Skip to content →

Research Data Management

Policy Contacts

Rachel Talentino, J.D.
Research Compliance Officer, OVPR

Many Harvard faculty, staff, scholars, and student members engage in research that involves the collection or use of identifiable, sensitive or private information. Federal law and Harvard policy provide specific guidance and requirements for protecting identifiable research information.  

The Harvard Research Data Security Policy (HRDSP):
The basic principle of this Policy is that more exacting security measures must be followed as the risk posed by a research project increases. The HRDSP is designed to apply in conjunction with the Harvard Enterprise Information Security Policy (HEISP) and reflects consistent requirements for the protection of Harvard confidential and sensitive research data. For the full policy and approval processes please see the HRDSP section on this page. 

Principal Investigator (PI) Responsibility:

Compliance with data protection and use requirements is the responsibility of the principal investigator. Each PI should review her/his data use agreements, grants and other contracts to see if any such requirements are included. Harvard personnel working under such an agreement, grant, or contract must, at a minimum, comply with those protection requirements, as well as any disposition obligations. In addition, it is the PI’s responsibility to ensure any necessary reviews occur, including Data Safety/Security ReviewsDUA Reviews, and Institutional Review Board Reviews, and other research-related reviews governed by the Negotiating and Signing Authority Policy.

The Research Administration Portal shows faculty and researchers their outstanding research administration and compliance activities, including reviews related to data management, and provides an overview of their portfolio. The application includes projects and protocols from Agreements-DUAData Safety/SecurityESTRGMAS, and OAIR.

General Data Protection Regulation (GDPR) Research Guidance:

GDPR, effective as of May 25, 2018, is a far-reaching regulation applicable to organizations with European Economic Area (“EEA”) based operations and certain non-EEA organizations that process the Personal Data of individuals in the EEA. For purposes of GDPR, Personal Data refers to any information that relates to an identified or identifiable natural person (i.e., an individual, not a company or other legal entity), otherwise known as a “data subject.” OVPR developed the GDPR Research Guidance to support Harvard researchers in their engagement with Personal Data and European collaborators.

Other Sensitive Research:
Harvard researchers often deal with sensitive information that does not relate to human subjects. Examples can include proprietary information, data that is subject to confidentiality requirements, and information with national security implications. Most of these types of information will be categorized as Level 3 information under the categories described in the Information Security Guidance. However, information with national security implications, certain foreign and/or medical data, generally will be categorized as Level 4 information. Researchers must submit any such projects in the Research Safety Application for Security Review by a local information security reviewer. 

Working with Vendors:
University policy requires that written contracts be in place with all vendors that store or process confidential information for the University. University policy also requires that such contracts include specific information regarding security protection requirements. See Section 6.1 of the HEISP for more information. 

Additional Resources for Data Management:

Data Ownership

What is essential: The University has the proper resources to secure and manage research data, as well as protect associated intellectual property rights, and therefore is the appropriate administrator of such data. Consequently, the rights, responsibilities, and principles that determine how research data should be handled ultimately belong to the University.

How to comply: The University developed the Research Data Ownership Policy​ to clarify rights related to research data, and help guide research and administrators through the relevant processes.

Why it’s important: Consistent with the University’s overarching goals of creation and dissemination of knowledge, it is important that research data be shared and distributed openly. That said, there may be legitimate and compelling reasons why data must be kept confidential; for instance, when its release would reveal proprietary ideas and techniques of researchers and their partners or when it includes personal information regarding individual research subjects. There are also circumstances when questions arise regarding the ownership of the data generated from research projects, with one party claiming full ownership and preventing its use by other collaborators. These disputes often result in complaints and lengthy investigations, or even litigation, with lasting negative effects on all participants. In the most deleterious cases, withholding of data has delayed students in completing their theses and receiving their degrees. The Research Data Ownership Policy provides an infrastructure aimed at preventing such outcomes, and instead emphasizes consistent and transparent handling of research materials.

Helpful Resources (Contact information and other links):
OVPR contact: Rachel Talentino
Retention of Research Data and Materials Guidance

Trainings: Harvard Research Data Security Training Course (University-Wide)

Data Use Agreements (DUAs)

What is essential: A Data Use Agreement (“DUA”) is a binding contract governing access to and treatment of nonpublic data provided by one party (a “Provider”) to another party (a “Recipient”). DUAs are often required by external parties before they permit data to be received by Harvard and may also be necessary for Harvard data to be disclosed to another organization. DUAs are considered research-related agreements and must be reviewed and signed by the Office for Sponsored Programs or the Longwood Area Offices for Research Administration (HMS/ HSPH) in accordance with the Delegation of Signing Authority.

