1.0 High Risk Confidential Information (HRCI)

Harvard Enterprise Security Policy:

Policy Excerpt
Certain categories of information are classified as high risk, either because the exposure of this information can cause harm or because the information is specifically protected under law or under contract. Extra care must be taken to protect high-risk confidential information in both electronic and paper form.

High-Risk Confidential Information includes a person's name in conjunction with the person's Social Security, credit or debit card, individual financial account, driver's license, state ID, or passport number, or a name in conjunction with biometric information about the named individual. High-risk confidential information also includes human subject information (see  Section 1.2) and personally identifiable medical information (see Section 1.3).

HLS Policy:

The HLS also includes HUID as a high risk data element.

Approved Solution:

HRCI may be stored on protected servers or secure shared file systems, also know as ‘shares’.

HRCI must not be emailed. The exception to this policy is when emailing an individual’s name and HUID to HR or ITS. In these cases there should never be more than two names and HUIDs in the same email.

All physical copies of HRCI must be disposed of securely (See section 9.1).

ITS will ensure the secure disposal of all electronic media contact. Please contact the helpdesk for additional information.

Individual departments with HRCI on paper for proper destruction must use the Harvard preferred vendor listed in Section 9.1.

Frequently Asked Questions:

Q: Is it ok to email my name and HUID to HR, ITS or my manager?
A: Yes, individuals can email their HUID in combination with their name to departments such as HR, ITS or their managers.