Many Harvard faculty, staff, scholars, and student members engage in research that involves the collection or use of identifiable, sensitive or private information. Federal law and Harvard policy provide specific guidance and requirements for protecting identifiable research information. Harvard’s Research Data Management framework ensures that research data is handled in compliance with legal, ethical, and institutional requirements.
Policy Contacts
Emre Keskin
University Research Data Officer
Lorena Rosiles
Regulated Data Compliance Officer
Effective immediately, any Data Use Agreement (DUA) or grant submission that necessitates a System Security Plan (SSP) compliant with NIST standards (e.g., SP 800-53, SP 800-171) must be reviewed by the Office of the Vice Provost for Research (OVPR) and Harvard University Information Technology (HUIT) prior to submission.
Key Policies and Guidelines
Harvard’s policies protect sensitive data and ensure privacy, compliance, and ethical management across disciplines. They set security standards to mitigate risks and uphold academic integrity. Applicable to all Harvard affiliates handling private information, these guidelines mandate compliance for anyone using Harvard’s resources or conducting research under its authority.
Harvard Research Data Security Policy (HRDSP)
What is essential: HRDSP and Associated Guidance establishes essential security measures tailored to the specific risks associated with each research project. Working alongside the Harvard Enterprise Information Security Policy (HEISP), it ensures robust protection of sensitive research data, including that related to human subjects, Data Use Agreements (DUAs), and data governed by regulatory and intellectual property requirements. This policy is applicable to all forms and media of research data, whether stored at Harvard or managed remotely, covering researchers, research teams, and administrators who handle confidential information.
How to comply: To effectively protect research data, researchers, IRBs, Information Security Officers, Negotiating Offices, and administrators must understand and fulfill their data privacy and security responsibilities. The HRDSP and Associated Guidance offers guidance on managing research data, along with associated support systems, procedures, and reviews.
Harvard Enterprise Information Security Policy (HEISP)
What is essential: The HEISP Policy highlights Harvard’s commitment to safeguarding crucial confidential information and IT systems. Faculty, staff, and students are responsible for securing this information, following specific guidelines for compliance. The policy emphasizes authorized use, secure handling, regular updates, appropriate disposal, and careful third-party evaluation. Any potential data breaches must be reported promptly.
How to comply: Data protection requirements vary based on data classification levels: the more sensitive the data, the stricter the security measures. These information security requirements apply to everyone at Harvard. The HEISP web page offers detailed guidance on compliance and should be integrated into daily life at Harvard to protect both Harvard’s confidential data and your personal information.
Harvard Genomic Data Sharing Policy (GDSP)
What is essential: The Harvard Genomic Data Sharing Policy mandates that large-scale human and nonhuman genomic data produced from NIH-funded research be shared with an NIH-designated data repository, provided it aligns with participant consent. This policy sets protocols for regulatory compliance, promoting transparency, collaboration, and reproducibility in genomic research. It balances data accessibility with rigorous privacy protections, ensuring ethical standards and legal obligations are met.
How to comply: Researchers must secure IRB certification before data submission to NIH-designated repositories, ensuring data de-identification aligns with participant consent and privacy standards. This ensures that researchers handle human genomic data appropriately, fostering a responsible and open research environment.
Harvard Research Data Ownership Policy
What is essential: The Research Data Ownership Policy outlines that Harvard University owns all research data generated through projects conducted under its authority or using its resources. While the PI and researchers manage and safeguard the data, the University is ultimately responsible for compliance with legal and sponsor requirements, ensuring confidentiality and security. The policy outlines roles, responsibilities, and data retention guidelines, and specifies procedures for transferring data if a researcher departs.
How to comply: To comply with Research Data Ownership Policy, researchers must acknowledge the University’s data ownership and collaborate in its management. Principal Investigators are responsible for ensuring proper data management, storage, and accessibility, meeting all University, legal, and sponsor requirements. This involves setting up procedures for data retention, confidentiality, and sharing while respecting data use agreements. Researchers should update records and coordinate with the Vice Provost for Research on data transfers or inquiries to ensure secure, compliant data handling.
