The terms “privacy” and “confidentiality” are often used interchangeably when discussing security controls. In System and Organization Controls (“SOC 2”) reporting for service organizations, however, privacy and confidentiality differ in both purpose and function, and the difference matters when scoping an examination.
Privacy and confidentiality are just two of the five categories in the Trust Services Criteria that can be used to evaluate and report on controls in a SOC 2 examination. The other three categories are security, availability, and processing integrity. Because privacy and confidentiality are so often assumed to mean the same thing, let’s break down how they differ.
- Privacy – Refers to personal information, which the Generally Accepted Privacy Principles (GAPP) address, and to whether that information is collected, used, retained, disclosed and disposed of in accordance with the entity’s objectives and its commitments to the individuals the information describes.
- Confidentiality – Refers to information that the entity or its customers have designated as confidential. This can include legal documents, business data and plans, transaction histories, and most anything else that is not public. Confidentiality controls ensure that such data is protected from disclosure to third parties without proper authorization.
How Privacy and Confidentiality Differ
The Short Answer: When a company commits to protecting privacy, the commitment concerns personal information (personally identifiable information, or “PII”) and the rights of the individuals it describes, such as notice, choice and access. When a company commits to confidentiality, it protects information that has been designated confidential, which is typically business information rather than information about individuals.
Data maintained or exchanged among parties that is not personal in nature falls under confidentiality. Most data that is not public is treated as confidential, and the designation usually comes from a contract, a data classification policy, or a customer commitment. Confidentiality is typically enforced through non-disclosure agreements together with the security policies and practices (access control, encryption, retention and destruction procedures) intended to keep such data from third parties.
The SOC 2 privacy criteria address the elements of GAPP mentioned above; the 2017 Trust Services Criteria restate these principles as privacy criteria P1 through P8. GAPP consists of the ten privacy principles listed below:
- Management – The entity defines, documents, communicates and assigns accountability for its privacy policies and procedures.
- Notice – The entity provides notice about its privacy policies and procedures and identifies the purpose for which personal information is collected, used, retained and disclosed.
- Choice and Consent – The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.
- Collection – The entity collects personal information only for the purposes identified in the notice.
- Use, Retention, and Disposal – The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
- Access – The entity provides individuals with access to their personal information for review and update.
- Disclosure to Third Parties – The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
- Security for Privacy – The entity protects personal information against unauthorized access (both physical and logical).
- Quality – The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.
- Monitoring and Enforcement – The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
Privacy and SOC 2 Compliance
Why is a SOC 2 audit needed and when is it required?
Service organizations seek to gain the trust of their customers, and customers often demand SOC compliance from their vendors. A SOC 2 report helps a service organization compete by giving customers confidence that its services and processes are reliable, secure and transparent, as attested through regular examination by an independent third party. A SOC 2 examination always covers the security criteria of the Trust Services Criteria. When applicable, the availability, confidentiality, processing integrity or privacy criteria may also be included in scope. An entity may include any applicable category voluntarily, or a customer agreement may require it.
A business that creates, collects, stores, transmits, or processes PII gives customers assurance through an independent SOC 2 examination that includes the privacy criteria. Similarly, the confidentiality criteria give customers assurance that confidential data is protected from unauthorized third parties. The confidentiality criteria are often included in a service organization’s SOC 2 examination without the privacy criteria; when the privacy criteria are included, the confidentiality criteria are usually included as well. Each service organization determines which Trust Services Criteria are applicable to its report, so a customer reading a report should check which categories were actually in scope rather than assume that privacy is covered because confidentiality is.
We hope this overview of SOC 2 examinations and how they treat privacy and confidentiality is helpful. A SOC 2 report can be an important component of a service organization’s compliance with its system and security policies, and ultimately of its commitments to the customers it serves.
Contact us to discuss the costs and benefits of a SOC report, or to learn more about our full suite of consulting, audit, and assurance services.