Harvard University
Harvard Confidential Information
 
 

Some of the vast amount of data that groups at Harvard deal with is confidential in some way. Some data about individuals and some data about University operations and plans should be protected against general disclosure.

The University is required by law to protect some categories of data about individuals including, for example, health records, student records, records about human subjects, and some financial and employment records. In addition, the University has developed policies requiring protection of other types of data about individuals. The University also considers some data that is not specific to individuals confidential including, for example, internal discussions of University plans prior to reaching a consensus plan.

Confidentiality Agreement

University employees who have access to confidential information are required to properly protect it and not to distribute the data in a way that compromises its confidentiality. Such employees are generally required to sign a confidentiality agreement.

Protecting Harvard Confidential Information

A number of core systems at the University maintain databases of information about individuals. These systems include, for example, the HU ID system, the University LDAP server and the PeopleSoft HR system. These databases include directory, employment and other information about individuals associated in some way with Harvard.

Many of the applications around the University that deal with individuals get data about the individuals by accessing these core systems or by getting regular data feeds from these systems. Such access is carefully controlled to be sure that the applications get only the data they need and to be sure that the applications are designed and operated in a way to protect any confidential information they deal with. See Harvard's rules for protecting confidential information.

Access to Harvard Confidential Information

Anyone whose work requires access to confidential information maintained by the HUID system or in the University LDAP directory, or whose work requires that they view or handle personally identifiable data about individuals, must contact the University Help Desk (uis_helpdesk@harvard.edu) to arrange for access and consultation regarding data policy and handling requirements prior to beginning application development.

Application owners must manage access privileges and must ensure that access to servers changes when an authorized user's employment status changes due to job change or move. The Auth Proxy service must be implemented in these cases, allowing an automatic lookup of the user's profile. Access will be denied if there is not a match with the original profile of the authorized user.

Application owners are advised to review Auth Proxy role descriptions in preparation for assigning roles to authorized users.

Protecting Human Subjects Information

Researchers dealing with human subjects are required by federal regulation and Harvard policy to take very special care that information about individual subjects in an experiment is not released. Please see the 'Human Subject' section of this site.

Requirements for Vendors

Vendors who deal with Harvard confidential information, whether or not they obtain the data directly from Harvard, must contractually agree to protect the data before they can be authorized to do work on behalf of the University. Please see the 'Working with Vendors' section of this site.

 


 
 
 