Many members of the HGSE community engage in research that involves the collection or use of legally protected information including Human Subject Information (HSI). In conjunction with HGSE and Harvard security policies, the Harvard Research Data Security Policy (HRDSP) specifically outlines protections around the collection and use of research data.
While there are many angles to research data security throughout the lifecycle of a research project at the University, one of the first steps required is for a researcher to submit their proposed research activities for approval.
To start, you can familiarize yourself with HGSE's general research Approval Process section. While data security is woven into all steps of the research approval process, the most notable interactions between the researcher and security at HGSE are within Steps #3 and #4.
Understanding Your Security Requirements
In Step #3 of the general research approval process, once the IRB has reviewed all materials submitted by the researcher, they will make a binary "Sensitive" or "Non-Sensitive" data determination for the project. The University requires HGSE researchers to submit a request for security review in the University’s Data Safety Application in any of three cases: 1.) projects determined to be sensitive by the IRB, 2.) research data that appears to be DSL 3, 4, or 5 based on HUIT guidance, is not managed via a DUA, and is Not Human Subjects Research, or 3.) data that is subject to a DUA. All requests listing HGSE as the researcher’s primary affiliation will automatically be routed to HGSE's DSO for review, and a follow-up consultation may be scheduled.
This consultation allows the DSO to assist the researcher with the implementation of any data security tasks required according to the project's data classification level (assigned by HGSE's DSO based upon the type(s) of data the researcher is anticipated to work with) and/or by any accompanying DUAs. The basic principle behind this data classification process is that the greater the sensitivity of the data collected by the researcher, the higher the classification level assigned. As the classification level increases, so does the number or type of security requirements.
Researchers can set up an appointment with the DSO by navigating here: calendly.com/sarah_pruski
Customized data classification level guides have been developed for the HGSE community to help keep them on track when planning for their project's specific information security needs and to help visually consolidate the same requirements outlined on the University's security website. Visit HGSE's Data Classification section to review and download the guides.
Secure Storage & Collaboration Services
HGSE business and research activities conducted using an appropriate University-provided tool are in compliance with University policy and are protected by contractual and other security measures not available to consumer tools. As such, consumer versions of tools (e.g., Dropbox, Google Drive, Gmail) are only permitted for use with data classified at Level 1. Review HGSE's section on Secure Collaboration to help choose an appropriate HGSE/Harvard-provided or approved third-party service provider (vendor) solution for your secure storage, collaboration, or platform needs according to your type of data.