Data sharing engagements are escalated for review by the IT Governance Committee on Enterprise Information & Analytics if any of the below criteria are met. Please note that engagements that involve sharing data with third parties for clinical treatment, payment, or operational purposes should be reviewed by UCSF Health Leadership and are not subject to the below criteria.

1. Sharing any UC Protected Health Information (PHI) or Research Health Information (RHI) outside of an IRB-approved research study or clinical trial*.
2. Sharing sensitive and/or restricted UCSF data (i.e., P3 and P4) with:
   1. Any commercial entity, domestic or international. Commercial entities who will provide data hosting or analysis services only are exempt.
   2. Any entity determined to be high-risk using the Visual Compliance software or information from government or law enforcement authorities. 
   3. Any individuals or entities located in countries determined to be high-risk** (i.e., including and not limited to countries on the OFAC sanctioned countries list). 
3. Granting direct access to any third parties to UCSF or UC Enterprise P3 or P4 data sources (i.e., the UCSF APeX Clarity, APeX Clinical Data Warehouse/Cogito, or De-identified Clinical Data Warehouse databases).

*Applicable to research studies and clinical trials where study participants have explicitly consented to the planned data sharing.

**Determination to be made by the UCSF Export Control and contracting offices in accordance with the International Data Sharing Standard Operating Procedure and UC and UCSF policies.