The Identity & Access Management program at Harvard maintains a database (the University ID database, or IDdB) that contains directory and status information about members of the Harvard Community. This directory information includes personally identifiable information (PII) such as names, job titles, email and postal addresses, telephone numbers, date of birth, and other similar items. The status information includes University roles — such as student, faculty, staff, alumnus/a, etc. — as well as the dates that the roles are active. A subset of this information is available to the public via the Harvard Web Directory. See here for a list of information we maintain.
Harvard students or former Harvard students can request that information about them be omitted from the public directory under the Family Educational Rights and Privacy Act (FERPA). Learn more about "FERPA blocks" here. Within constraints, other members of the Harvard community can also control what information about them is included in the public directory. See here for more information.
The Harvard IAM program also provides services that can be used by applications for authentication and to access directory information about individual users. These services include HarvardKey, a Central Authentication Service (CAS) server, and a Shibboleth identity provider (IdP), as well as directory servers. These services provide information about the user being authenticated to the applications as part of the authentication process.
Applications directly operated by University IT groups are considered to be official University functions, and therefore have general access to PII from the University ID database — although this access is configured to limit each application to the information that it actually needs. Applications operated by vendors with which the University has contracts are considered to be agents of the University, and operate under the same general rules as do Harvard-run applications.
PII provided to applications that are not operated by University IT groups or by vendors under contract is tightly controlled on a per-application basis. See here for a list of external applications using Harvard IAM authentication services that have been configured to receive personally identifiable information.