Records Retention Guideline
What is essential: Retaining research records is crucial for supporting the integrity and validation of research findings, ensuring accountability in the use of research funds, and protecting intellectual property. Adhering to these guidelines enables researchers to provide clear documentation during audits and reviews, thereby enhancing the transparency and credibility of their research.
How to comply: The Retention and Maintenance of Research Records and Data Frequently Asked Questions (“FAQs”) has been developed to outline the minimum University requirements for retaining research records and data, organized by principle. Each school is responsible for designating a representative to oversee retention issues and offer discipline-specific guidance. Researchers should exercise prudent judgment and consult field-specific standards to determine which records are critical for retention.
General Data Protection Regulation (GDPR)
What is essential: The GDPR is a comprehensive regulation that imposes various obligations on organizations managing personal data of individuals in the European Economic Area (EEA). For Harvard, this means maintaining high standards of data protection regardless of where the processing takes place.
How to comply: The GDPR Research Guidance and the GDPR Readiness website are provided to help researchers prepare for GDPR compliance. These resources provide tools, checklists, and educational materials to reinforce the protection of personal data.
Federal Data Management Policies
Harvard University provides resources to assist researchers and administrators in navigating the data management plan (DMP) requirements set by federal funding agencies. Below are agency-specific materials and references to relevant Harvard tools and offices.
If you have questions about specific sponsor requirements, please speak with your cognizant sponsored research office (OSP, HMS ORA, HSPH ORA). If you have questions about the sensitivity of your data, or appropriate resources, please speak with your local IT provisioner or information security officer.
National Institutes of Health (NIH)
The NIH has implemented the Data Management and Sharing (DMS) policy, effective January 25, 2023, to encourage scientific data sharing. All NIH-funded projects generating Scientific Data must include a DMSP.
Resources:
- Harvard NIH DMSP Budgeting and Application Instructions – Tip Sheet (09/21/2023): Guidance for Principal Investigators and grant managers on completing applications, including the required DMSP.
- NIH DMS Policy Central Reviewer Tip Sheet: Instructions for central reviewers evaluating applications, JIT requests, or awards involving the DMSP.
- Harvard Briefing Sheet for the 2023 Policy: Overview of the policy, responsibilities, and resources.
- Harvard FAQ for the 2023 Policy: Harvard-specific answers to questions based on current NIH guidance.
- SEAS Research Data Management: Support and consultation on Data Management Plans.
- Longwood Research Data Management (RDM): Information and resources on NIH Data Management Plans.
- DMPTool: A web-based platform offering step-by-step guidance for drafting DMPs, including NIH-specific templates and samples.
- Harvard Library Research Data Management Program: Connects members of the Harvard community to services and resources that span the research data lifecycle, to help ensure that Harvard’s multi-disciplinary research data is findable, accessible, interoperable, and reusable (FAIR).
National Science Foundation (NSF)
Since 2011, the NSF has required DMPs for all grant applications. These plans are a critical component of the review process and are thoroughly evaluated as part of proposal review, as they detail data preservation strategies and their associated costs.
Resources:
- NSF’s Dissemination and Sharing of Research Results
- NSF’s Award and Administration Guide (AAG) Chapter VI.D.4
- NSF’s Grant Proposal Guide, Chapter II.C.2.J
- SEAS Research Data Management: Support and consultation on Data Management Plans.
- Longwood Research Data Management (RDM): Information and resources on NSF Data Management Plans.
- DMPTool: Aids in creating and sharing Data Management Plans with NSF-specific templates and samples.
- Harvard Library Research Data Management Program: Connects members of the Harvard community to services and resources that span the research data lifecycle, to help ensure that Harvard’s multi-disciplinary research data is findable, accessible, interoperable, and reusable (FAIR).
