University-Wide Privacy Principles

Harvard strives to be a trustworthy steward of personal information. Our Privacy Principles establish a Harvard-wide framework for considering and applying a privacy-protective mindset to the work that we do at the University.

The strategy behind these Principles is threefold: 1) promote a culture that values privacy, 2) create a foundation for operationalizing privacy at Harvard, and 3) satisfy existing and anticipated regulatory compliance obligations. 

The collection, use, and disclosure of personal information are essential to Harvard’s operations and its teaching and research mission. At the same time while doing this critical work, we need to consider privacy protections. That’s where these Principles come into play. The Privacy Principles are best practices for handling personal information during the course of our work activities. These best practices should be applied using a risk-based approach, taking into account the sensitivity of the data and the potential for harm. For help assessing data sensitivity, refer to the Risk Classification Table, which outlines common types of data and their associated risk levels. 

This Companion Guide is intended to provide additional context and specificity to assist us in the application of the Principles. Privacy concerns should always be weighed against other University requirements and goals. 

We recognize that not all of the Privacy Principles can be achieved in all situations. For example, we regularly use and share personal information in connection with our work at the University, often informally and in non-systematic ways. A teaching fellow may communicate information about a student to a faculty member, or administrators may exchange emails about an employee. By contrast, an information system used for administration at the University may generate, store, and make accessible a large data set containing information about a large number of persons—and indeed academic researchers at Harvard may obtain access to large data sets of personal information. While the Privacy Principles can inform the use of personal information at both small (one-off communications) and large (system-generated data sets) scales, the Principles should be applied flexibly, depending on the form and context of the information at issue.

Finally, neither the Privacy Principles, nor this Companion Guide, create any contractual or other legal obligation on Harvard’s part, or any contractual or other legal right or expectation in or for any individual person. 
 

Do the Principles apply to all forms of personal information (or just electronic)? The Privacy Principles apply to all forms of personal information collected, stored, and processed by Harvard, including in paper or electronic form. 

Do the Principles apply to all types of personal information? Yes, however, some categories of information—such as health or financial information, religious affiliation, or sexual orientation—are more sensitive than others and may cause greater harm if improperly secured or disclosed. As the risk level rises, it becomes increasingly important to implement these principles more rigorously and, when appropriate, incorporate additional privacy protections such as a Data Protection Impact Assessment (DPIA). When personal information is especially sensitive or processed at a larger scale, additional privacy requirements may apply to ensure the data is handled appropriately. Harvard’s Risk Classifications and privacy tools reflect these considerations.  Contact ISDP or your School Privacy and Security Officer for assistance with making these determinations regarding risk and requirements. 

How do the Principles relate to existing Harvard policies? The Privacy Principles are not policy but instead a set of principles to consider and apply in appropriate circumstances weighing privacy against other institutional goals. 

The Privacy Principles do reflect and are consistent with the conceptual underpinnings of several existing Harvard policies, including: 

• Policy on Access to Electronic Information 
• Policy on Installation and Use of Video Cameras 
• IT Professional Code of Conduct to Protect Electronic Information

The overarching goal is to infuse privacy considerations into all that we do at Harvard. The Principles are therefore intentionally general and succinct. When you are considering the collection, use, or disclosure of personal information, we ask that you think about the Principles in their totality, considering their purpose and spirit, and then apply your best judgment. If you are uncertain or have questions, contact the Information Security and Data Privacy (ISDP) team for advice.

• If you are establishing new business operations, research activities, technologies, or other processes involving personal information, consider whether you can incorporate the relevant principles into your system design (i.e., “Privacy by Design”). When we consider privacy from the earliest stages and throughout the data life cycle (i.e., collection, use, retention, processing, disclosure, and destruction), we are best positioned to implement privacy protections.
• If you aim to introduce privacy protections to existing business operations, research activities, technologies or other processes involving personal information, review your data practices for alignment with the Principles. Where the practices do not align with the relevant Principles, and where practical, adjust your practices to bring them into alignment.
• In all cases, it is a best practice to consider the principle of data minimization, as this is highly effective in reducing risks associated with privacy incidents.