Images for the Office of the Provost - Harvard University

Information Security Advisory: Usage Guidelines for HUID

The recent ID card incident has brought forth a number of questions on the proper use of HUIDs. The incident was made more complicated because of the use of HUIDs as an account identifier by Crimson Cash. Because of this use, HUIDs can be considered financial account numbers under the Massachusetts law requiring the protection of financial account numbers and notification of the affected parties in case of a misuse of such numbers.

Over time, Crimson Cash will be moving away from using HUIDs as account identifiers. Until that happens, protections for HUIDs accompanied by the name of the HUID holder must meet the requirements of the new Massachusetts law. Given the new Massachusetts law, HUIDs should not be used as financial account numbers. In cases where they are used that way today, a plan should be developed to adopt an alternative approach as soon as possible. The following guidelines are provided to assist in ensuring protection of HUIDs.

I. HUIDs as confidential information.

Even without the use of HUIDs by Crimson Cash, the HUIDs of students and former students, when accompanied by the names of the HUID holders, should be treated as confidential information. HUIDs without names are not considered confidential, unless there is enough other information present to identify an individual (a phone number, for example).

II. Viewing and Displaying HUIDs.

Harvard's general guidance on displaying confidential information applies to HUIDs. Display HUIDs only when they are needed for an application. Include HUIDs in a report only when they are required for the use of the report. Compile HUIDs in a database only if needed for that application.

Examples in which HUIDs are acceptably compiled:

  • A Help Desk that serves the entire University may have all University HUIDs in its database.
  • An application that is restricted to users in a particular School should only include HUIDs from that School.

Examples in which HUIDs may acceptably be displayed:

  • A directory application used only within an administrative group to look up its students or employees.
  • A lookup of an individual by HUID. Displaying the HUID of an individual as part of the result of a lookup is acceptable even if the lookup is done by name or some other key, provided there is a business reason to include the HUID in the result.
  • Where the HUID is not needed every time a lookup is done, it may be better to not include the HUID as part of the default display, but instead to provide the HUID on demand if the user clicks on a special button.
  • When displayed on demand in this way, it is advisable to log which users ask for the HUID as a deterrent against improper use of the HUID, provided users are informed about the logging.

Examples in which HUIDs may not acceptably be displayed:

  • Posted lists of names of people. It is not acceptable to include HUIDs on lists of the names of people where the list will be publicly posted.
  • Mailing labels. It is not acceptable to print the HUID on mailing labels.

III. HUIDs in Reports.

Printed or electronic reports should only contain HUIDs if there is a business requirement to do so. Any report that contains HUIDs should be treated as confidential. Paper reports should be stored in locked file cabinets and electronic reports should not be sent via email.

Report creators should ensure that any recipients of the report understand that the report contains confidential information and that the recipient has a responsibility to protect it.

IV. HUIDs in Logs.

Logs that include HUIDs, such as those of building access systems, should be treated as confidential. Access to such logs should be restricted to those with a business reason to access the logs.

V. Transporting HUIDs over the network; transporting by email.

Lists of HUIDs with names, or with enough information to identify the individuals, should be treated as confidential information and thus should not be sent over a network unless they are encrypted. Such lists should not be sent via email since most email systems do not encrypt their messages. Where possible, transferring such files by other methods, such as via files on share drives, is preferable. Files can also be encrypted before transmission via normal email.

It is acceptable for people to send their own HUIDs via email, in person or via phone for a business-related purpose. It is also acceptable for someone to send a single HUID, even with a name, via email or phone. An example of this use is a request for someone to be added to the list of people allowed in a building. This does not present a significant risk and is acceptable.

See also
Confidential Information for information on protecting Harvard confidential information.
