“Confidential Information” refers to all types of data in Levels 2-5. The higher the data level, the greater the required protection.
Level 2 is information the University has chosen to keep confidential but the disclosure of which would not cause material harm.
Level 2 information includes unpublished research work and intellectual property not in Level 3 or 4. Level 2 also includes information classified as Level 2 by an Institutional Review Board (IRB).
Examples:
Level 2 Requirements
View detailed requirements for users, devices, servers, and paper records.
Level 3 information could cause risk of material harm to individuals or the University if disclosed.
Level 3 information includes individually identifiable information which if disclosed could reasonably be expected to be damaging to reputation or to cause legal liability. Level 3 also includes research information classified as Level 3 by an Institutional Review Board (IRB).
Examples:
Data use agreements, research consent forms and other contracts under which Harvard personnel receive confidential information from outside parties often state specific data use and protection requirements. Harvard personnel working with such information must comply with such requirements. Use of such information must also comply with the applicable Harvard data security requirements if the contract calls for lesser levels of protection than the Harvard rules.
Harvard's Confidential Information policy does not restrict or limit the rights of employees to discuss terms and conditions of their employment, including salary and benefits, with each other or with third parties.
Level 3 Requirements
View detailed requirements for users, devices, servers, paper records, and working with vendors.
Level 4 information would likely cause serious harm to individuals or the University if disclosed.
Level 4 information includes High Risk Confidential Information (HRCI), as defined below, and research information classified as Level 4 by an Institutional Review Board (IRB). Level 4 also includes other individually identifiable information which if disclosed would likely cause risk of serious social, psychological, reputational, financial, legal or other harm to an individual or group.
“High Risk Confidential Information” means an individual’s name together with any of the following data about that individual: social security number, bank or other financial account numbers, credit or debit card numbers, driver’s license number, passport number, other government-issued identification numbers, biometric data, health and medical information, or data about the individual obtained through a research project.
Examples:
* Note on Medical Records and HIPAA: Harvard units or programs that are so-called "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA) must comply with HIPAA’s data security rules. As of the effective date of this policy, the covered entities are University Health Services, Harvard Dental Services, and certain University benefits plans. Other units or programs may be required to comply with HIPAA data security rules for limited purposes under the terms of specific contracts, such as a business associate agreement. See HIPAA Advisory.
Level 4 Requirements
View detailed requirements for users, servers, paper records, and vendors.
Level 5 information would cause severe harm to individuals or the University if disclosed.
Level 5 information includes individually identifiable information which if disclosed would create risk of criminal liability, loss of insurability or employability, or severe social, psychological, reputational, financial or other harm to an individual or group.
Level 5 includes research information classified as Level 5 by an Institutional Review Board (IRB).
Examples:
Note: Due to the unique level of risk associated with Level 5, special precautions are required. Download the standalone set of Level 5 Requirements.