  If you need to do this, please contact security@fas.harvard.edu  for guidance as to the treatment of your specific device.

No. HRCI may not be kept on any laptops or portable devices, even if the devices are encrypted.  If you have questions about this, please contact Peter Brown (pbrown@harvard.edu) or the HUIT security group (ithelp@harvard.edu).

The recommended location for all CI is a secure Harvard file server, such as the network location commonly known in our department as the H: drive. Confidential student information such as grades or reference letters must not be kept on a desktop or even an encrypted laptop unless there are specific business reasons for doing so and the personal computer is configured appropriately. Once the business task is completed, the data should be removed to a secure Harvard server and the files overwritten using an approved secure-erase program. For more details, see question:  

The hard disks of all Harvard-owned laptops must be encrypted. To get this done, please call 5-9000.

CI may be kept on desktop computer if it is properly configured. It must have a timeout password controlling access to the desktop, the operating system must be updated regularly, have updated anti-virus software, have its firewall active and kept in a secured room, etc. In other words, all common-sense steps must be taken so that the computer may be used to work with CI to securely complete a specific business related task. If you still need the data once the task is completed, the data must be moved to a secure FAS file server, such as \\fas-depts (commonly known in the Economics Department as the H: drive), and the files deleted from the desktop machine using an approved secure-erase program, such as Secure Erase or Darik’s Boot-And-Nuke. For info about secure-erase software and access to a secure FAS file server, please call 5-9000.

Only when there is a business reason to do so, non-HRCI confidential info may be kept on USB drives, CDs or external hard drives only if those devices are encrypted. In these cases, please contact IT Security (ithelp@harvard.edu) to request an IronKey secure flash drive, which will be provided at no cost.

Student info (such as grades, reference letters, transcripts, personal statements, class work) must be treated as CI. As a general rule, it is best for faculty and staff to treat all student data as CI, unless there are specific reasons not to.

Some students are identified as having a Family Educational Rights and Privacy Act (FERPA) “block,” which means ALL information relating to them (including contact info) may be kept only on a secure server and not on a desktop computer. Since you may not always know which students have FERPA blocks, the best practice would be to not to keep any student contact info on a desktop or laptop computer.

These parties must have a written contract covering their services, including a requirement to protect CI. Please the Harvard Information Security contract-riders page.

Those who wish to contract with a vendor to collect or work with HRCI must obtain prior approval from the University CIO. For information, contact security@fas.harvard.edu.

Users should not depend on the built-in file locking in Microsoft Office for confidential info. Any number of programs can be used to circumvent the protections instead, users can encrypt such files using PGP or, for Windows computers, WinZip.

Please contact pbrown@harvard.edu or security@fas.harvard.edu for an analysis of your needs, so that we can make necessary arrangements.

A web survey must be approved by the Committee on the Use of Human Subjects. Also please check with the IRB. For details and forms, please visit http://cuhs.harvard.edu