How to Comply: The DUA Guidance and Policy ​elaborate on reviews and processes associated with DUAS, and provide step-by-step instructions for researchers on the procedures for submitting and managing DUA requests in the Agreement System.

Why it’s important: DUA terms and conditions vary depending on the laws and regulations governing the specific type of data to be shared, as well as the policies and/or requirements of the Provider and Recipient. Formal agreements in these cases help to avoid misunderstandings and disputes over the use and storage of data, appropriate access and security measures, and other important matters, including publication rights and ownership of results.

Helpful Resources (Contact information and other links):

Committee: Negotiations Policy Committee; Agreements System Workgroup

Trainings: Harvard Research Data Security Training Course (University-Wide)

Harvard Research Data Security Policy (HRDSP)

What is essential: Harvard University’s Enterprise Information Security Policy effectively addresses the need to protect confidential and sensitive information that is maintained in the various spheres of University administration. The research setting poses particular information security risks and challenges, including regulatory and contractual constraints that require additional policy provisions and protective measures. The HRDSP and Associated Guidance​ ​focuses on proper management and stewardship of research data, inclusive of human subjects research, data exchanged pursuant to a data use agreement (DUA), and other data subject to foreign, federal or state regulations, sponsor requirements or intellectual property protections.

How to comply:  To protect research data appropriately and effectively, the University’s researchers, Institutional Review Boards, Information Security Officers, Negotiating Offices and research administrators must understand and carry out their responsibilities related to data privacy and security. The HRDSP provides specific guidance for managing research data, and the relevant support systems, procedures and reviews that are associated with such data.

Why it’s important: The Harvard community creates and exchanges many types of data and materials while engaging in its research-driven mission to promote the free exchange of academic, scientific and other types of intellectual works. Federal, state and international laws and regulations, as well as University policies and best practices, impose obligations on the University, as well as its administrators and researchers, to protect the confidentiality, integrity and security of such data and information. The misuse of data could result in fines, and revocation of sponsored funds or access to data.

Helpful Resources (Contact information and other links):

OVPR contact: Rachel Talentino

Committee: Research Data Security Operations Committee, Data Safety Workgroup

Trainings: Harvard Research Data Security Training Course (University-Wide)

Research Records Retention

What is essential: At the direction of Provost Steve Hyman, a number of University stakeholders collaborated to outline a set of basic principles to guide the retention and maintenance of research records by Harvard faculty and staff. In June 2011, outgoing Provost Steve Hyman and incoming Provost Alan Garber adopted these Principles, expounding that Harvard researchers and staff should have systems or practices for maintaining the essential Research Records that they create in order to support research findings, justify the uses of research funds and resources, and protect any resulting intellectual property. In determining which records are essential, Harvard researchers and staff should use prudence and reasoned judgment and may seek to refer to the prevailing standards in their relevant academic or professional disciplines. In general, researchers and staff should keep those records that will document research findings and justify the uses of research funds and other resources.

How to comply: Stakeholders developed the Retention and Maintenance of Research Records and Data Frequently Asked Questions (“FAQs”), organized by Principle.  The FAQs establish the minimum University requirements for research records and data retention.

Why it’s important: Systems and procedures for maintaining essential Research Records are necessary to protect researchers, students, trainees and the University by ensuring accountability in sponsored research projects and research integrity in all research conducted at, or under the auspices of, the University. Researchers have certain obligations to record, maintain and retain research records, and to make those records available for grant monitoring and auditing purposes, as well as to enable investigators and the institution to respond to questions of research integrity and stewardship. See, e.g., 2 CFR 200, 42 CFR 93.106(b). The University and its researchers are accountable for ensuring the integrity of, and access to, research data and materials and documents, materials and information that relate to the administration and financial management of research, reporting of research results, sponsored award applications, and human research records. This responsibility continues even after researchers who originally collected those data and materials have left the University.

Helpful Resources (Contact information and other links):

OVPR contact: Rachel Talentino 
Research Data Management Website
Research Integrity and Responsible Conduct of Research (RCR) guidance
Guiding Principles for Communication in Research Misconduct Proceedings

Committee: Each School must appoint a representative responsible for research records and data retention issues, consider discipline-specific issues and provide further guidance beyond these minimal requirements, consistent with best practices of the disciplines contained within that School. The Provost’s Office is charged with assuring that each School appoints such a representative and develops discipline-specific additional guidance for each School that will be consistent with the Principles and this guidance. Once a year, all School representatives, the Provost’s Office and the consultative group described above will meet to discuss outstanding issues and best practices that can be shared across all Schools.

Published in Uncategorized