Device and Technology Guidance

Research Involving

Data Sharing

Data Security Risk Assessment and Data Transfer Agreement

A Data Security Risk Assessment by UCSF IT Security & Policy AND Data Transfer Agreement by the Office of Sponsored Research (OSR -- Industry Contracts Division) must be completed if your study involves: the collection, transmission, or storage of information when that data will be shared with or be accessible to any non-UCSF entity (e.g., pharmaceutical companies, UCSF Affiliated Institutions) or individual. This includes the use of third-party or vendor-hosted applications. UCSF or department-hosted applications may also need to be assessed in accordance with UCOP Policy IS-3 Electronic Information Security, particularly if they are new applications or have never been reviewed by UCSF IT Security & Policy.

  • Third-party or vendor-hosted applications include cloud-hosted applications and applications hosted by collaborating institutions
  • UCSF or department-hosted applications include any application managed by UCSF or developed by the department

These requirements apply for both identifiable and de-identified data for funded and unfunded research. Questions about these policies must be directed to UCSF IT and OSR, not to the IRB. 


UCSF Versa – a UCSF IT-supported Artificial Intelligence (AI) ecosystem that connects AI tools with UCSF data and systems. 

For initial applications:

  • If the investigator expects to analyze data on the Versa platform, we’d like to know, but just so we have an idea of how widespread the use is. 
  • Not applicable to new aims

Already Approved Protocols Now Using Versa Platform:

  • There is no need to submit a modification if the study is approved to collect and analyze Electronic Health Record (EHR) or Personally Identifiable 


Last updated: February 5, 2024