Data Use Agreements (DUA)
A Data Use Agreement (DUA) is a binding contract that outlines the terms for accessing and handling nonpublic data provided by one entity (the “Provider”) to another (the “Recipient”). These agreements are crucial when external parties share data with Harvard or when Harvard shares data with other organizations. As research-related agreements, DUAs must be reviewed and signed by the Office for Sponsored Programs or the Longwood Area Offices for Research Administration (HMS/HSPH), following the Delegation of Signing Authority.
DUA Compliance
All DUA requests must be submitted for review, negotiation, and endorsement through the University-wide Agreement System. Researchers are required to link their DUA submissions to a corresponding Research Data Safety submission to ensure that security measures are properly assessed. The Harvard Data Requestor initiates and manages these submissions, working closely with the Negotiating Office. Comprehensive guidance on these procedures, including step-by-step instructions, is provided in the DUA Guidance and Policy and the Agreements-DUA Submission Guide, which details the processes and reviews associated with DUAs within the Agreement System.
Resources:
- OVPR contact: Emre Keskin
- For additional information and best practices on using the Agreements System, view the Agreements-DUA Submission Guide
- Harvard T.H. Chan School of Public Health: Sponsored Programs Administration (SPA): dua@hsph.harvard.edu
- Harvard Medical and Dental Schools: Office of Research Administration (ORA): SPAContracts@hms.harvard.edu
- University Area, all other Harvard schools: Office for Sponsored Programs (OSP): dua@harvard.edu
- Research Administration Portal reflecting outstanding research administration activities
CMS DUAs: Semi-Annual and Annual Reporting
Schools with active Centers for Medicare & Medicaid Services (CMS) DUAs are required to submit semi-annual and annual reports to meet University and federal standards. These reports, due by August 31st and every six months thereafter, are crucial for ensuring transparency, facilitating data-driven decision-making, and maintaining compliance.
The Office of the Vice Provost for Research (OVPR) will specify the data required for annual reports by March 1st each year. Prompt submission is critical; failure to comply may delay approval for new CMS Data requests and could lead to University-wide sanctions under the new CMS Data Management Plan Self-Assessment Questionnaire (DMP-SAQ) requirements.
The annual report must include the following components:
- Contacts: Provide contact details for the primary point of contact for the report and a list of any other contributors.
- Executive Summary: A concise summary highlighting:
  - The number of CMS DUAs active during the reporting period,
  - The number of active CMS DUAs as of the end of the reporting period,
  - The number of active CMS DUAs for physical files,
  - The number of active CMS DUAs for VRDC access,
  - The number of new CMS DUAs initiated during the reporting period,
  - The number of CMS DUAs that were closed during the reporting period.
  - For closed DUAs for physical files:
    - Was all data destroyed and certification of destruction provided to CMS?
    - If no, was data approved for re-use under another active DUA?
      - If yes, please provide information on the closed DUA and the active DUA re-using the data.
      - If no, please explain.
- Details on Active CMS DUAs: A detailed breakdown of the existing Active CMS DUAs, specifying:
  - PI or PIs (and their current affiliations),
  - associated data safety review(s) and expiration date(s),
  - location of CMS data (and consistency of the data location with what is on the DUA),
  - whether the IT infrastructure satisfies CMS requirements (and if not, the plans to achieve compliance),
  - and notes on any amendments to the DUAs that are in progress.
Institutional Compliance Management Program (ICoMP)
The Office of the Vice Provost for Research (OVPR) is committed to supporting research involving regulated data by ensuring compliance and mitigating risks. Through the Institutional Compliance Management Program (ICoMP), we conduct thorough reviews and approvals for Regulated Data Projects, with a focus on those presenting management or reputational risks. This oversight ensures research teams meet all data requirements, benefiting participants, researchers, and the institution. By monitoring these projects, the ICoMP enhances accountability, transparency, and informed decision-making, making OVPR oversight crucial for managing complex data initiatives.
OVPR Review Criteria and Submission Process
Criteria for OVPR review:
- DUAs: Any agreement involving a System Security Plan (SSP) according to NIST standards (e.g., SP 800-53, SP 800-171).
- CMS DUAs: All new or extended Centers for Medicare and Medicaid Services (CMS) DUAs need approval from OVPR prior to submission of the signed DUA or extension request to CMS.
