The researcher managing the overarching project is responsible for assessing the sensitivity of the data throughout the project's lifecycle. This includes being aware of associated internal and external requirements and limitations that may apply to the management of the data, either per Harvard policy, IRB documentation, contractual obligations, or regulatory mandate. If the research team has any questions pertaining to the applicable DSL, they should speak to their local Information Security Officer. If at any point during the project’s period of performance the data is determined to be Sensitive Research Data, the research team must immediately submit a request for security review in the Data Safety Application.
Harvard researchers frequently deal with sensitive information that relates to human subjects and other research areas. Examples can include proprietary information, personally identifiable information, and data that is subject to confidentiality requirements or domestic regulations. Most of these types of information will be categorized as DSL 3. However, certain personally identifiable data that could directly impact individuals’ safety or financial standing, as well as certain regulated data (e.g. GDPR, CMMC, NIST 800-171), information with national security or export control implications, and medical information, is usually categorized as DSL 4 data. Harvard researchers must submit any such projects for Security Review by a local information security reviewer in the Data Safety Application.