
OneTrust — a new tool to request, track, and automate data risk assessments (DRAs) at Stanford — is now available as a beta test version. To learn more about and launch OneTrust, visit the DRAs in OneTrust webpage.

Overview

A data risk assessment (DRA) is a review of whether a proposed transfer of “High Risk” data is consistent with Stanford’s Minimum Security Standards (minsec.stanford.edu) and Minimum Privacy Standards (minpriv.stanford.edu), conducted by the Information Security Office (ISO) and University Privacy Office (UPO).

The deliverable of a DRA is a written determination by ISO and UPO that the use and transfer of data results in Low, Moderate or High risk to the university, and (in some circumstances) suggestions on specific controls that may mitigate risk.

When should you submit a DRA request?

  • Stanford researchers and other teams should submit a DRA request before sending or receiving “High Risk” data (as defined under Stanford’s Risk Classifications) to or from a third party.
  • If the "non-Stanford partner" sending or receiving the High Risk data has no direct relationship with Stanford but does have a contractual agreement with the sponsor or Chief Risk Officer (CRO) to provide the services — e.g., use of electronic data capture (EDC), electronic case report forms (CRFs), or electronic diaries — a DRA review of that non-Stanford partner is typically not required. The sponsor/CRO assumes the responsibilities for managing the privacy and security risks associated with that third party relationship.

Tip: If you’re not clear on whether you should submit a DRA request, we recommend completing our DRA Pre-Screening Form, which should only take 1 to 2 minutes. As soon as you click “Submit,” you will immediately be told whether or not you need a DRA (based on the information you provided in the form).

Previously vetted vendors

The DRA process is quicker when working with previously vetted vendors (see table below). Please note that a DRA submission is still required even when working with previously vetted vendors.

Although services listed on the Approved Services list do not require a DRA, a consultation with ISO and UPO is required to ensure compliance with data protection and privacy regulations before using them.

This table displays previously vetted vendors that have established Business Associate Agreements (BAAs) with the university to satisfy HIPAA regulations.

Vendor                                 | Description                                                                                      | BAA
---------------------------------------|--------------------------------------------------------------------------------------------------|------------------------------------------------------------
GRAND ROUNDS HEALTH                    | Guidance in healthcare                                                                           | BAA (Business Associate Agreement) satisfies HIPAA regulations.
IMBIO                                  | Artificial intelligence image analysis for acute and chronic pulmonary and cardiothoracic conditions | BAA (Business Associate Agreement) satisfies HIPAA regulations.
KINDUCT TECHNOLOGIES                   | Wellness and fitness services                                                                    | BAA (Business Associate Agreement) satisfies HIPAA regulations.
KITMAN LABS                            | Sports analytics and performance solutions                                                       | BAA (Business Associate Agreement) satisfies HIPAA regulations.
RADANCY                                | Talent management and solutions                                                                  | BAA (Business Associate Agreement) satisfies HIPAA regulations.
REDOX                                  | Healthcare software solutions                                                                    | BAA (Business Associate Agreement) satisfies HIPAA regulations.
RUFFALO NOEL LEVITZ                    | Higher education solutions and services                                                          | BAA (Business Associate Agreement) satisfies HIPAA regulations.
SALESFORCE                             | Customer relationship management software                                                        | BAA (Business Associate Agreement) satisfies HIPAA regulations.
TRANSCRIBEME                           | Transcription software and services                                                              | BAA (Business Associate Agreement) satisfies HIPAA regulations.
YUZU LABS PUBLIC BENEFIT CORPORATION   | Computer software development                                                                    | BAA (Business Associate Agreement) satisfies HIPAA regulations.

What's the process?

The process to conduct a DRA typically takes four to six weeks — starting from the time the DRA intake form and all supporting documents are submitted.

Importantly, ISO and UPO generally cannot begin a DRA (and certainly cannot complete it) until the data owner provides all supporting documents, including answers to technical and security questions from any third party recipient of Stanford data.

Tip: Speed up the process by working with previously vetted vendors. Refer to the table in the section above.

How to submit a DRA request

If you know your project requires a DRA (either based on the results of the Pre-Screening Form or on your own knowledge and experience), please complete a DRA Intake Form on Stanford REDCap.


In the DRA Intake Form, you’ll be asked questions related to Stanford’s Minimum Security Standards (minsec.stanford.edu) and Minimum Privacy Standards (minpriv.stanford.edu). Among other things, you should be prepared to provide information about:

  • All the data elements to be sent or received by Stanford
  • The number of individuals in your dataset
  • The purposes of the data use and transfer
  • Your IRB protocol
  • Approvals you’ve received from the Privacy & Compliance for Stanford Health Care / Stanford Children’s Health, for any hospital data
  • All third parties that may send or receive the data, including any contracts with them (e.g., vendor or collaboration agreement)
  • Security and technical controls in any third party environment. (Typically, you will need to ask the third party to provide this information; you can conveniently send them a link to the security section of the DRA Intake Form.)

Although the ISO and UPO frequently coordinate with other offices (e.g., RCO, RMG, OSR, Hospital Privacy, etc.), it is ultimately the responsibility of the person submitting the DRA (as the Stanford data owner) to provide the relevant information for review.

After you submit

Assigned to ISO/UPO representatives

After you submit a completed DRA Intake Form (including supporting documentation), your request will be assigned to one representative from ISO and one from UPO, who will be your single points of contact for the DRA going forward.

Follow-up with representatives

Your ISO and UPO representatives will follow up with you directly to discuss the project and request any additional information.

Emailed DRA report

Once review is complete, you will receive an email report that states whether your proposed data use and transfer results in Low, Moderate or High risk to Stanford. In some circumstances, the report will include suggestions on specific controls that may mitigate risk.

Additional help

Questions about the process

If you have any questions about the DRA Intake Form or submission process, please contact us at dra_review@lists.stanford.edu. After your DRA is submitted, you should contact your assigned ISO and UPO representatives directly.

Request a consultation

In contrast to a DRA, ISO and UPO offer consultations to Stanford research, contracting, or other teams seeking guidance on specific security or privacy questions. A consultation may be written or unwritten, formal or informal advice that resolves a particular issue. You can request either a security consultation or a privacy consultation.

DRA Office Hours

All DRA questions are welcome! Office hours are held every Wednesday, 11 a.m. to 12 p.m. PT (except for holidays).