Confidentiality vs. Privacy in a SOC 2

In a SOC 2 examination, two of the five Trust Services Principles and Criteria are Privacy and Confidentiality. These two principles can be confusing and may seem to overlap. The following definitions come from the document titled, “Generally Accepted Privacy Principles,” written by the Privacy Task Force of the American Institute of Certified Public Accountants, Inc. and Canadian Institute of Chartered Accountants, which I have served on since its inception in 2001:

Privacy: The rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information

Confidentiality: The protection of nonpersonal information and data from unauthorized disclosure

The main difference between Privacy and Confidentiality is that Privacy protects personal information while Confidentiality protects nonpersonal information and data. Personal information includes any information that can be attributed to an identified individual, such as:

  • Name
  • Home or email address
  • Identification number (Social Security Number, Social Insurance Number, etc.)
  • Physical characteristics
  • Consumer purchase history
  • Information on medical or health conditions
  • Financial information
  • Information related to offenses or criminal convictions

Many other types of personal information exist. Unlike personal information, confidential information is not so easily defined. Any nonpersonal information or data can be designated as confidential, and once it is, it needs to be protected. Interpretations of this type of information often vary significantly from one company to another. Some examples of confidential information include, but are not limited to:

  • Transaction details
  • Engineering drawings
  • Business plans
  • Banking information about businesses
  • Legal documents