- Grant Submissions: Projects involving regulated data that may pose management or reputational risks.
Submission Process for OVPR review:
- For Data Use Agreement (DUA) Review: Within the Data Safety module, the PI/DUA Team assigns an ancillary review to the University Research Data Officer organization which will email the OVPR to notify them there is a project pending their review. The URDO reviews the project. If there are no concerns, they electronically sign to approve, permitting the Submitting Office to proceed with the DUA submission.
- For Sponsored Proposals/Awards review: The Central Reviewer will edit the Required Signatures in GMAS and add the “Provost Signatory” role to the list, which alerts the University Research Data Officer (URDO) that there is a Regulated Data Project for OVPR Review. The URDO, with any necessary additional reviewers, evaluates the proposal. Upon approval, the URDO signs electronically, allowing the Submitting Office to proceed with the agreement.
Principal Investigator (PI) Responsibility
Compliance with data protection and use requirements is the responsibility of the principal investigator. Each PI should review their data use agreements, grants and other contracts to see if any such requirements are included. Harvard personnel working under such an agreement, grant, or contract must, at a minimum, comply with those protection requirements, as well as any disposition obligations. In addition, it is the PI’s responsibility to ensure any necessary reviews occur, including Data Safety/Security, DUA Reviews, and Institutional Review Board Reviews, and other research-related reviews governed by the Negotiating and Signing Authority Policy.
Research Administration Portal
The Research Administration Portal shows faculty and researchers their outstanding research administration and compliance activities, including reviews related to data management, and provides an overview of their portfolio. The application includes projects and protocols from:
Data Safety/Security Plan
The Data Safety/Security Plan is a fundamental document that ensures the secure management of research data. It sets forth protocols for data storage, access, and protection, aligning with the University’s data protection standards. This plan is mandatory in specific scenarios, such as when required by the sponsored award review process or when handling sensitive data (e.g., DSL 3, 4, or 5) or data exchange with subcontractors. Researchers, spearheaded by the Responsible Faculty Member, must draft and submit the plan for review.
Data Safety/Security Plan Compliance
To comply with the Data Safety/Security Plan, researchers must ensure that data storage aligns with the required Data Security Levels (DSL) and adhere to the terms outlined in the Data Use Agreement (DUA). In the event of a breach or unauthorized access to data, it is essential to promptly notify the Research Team, Negotiating Office, and any other relevant parties such as the IRB, in accordance with the Harvard Enterprise Information Security Policy (HEISP). This ensures that proper steps are taken to mitigate risks and maintain the integrity of the research data.
Data Security Officers Contact
| School | Reviewer Name | Reviewer Email | Backup Reviewer Name | Backup Email |
|---|---|---|---|---|
| Harvard Business School [HBS] | HBS Information Security | informationsecurity@hbs.edu | n/a | n/a |
| Harvard Faculty of Arts and Sciences [FAS] | Ingrid Skoog | ingrid_skoog@harvard.edu | Central Security Team | ithelp@harvard.edu |
| Harvard Graduate School of Design [GSD] | Mark Hagen | mhagen@gsd.harvard.edu | n/a | n/a |
| Harvard Graduate School of Education [HGSE] | Sarah Bystran-Pruski | sarah_pruski@gse.harvard.edu | n/a | n/a |
| Harvard Kennedy School [HKS] | Megan Potterbusch | mpotterbusch@hks.harvard.edu | Christina Sirois | christina_sirois@hks.harvard.edu |
| Harvard Medical School [HMS] | Joe Zurba | joseph_zurba@hms.harvard.edu | Aprillia Powers | Aprillia_Powers@hms.harvard.edu |
| Harvard John A. Paulson School of Engineering and Applied Sciences [SEAS] | Judit Flo Gaya | jflo@seas.harvard.edu | n/a | n/a |
| Harvard T.H. Chan School of Public Health [HSPH] | Andy Ross | andrew_ross@harvard.edu | Bill Dantowitz | bdantowi@hsph.harvard.edu |