Data Classification

Know Your Data

Classifying data is the process of categorizing data according to its sensitivity. Legally protected information, or what's called 'high risk confidential information' (HRCI) at Harvard (e.g., SSNs, credit card numbers, heath information, etc.), requires a greater level of protection, while lower risk data (e.g., published information, publicly available information, etc.), requires proportionately less protection. 

The University has defined a data classification schedule for information which directly correlates to the sensitivity of the data, with Level 1 indicating public or non-confidential data, and Level 5 indicating information protected by law and considered of the highest risk. You are encouraged to begin with the following resources to better familiarize yourself with data classification at Harvard:

  • University Data Classification Table: Outlines the five levels of classification that cover all the types of data at the University. PDF downloads included for the full classification table, an abridged version, and a quick reference guide.
  • Administrative Data Security Level Examples: Outlines some of the most common administrative data examples within the University's data classification levels.
  • Research Data Security Level Examples: Outlines some of the most common research data examples within the University's data classification levels for researchers.
  • Know Your Data: The information contained within this section of the University's 'Small Actions, Big Difference' security campaign provides specific procedures and requirements for protecting data based upon its assigned data classification level.
  • Harvard Enterprise Security Policy: Requirements and guides on how to handle different levels of data at Harvard. 

Data Classification Level Determination

Research Data

If you are working with research data, your respective data classification level is assigned by HGSE's Director of Security Operations (DSO) based upon the type(s) of data you are anticipated to work with. You must first formally apply to your Institutional Review Board (IRB) (either Longwood Medical Area or University Area) before being assigned a data classification level. To start, you can familiarize yourself with HGSE's general research approval process and where/how to begin securing your research data.

Non-Research Data

If you are not engaged in research and are unsure about your data's classification level after reviewing the University Data Classification Table, please contact please contact HGSE's Director of Security Operations (DSO) through the IT Service Center. For more in-depth 1x1 or group (team, department, etc.) security consultations or awareness training around data classification, you're encouraged to schedule some time with the DSO:

Secure Storage & Collaboration Services

HGSE business and research activities conducted using an appropriate University-provided tool is in compliance with University policy, and is protected by contractual and other security measures not available to consumer tools. As such, consumer versions of tools (e.g., DropBox, Google Drive, Gmail, etc.)  only permitted for use with data classified at Level 1. Review HGSE's section on Secure Collaboration to help choose an appropriate HGSE/Harvard-provided or approved third-party service provider (vendor) solution to your secure storage, collaboration, or platform needs according to your type of data.

Quick Guides

Customized data classification level guides have been developed for the HGSE community to help keep them on track when planning for their project's specific information security needs and to help visually consolidate the same requirements outlined on the University's security website. Given that Level 1 information is intended for public consumption, no guide is provided. Similarly, given the complexity, sensitivity, and ad hoc nature of Level 4 and Level 5 data, no guides are provided, and users with the potential to engage with these types of data should 1.) Consult with HGSE's Director of Security Operations (DSO) by contacting the IT Service Center, as well as 2.) Carefully review the University's Level 4 and Level 5 data requirements before writing their IRB research protocol for review: