Information Security and Privacy

Information resources are vital University assets. All employees who use or provide information have a responsibility to maintain and safeguard these assets. Employees are expected to use these shared resources with consideration and ethical regard for others, and to be informed about and responsible for protecting the information resources in their care.

University Information

University information may be broadly classified into one of three categories:

  1. Information that is generated publicly or is intended to be made public.
  2. Information that is gathered or generated for the University’s internal use.
  3. Confidential information pertaining to the University’s individual students, faculty and staff.

The information that employees generate or maintain in the course of their duties belongs not to them individually but to the University, which entrusts it to their custody. The custody of University information is the responsibility both of the custodian and his or her supervisors. Managers should adopt, announce and enforce safeguards and procedures to protect the confidentiality of such information. Everyone must protect the confidentiality of University information that is not intended to be made public. University staff may not use non-public University information for personal ends, nor obstruct its use for proper University purposes.

Particular care must be taken by supervisors and custodians with personally identifiable confidential information, such as a student’s financial aid, grades and academic evaluations; employees’ salaries and performance evaluations; and family data and medical records. Such information must be accorded the strictest safeguards, so that access is given only to those whose duties require it. In addition, disclosure of information pertaining to students is subject to the restrictions of the Family Educational Rights and Privacy Act (FERPA), a federal law. Please see Harvard’s Enterprise Security Policy at http://security.harvard.edu for more information about protecting the integrity and privacy of confidential information.

Rules about the retention of University information can be found at the web site of the Records Management Office.

Privacy, Access, Confidentiality, and System Security

Access to and use of Harvard’s computer systems, telecommunications and network connectivity are provided to members of the Harvard community to assist in fulfilling the education, research and service missions of the University. Harvard’s technology resources include e-mail, telephone, voice mail, computer hardware and software, Internet access and the campus computer network. All University-purchased technology resources and their components or peripheral parts are the property of Harvard University. Access to such resources is limited to authorized users and is for approved purposes only. Users may not install peripherals or software they purchase with their own money on University-owned computers, or use their own computers on Harvard networks, without the specific permission of their supervisor. All users have the responsibility to use those resources in an efficient, ethical, and legal manner. This policy is not intended to limit use of technology for scholarship, research, instruction or other academic pursuit, consistent with the rules and regulations of the respective Faculties and applicable laws.

Privacy/Management’s Right to Access Information

Employees have no expectation or right of privacy in anything they create, store, send, or receive on Harvard’s computers, networks or telecommunications systems. Although many employees have individual computers or computer accounts, and while employees may make incidental personal use of University technology information systems, ultimately Harvard University has ownership over, and the right to obtain access to, the systems and their contents. Incidental personal use is permitted so long as it does not interfere with job performance, consume significant time or resources, interfere with the activities of other employees or otherwise violate this policy, the rules of an employee’s local unit, or other University policies. Electronic files, e-mail, data files, images, software and voice mail may be accessed at any time by management or by other authorized personnel for any business purpose. Access may be requested and arranged through the system’s user; however, this is not required.

University Confidentiality

University records or information that employees create, maintain, access or store in the course of performing their jobs may include confidential and/or proprietary content. Given the sensitivity of such information, care, judgment and respect must be exercised to preserve individual privacy and to protect the University’s interests. Each employee is accountable for organizing and controlling access to information and data created or maintained by their office. Information may be shared or accessed on a limited, need-to-know basis, with consideration and ethical regard for others. In addition to these University requirements to keep information private, there are a number of government laws and regulations that require specific types of data to be kept confidential.

Access and System Security

Each employee affiliated with the University is assigned a unique identification number by Harvard (HUID). This number is not the person’s Social Security Number, nor is it a National Identity Number. The HUID is used to identify the employee in many Harvard systems; it can be used to provide access to systems and facilities, to grant authorization to perform various functions, and to authenticate the employee’s identity. For instance, the HUID is used on an employee’s Harvard identification card (ID card). An employee may also use their HUID to obtain a Personal Identification Number (PIN) password. The HUID and PIN in combination provide access to some information technology resources and to many systems at the University, and should be carefully protected. HUIDs should not be shared outside the University without specific permission, and PINs should not be shared under any circumstances. Local units may provide additional identification numbers for local purposes.

