Due to the university's winter closure, DRA requests submitted after Dec. 1, 2024, will be reviewed once regular operations resume starting Jan. 6, 2025.
As the volume of Stanford data continues to grow exponentially, so do the risks associated with storage, processing, and management. To safeguard sensitive information, the University Privacy Office (UPO) and Information Security Office (ISO) conduct data risk assessments (DRAs).
A DRA is a review of whether a proposed transfer of Moderate or High Risk data to a non-Stanford entity is consistent with Stanford’s Minimum Security Standards and Minimum Privacy Standards. Before sending or receiving Moderate or High Risk data to or from a non-Stanford partner, you must submit a DRA to evaluate the extent of risk to the university. OneTrust is a tool to request, track, collaborate on, and automate DRAs at Stanford.
In the revised automated DRA submission form, you’ll be asked questions related to Stanford’s Minimum Security Standards (minsec.stanford.edu) and Minimum Privacy Standards (minpriv.stanford.edu). If you have all of the necessary details, it will take less than 45 minutes to complete the form.
Please be prepared to provide the following details in responding to the questions:
Note: For China-based studies, please reach out to the DRA team at dra_review@lists.stanford.edu for alternative means to complete the DRA process.
OneTrust optimizes Stanford’s DRA system, process, and user experience with many key features, including:
As you use OneTrust to walk through the DRA form and process, we invite you to share your experience to help us continually improve the system.
*If working with a vendor, the system will notify the vendor to complete a separate assessment. External or non-Stanford entities that are not vendors should have a data use agreement (DUA) with the university and are not sent a separate assessment in OneTrust.
For the majority of DRA submissions, the automated report is generated immediately after submitting the assessment. Please note that the Notice of Completion after completing the DRA review is not an approval of your project. You will still need to secure approval from the Institutional Review Board (IRB), or any other body that is authorized to approve your project.
Follow the Risk Mitigation instructions to complete steps 3 and 4 in the process.
TIPS:
Some questions will require documentation before submitting the form. However, if you have additional documentation to add after submitting the form or to view current attachments, follow these steps:
After the requester completes their assessment, the vendor is notified to complete a separate assessment in OneTrust. Non-Stanford entities that are not vendors should have a data use agreement (DUA) with the university and are not sent a separate assessment in OneTrust.
Follow the Risk Mitigation instructions for step-by-step guidance on completing the process in OneTrust.