A data risk assessment (DRA) is a review of whether a proposed transfer of “High Risk” data is consistent with Stanford’s Minimum Security Standards (minsec.stanford.edu) and Minimum Privacy Standards (minpriv.stanford.edu), conducted by the Information Security Office (ISO) and University Privacy Office (UPO).
The deliverable of a DRA is a written determination by ISO and UPO that the use and transfer of data results in Low, Moderate or High risk to the university, and (in some circumstances) suggestions on specific controls that may mitigate risk.
When should you submit a DRA request?
- Stanford researchers and other teams should submit a DRA request before sending or receiving “High Risk” data (as defined under Stanford’s Risk Classifications) to or from a third party.
- If the "non-Stanford partner" sending or receiving the High Risk data has no direct relationship with Stanford but does have a contractual agreement with the sponsor or Chief Risk Officer (CRO) to provide the services — e.g., use of electronic data capture (EDC), electronic case report forms (CRFs), or electronic diaries — a DRA review of that non-Stanford partner is typically not required. In that case the sponsor/CRO assumes responsibility for managing the privacy and security risks associated with that third-party relationship.
Tip: If you’re not sure whether you should submit a DRA request, we recommend completing our DRA Pre-Screening Form, which should take only 1 to 2 minutes. As soon as you click “Submit,” you will be told whether or not you need a DRA, based on the information you provided in the form.