Drug, Device and Technology Guidance

Data Security Risk Assessment and Data Transfer Agreement

A Data Security Risk Assessment by UCSF IT Security & Policy AND Data Transfer Agreement by the Office of Sponsored Research (OSR -- Industry Contracts Division) must be completed if your study involves: the collection, transmission, or storage of information when that data will be shared with or be accessible to any non-UCSF entity (e.g., pharmaceutical companies, UCSF Affiliated Institutions) or individual. This includes the use of third-party or vendor-hosted applications. UCSF or department-hosted applications may also need to be assessed in accordance with UCOP Policy IS-3 Electronic Information Security, particularly if they are new applications or have never been reviewed by UCSF IT Security & Policy.

• Third-party or vendor-hosted applications include cloud-hosted applications and applications hosted by collaborating institutions
• UCSF or department-hosted applications include any application managed by UCSF or developed by the department

These requirements apply for both identifiable and de-identified data for funded and unfunded research. Questions about these policies must be directed to UCSF IT and OSR, not to the IRB. 

• To determine if a Data Security Risk Assessment is required, contact the intake team at [email protected]. More information about the assessment process is available at https://it.ucsf.edu/service/it-security-risk-assessment
• For information about Data Sharing Reviews: Visit https://data.ucsf.edu/data-sharing or email [email protected]
• For information about establishing contracts for data sharing engagements: Visit https://icd.ucsf.edu/material-transfer-and-data-agreements or email [email protected]