Protecting Data at HBS

Data Classification Levels ("DCL")

To ensure a common understanding, Harvard uses a 5-step scale for data sensitivity. The higher the number, the more sensitive the data is, and the stronger protections you need to take when accessing and storing it. Not following these steps could be seen as negligence in the eyes of not only our customers, but in the view of numerous regulations and laws.

Harvard's Classification follow this progression:

  • DSL 1: Publicly available and unrestricted data.

    • Non-sensitive information that is intentionally made available to the public and can be used, reused, or redistributed without restriction.

  • DSL 2: Business Sensitive or unpublished data.

    • Non-sensitive confidential information that may be shared internally within the Harvard community, or within a school, unit or specific department

  • DSL 3: Confidential Information. Data:

    • Sensitive information that must be safeguarded as confidential and shared only with individuals with a need to know.

      • Most university data falls into this broad classification

      • This includes personal information, whether it can be used directly or indirectly to identify individuals.

  • DSL 4: High Risk Confidential Information.

    • Sensitive "Restricted Personal Information", credentials, security secrets, or contractually restricted data.

  • DSL 5: Information which could be life threatening or which must be safeguarded in accordance with federal requirements

Data Classification Examples

Harvard maintains this page for Data Classification documents with examples of how to consider your data.

Where can you store data?

Once you have determined the DCL of the data, you can determine where it is appropriate to store that data.

Level 1 Only

  • Personal Email Accounts

  • Personal Slack or Discord accounts

  • Personal Dropbox, Google, OneDrive or other cloud accounts

Up to Level 2

Up to Level 3.

Up to Level 4