Device and Technology Guidance

Research Involving


Data Sharing

Data Security Risk Assessment and Data Transfer Agreement

A Data Security Risk Assessment by UCSF IT Security & Policy AND a Data Transfer Agreement by the Office of Sponsored Research (OSR -- Industry Contracts Division) must be completed if your study involves the collection, transmission, or storage of information that will be shared with, or be accessible to, any non-UCSF entity (e.g., pharmaceutical companies, UCSF Affiliated Institutions) or individual. This includes the use of third-party or vendor-hosted applications. UCSF or department-hosted applications may also need to be assessed in accordance with UCOP Policy IS-3 Electronic Information Security, particularly if they are new applications or have never been reviewed by UCSF IT Security & Policy.

  • Third-party or vendor-hosted applications include cloud-hosted applications and applications hosted by collaborating institutions
  • UCSF or department-hosted applications include any application managed by UCSF or developed by the department

These requirements apply to both identifiable and de-identified data, for funded and unfunded research. Questions about these policies must be directed to UCSF IT and OSR, not to the IRB.

Last updated: September 27, 2023