Information Security

Harvard offices should always maintain appropriate security over their information. This includes both paper and electronic information. Special care should be taken with confidential information. Harvard defines Confidential Information as including information about a person or an entity that, if disclosed, could reasonably be expected to place either the person or the entity at risk, or be damaging to financial standing, employability, or reputation. In addition to any University penalties, inappropriate disclosure or misuse of confidential information may, in some cases, lead to criminal or civil liability.

High-Risk Confidential Information is confidential information that could cause harm if disclosed, or that is specifically protected under law or under contract. It includes a person's name in conjunction with the person's Social Security, credit or debit card, individual financial account, driver's license, state ID, or passport number; a name in conjunction with biometric information about the named individual; human subject information; and personally identifiable medical information.

Confidential information includes human resources information, information governed by the Federal Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA), and all other non-public information about Harvard.

For a complete definition of confidential information, see the glossary at the Harvard University Information Security and Privacy web site.

Some of the things you should do to protect confidential information are:

  • Realistically assess your need for any confidential information. If there is no legitimate business need to collect or keep it, don't.
  • Control access
    • Limit access, both for electronic and paper information, to those who have a legitimate need to use the information.
    • Lock file cabinets when not in use and keep them in a secure location.
    • Computers that contain confidential information should be located in computer facilities where access is controlled and monitored or, in rare cases, secured in locked cages in other locations.
    • Confidential information must never be stored on internet-accessible servers.
  • Ensure that transfers of information are secure
    • For paper, be sure you can trust anyone transporting the materials. All vendors that have access to or otherwise work with Harvard confidential data must have a contract with the University. The contract must include the appropriate rider to require the vendor to protect the information and to notify the University in the case of a breach of security.
    • For electronic information, encrypt any transfers of confidential information on any network. This means that you may not send confidential information via e-mail except with specially installed encryption software.
  • Dispose of the information securely. Massachusetts law requires that records containing personal information be destroyed "so that personal data cannot practicably be read or reconstructed." (M.G.L. c.93I §2)
    • For physical records, use secure shredding. The University has a preferred records destruction vendor who has been vetted by the University. The vendor can also set up shred bins in your office when appropriate.
    • For electronic information, appropriate steps should be taken to completely remove any information from discarded computers. When information is no longer needed, it should be rendered unreadable using appropriate software. (For more information visit the Harvard University Information Security and Privacy web site.)

Some of the things you should do to protect all information are:

  • Limit access to only those who need it. While this is critical for confidential information, it is a good practice for all information.
  • Make sure that identification of files and folders accurately reflects their contents. This applies to both physical records and electronic folders and is especially important if confidential information is included.
  • Have information management and security policies in place and follow them.

This is only a brief list of security issues. Bear in mind that many safeguards that are advisable for confidential information are required under law or Harvard policy for high-risk confidential information. For more complete information, and University policies on security and privacy, visit the Harvard University Information Security and Privacy web site.

If you believe a breach of security regulations has occurred, call the Office of the General Counsel at 6-3006 or, confidentially, at 1-877-694-2ASK.

© 2009 The President and Fellows of Harvard College


Last modified on Wednesday, September 5, 2007.

Records Management Office
Harvard University Library