Data Storage and Ownership

Does the collection of data include human subjects data? 

  • If the data involves human subjects, see the section on IRB approval, above, and bring it to the attention of the IRB at the time of application.
  • Work with OSP/SPA to ensure appropriate data use terms are inserted into the subaward or negotiated in a separate Data Use Agreement (DUA):
  • If you are receiving data under a DUA, also consult with the IRB to determine the data security level.
  • Work with appropriate school IT security officer to ensure that the data is stored in accordance with any data security requirements:

Do you know what data security level your project belongs to and the according responsibilities? 

How can you protect the security of your devices and the data on your devices? 

  • The security of devices and in particular, the data on those devices, should be considered in any international project. The risks can take many different forms from surveillance and theft to malware and hacks. The degrees of privacy and security can vary greatly from one country to the next.
  • To protect your information and devices—especially if you’ll be conducting research—it’s important that you develop a data security plan that both serves your project’s needs and adheres to the import and export controls and local laws of the host country. HUIT and GSS can support in developing an appropriate data security plan and further information can be found here:
  • You may find it helpful to review the joint HUIT and GSS International Data Security Guide for Travelers and the general HUIT Advisory Resources. Many of the tips and recommendations for travelers are applicable while conducting an international project. See
  • If secure network access is available, always connect to Harvard’s network via VPN. And if a secure network is not available, consider using an “empty” machine to collect the data. Consider using an iron key (provided by HUIT) or an encrypted external hard drive to store documents. Access to a SharePoint site of cloud service may also be accessible. If your project involves working with human subject data, contact your School’s Institutional Review Board (IRB) for approval. They may be able to connect you with a foreign IRB that can help you navigate the host country’s privacy and data protection regulations. The foreign IRB may also need to approve your research.
  • And if you’re working with sensitive or confidential information, refer to the Research Data Security & Management Guidance from the Office of the Vice Provost for Research. See
  • Cyberattacks and cyber monitoring are becoming more prolific and sophisticated. Be aware of and comply with visa, customs, and security rules to minimize the chances that you or your devices will be easy targets or selected for scrutiny.
  • If you’re taking a group of students, faculty, or staff overseas and you’re concerned about IT security, GSS and HUIT and coordinate an IT security overview for your group, conducted by your local IT group or HUIT. Contact GSS as soon as possible and at least a month before your travel.
  • If you believe you’re an especially high-risk traveler due to the nature of your work or your destination, contact GSSfor a personalized IT security plan in consultation with your local IT group or HUIT.