subpage_img01 subpage_img02 subpage_img03 filler
Images for the Office of the Provost - Harvard University
Home > Enterprise Security Policy > 2. Confidential Information > 2.1 Obtaining Harvard Confidential Information

2.1 Obtaining Harvard Confidential Information

Policy

The University Helpdesk must be contacted (617.496.2001 or helpdesk@harvard.edu) to obtain access to any Directory Services resource (e.g., the ID management system) containing confidential information about individuals.

Access to Harvard core financial or reporting applications (e.g. Oracle Financials and Peoplesoft) should be requested via the local Authorized Requester for the application.

In addition, anyone working with or collecting high risk confidential information about individuals, even if they do not obtain this information from the University core databases, must contact security@harvard.edu or their local school security officer or CIO to discuss data policy and handling requirements before beginning application development.

Only the confidential information reasonably necessary to accomplish a legitimate business purpose should be obtained and the time that such information is retained should be limited to that reasonably necessary to accomplish such purpose.

Discussion

People or organizations at Harvard who wish to obtain High Risk
Confidential Information from sources within the University, from non-University sources, or from the individuals themselves or to provide such information to a vendor must obtain permission to do so from the School or University CIO before undertaking any such activity. See the High Risk Information Request Process for more information.

State and federal regulations mandate that a group only obtain and maintain the high risk confidential information or student record information needed to accomplish a legitimate business purpose.   The regulations also mandate that such information only be retained for as long as it is needed for that purpose.

Online request forms and additional information regarding the Authorized Request process may be found at
http://vpfweb.harvard.edu/fss/ or
http://vpf-web.harvard.edu/fss/client_services/

See the Harvard General Record Schedule for more information on information retention.

Best Practice

The Best Practice for obtaining approved access to High Risk Confidential Information is to review the process description and to use one of the Request forms found at http://www.security.harvard.edu/resources/forms

Supported by WDS