Data Risk Assessment
What is a Data Risk Assessment (DRA)?
A DRA is a review of whether a proposed transfer of “High Risk” data is consistent with Stanford’s Minimum Security Standards (minsec.stanford.edu) and Minimum Privacy Standards (minpriv.stanford.edu), conducted by the Information Security Office (ISO) and University Privacy Office (UPO). The deliverable of a DRA is a written determination by ISO and UPO that the use and transfer of data results in Low, Medium or High risk to the University, and (in some circumstances) suggestions on specific controls that may mitigate risk.
When should a DRA be submitted?
Stanford researchers and other teams should submit a DRA request before sending or receiving “High Risk” data (as defined under Stanford’s Risk Classifications, https://uit.stanford.edu/guide/riskclassifications) to or from a third party.
If you’re not clear on whether you should submit a DRA request, we recommend completing our “DRA Pre-Screening Form” dra-prescreen.stanford.edu – which should only take 1-2 minutes. As soon as you click “Submit,” you will immediately be told if you do or don’t need a DRA (based on the information you provided in the form).
Additionally, if the third party sending or receiving the high-risk data has no direct relationship with Stanford but does have a contractual agreement with the sponsor or CRO to provide the services (e.g., use of electronic data capture (EDC), electronic case report forms (CRFs), or electronic diaries), a DRA review of that third party is typically not required since the sponsor/CRO assumes the responsibilities for managing the privacy and security risks associated with that third party relationship.
How do I submit a DRA request?
If you know your project requires a DRA (either based on the results of the Pre-Screening Form, your own knowledge and experience), then please complete a DRA Intake Form on Stanford REDCap.
What information will I need to provide with my DRA request?
In the DRA Intake Form, you’ll be asked questions related to Stanford’s Minimum Security Standards (minsec.stanford.edu) and Minimum Privacy Standards (minpriv.stanford.edu). Among other things, you should be prepared to provide information about:
- all the data elements to be sent or received by Stanford
- the number of individuals in your dataset
- the purposes of the data use and transfer
- your IRB protocol
- approvals you’ve received from the Privacy & Compliance for Stanford Health Care / Stanford Children’s Health, for any Hospital data
- all third parties that may send or receive the data, including any contracts with them (e.g., vendor or collaboration agreement)
- security and technical controls at any third party environment. (Typically, you will need to ask the third party to provide this information – and you can conveniently send them a link to the security section of the DRA Intake Form.)
Although the ISO and UPO frequently coordinate with other offices (e.g., RCO, RMG, OSR, Hospital Privacy, etc.), it is ultimately the responsibility of the person submitting the DRA (as the Stanford data owner) to provide the relevant information for review.
What happens after I submit my DRA request?
After you submit a completed DRA Intake Form (including supporting documentation), your request will be assigned to a representative in each of ISO and UPO, who will be your single points of contact for the DRA going forward. They will follow up with you directly to discuss the project, and request any additional information. Once their review is complete, they will send you an email report, stating whether your proposed data use and transfer results in Low, Medium or High risk to Stanford, and (in some circumstances) suggestions on specific controls that may mitigate risk.
How long does the DRA process take?
We typically need about two to four weeks to conduct a DRA, starting from the time that a complete DRA Intake Form and all supporting documents are submitted. Importantly, ISO and UPO generally cannot begin a DRA (and certainly cannot complete it) until the data owner provides all supporting documents – including answers to technical and security questions from any third party recipient of Stanford data.
Who can I contact with DRA questions?
If you have any questions about the DRA Intake Form or submission process, please contact us at firstname.lastname@example.org. After your DRA is submitted, you should contact your assigned ISO and UPO representatives directly.
If I don’t need a DRA but still want privacy or security guidance, can I request a consultation for informal advice?
Yes, we welcome your questions! In contrast to a DRA, a security or privacy consultation is where ISO and/or UPO supports a Stanford research, contracting or other team that desires guidance on a specific question or concern. For example, a contracting team may ask if the collection and transfer of data from the EU to the US raises privacy regulatory concerns. Or a research team may ask if Stanford may agree to non-standard security requirements in a research collaboration agreement. The deliverable of a consultation may be written or unwritten, formal or informal, advice that resolves a particular issue.
Requests for security consultation may be submitted at http://security-consultation.stanford.edu/
Requests for privacy consultation may be submitted at https://privacyrequest.stanford.edu/.