All authorized users of technical information systems assume responsibility for acting to preserve the integrity of these systems and any University data to which they may have access. Users are expected to exercise current best practices consistent with systems security as directed by departmental Information Systems specialists. Users should be informed of and abide by directives covering the use of University and personal identification numbers, software installation, remote access, network security, virus prevention, spam management, backup procedures and other technical practices. State and federal laws prohibit unauthorized access to computer and telecommunications systems. Unauthorized access, and attempts to gain unauthorized access, to equipment, records or privileges are prohibited. Particular care must be taken to ensure the lawful use of University software, and compliance with the Digital Millennium Copyright Act, as indicated in the policy below. All software is copyrighted. The University obtains licenses to use specific pieces of software and may use that software only according to the terms of the software license. Copying, removal or transfer of licensed software without authorization is prohibited. Software under University license may not be copied and used on a home computer except for University business, and then only when the license allows such use. Employees who violate either the license or the copyright of University software are answerable to the University and may also be legally liable to the license issuer or copyright holder.

The use of University technology resources for any illegal activity is prohibited.

Additional Information

University technology resources should not be used in connection with lobbying (except official University lobbying activities authorized by the Office of the Vice President for Government, Community and Public Affairs) or political campaigns. In addition, such resources must not be used for private business or commercial activities, except where such activities are otherwise permitted under applicable University policies.

Faculties and departments may supplement this policy with more unit-specific policies not inconsistent with this statement. It is the responsibility of University employees to be familiar with University and faculty/departmental policies.

For information regarding use of the Harvard domain name and other related matters, please refer to: The Use of Harvard Names and Insignias.

Violations of This Policy

Any violation of this policy or applicable City, State and Federal laws will be subject to investigation and/or disciplinary action, up to and including termination of employment and referral to state or federal law enforcement authorities in the appropriate cases. Questions concerning any aspect of this policy should be directed to the Office of Human Resources or the Office of Labor and Employee Relations.

Employee Compliance under the Digital Millennium Copyright Act

Harvard complies with the federal Digital Millennium Copyright Act (DMCA) by respecting the copyright protection of works accessible through computers connected to University networks. Such works include but are not limited to the following: music, movies, television shows, software, photographs, video productions and any copyrighted document or file that can be conveyed electronically.

Installing Software to Facilitate the Exchange of Copyrighted Materials

Harvard expressly forbids the use of the Harvard network for illegal activities, including copyright infringement. Harvard also forbids University employees from installing software whose common use is to share copyrighted material on University computers without specific authorization. (For example, such software includes peer-to-peer file sharing software.) Employees violating this policy will be subject to the full measure of disciplinary action up to and including warnings, suspension without pay and termination of employment. In addition, the employee may also be subject to civil or criminal penalties. In the case where such applications are required for performing assigned job responsibilities, the software application must be reviewed by school or department desktop or network support personnel to certify that its use will not pose a network security threat.

Exclusion: Legal use of copyrighted material with the permission of the copyright owner or under the fair use or another exemption under copyright law is permitted for legitimate purposes as required by an individual’s position at Harvard (such as research, education and medical diagnosis). Such uses are not considered violations of this policy.

Using the University Network to Download or Distribute Copyrighted Materials

No employee shall use University networks or other resources to download or distribute copyrighted materials without permission of the copyright owner, unless fair use or another exemption under copyright law applies.

Violation of this Policy

In the case of a first confirmed violation of these rules, the staff member will be required to sign a statement of acknowledgment regarding the policy and its consequences, unless it is determined that the staff member is not at fault. In the case of a second, and therefore repeat, infringement, the staff member’s computer and network access will be terminated, unless it is determined that the staff member is not at fault. This action is likely to result in job termination in cases where network use is necessary for an employee to effectively perform the duties of the position.