GDPR & Other Data Privacy Laws

In the past few years, many countries and states have enacted laws to protect individuals' privacy. These laws cover any information that may be obtained when someone participates in or interacts with a Harvard system, including email addresses, IP addresses, and similar identifiers.

The most notable is the European Union's General Data Protection Regulation (GDPR), but other countries and states are adopting similar laws.

From Harvard's GDPR Resource Website: The General Data Protection Regulation (GDPR) requires security measures for processing data relating to an identified or identifiable individual located in the European Union, Iceland, Liechtenstein or Norway (GDPR Processing). Harvard units or programs must comply with the GDPR when conducting GDPR Processing. The GDPR requires that security measures be appropriate in light of the potential risks to the affected individuals, taking into account the scope and purposes of such processing and the nature of the data. The GDPR identifies the following categories of data as meriting special protection: identifiable personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or containing genetic, biometric or health data or data concerning sex life or sexual orientation, and criminal convictions and offenses. Identifiable genetic, biometric and health data are Level 4 data, to be handled accordingly. The other types of GDPR sensitive data listed above should be treated as Level 3 data when subjected to GDPR Processing, except when the data has been made public or otherwise widely shared by the relevant individual. Any GDPR Processing of such sensitive data should comply with the GDPR’s Articles 9 and 10.

Examples: Information a French applicant for admissions shares confidentially in their admissions essay about their religion should be treated as Level 3 data. Information about an individual’s political beliefs the individual shares widely in a blog post online would not require special protections.

What does this mean?

Any collection of information about individuals located in the EU, Iceland, Liechtenstein or Norway is GDPR Processing, and the GDPR treats it as personal data that must be protected with security measures appropriate to the risk to those individuals. Note that this turns on where the individual is located, not on their nationality. Where the collection includes the special categories listed above (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, or criminal convictions and offenses), it must be treated as Level 3 data, unless the individual has already made that information public; identifiable genetic, biometric and health data must be treated as Level 4 data.