In a SOC 2 examination, there are five possible Trust Service Criteria (TSC) that can be included – two of the five are privacy and confidentiality. These two criteria can be confusing and may seem to overlap or be interchangeable. Often times both get talked about in the same context although their underlying definitions are different. Privacy and confidentiality are defined in the SOC 2 audit guide from the American Institute of Certified Public Accountants (AICPA) as follows:
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in generally accepted privacy principles (GAPP).
- Confidentiality: Information designated as confidential is protected as committed or agreed.
What is the Difference Between Privacy and Confidentiality?
The main difference between Privacy and Confidentiality is that one protects personal information while the other protects non-personal information and data. Personal information includes any information that can be attributed to an identified individual, such as:
- Name
- Home or email address
- Identification number (Social Security Number, Social Insurance Number, etc.)
- Physical characteristics
- Consumer purchase history
- Information on medical or health conditions
- Financial information
- Information related to offenses or criminal convictions
The term “confidential information” and its meaning can vary between organizations or geographical location and potentially cover a wide range of information security practices. If the service organization has outlined contractual commitments with its clients related to the protection of information as the data custodian, then the confidentiality principle can be considered.
Unlike personal information, confidential information is not so easily defined. Any personal or non-personal information or data can be designated as confidential, and once it is, it needs to be protected. Interpretations of this type of information often vary significantly from one company to another. Some examples of confidential information include, but are not limited to:
- Transaction details
- Engineering drawings
- Business plans
- Banking information
- Legal documents
Is There a Difference Between Security and Privacy?
Security is the only TSC that is required in a SOC 2. A lot of times this is sufficient because service organizations with possession of PII are just expected to properly secure the data from unauthorized disclosure. The privacy TSC is needed when the service organization interacts directly with the individuals themselves, whose personal information they process on behalf of their clients. It is necessary to demonstrate good security practices, and therefore the privacy TSC should be included.
What is Included in the Privacy TSC?
Including the privacy TSC gives independent assurance that the service organization personnel adhere to good privacy and data protection practices. The SOC 2 audit report including the privacy TSC includes a CPA firm’s opinion as to an organization’s compliance with the Trust Services Criteria on Privacy, as well as representations made in the organization’s published privacy policy or notice. The Privacy criteria should be looked upon as a collection of processes, procedures, legal documents, and other best practices for ensuring the safety and security of highly sensitive consumer/client data.
The framework developed by the Privacy Task Force is called the Generally Accepted Privacy Principles (GAPP). The GAPP consists of ten privacy principles, which are reviewed as part of the SOC 2 Privacy Criteria. The privacy principles are listed and summarized below:
- Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
- Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
- Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
- Collection. The entity collects personal information only for the purposes identified in the notice.
- Use, retention, and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations and thereafter appropriately disposes of such information.
- Access. The entity provides individuals with access to their personal information for review and update.
- Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
- Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
- Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
- Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy related complaints and disputes.
For additional information on the 10 generally accepted privacy principles, see The 10 Generally Accepted Privacy Principles.
What is Included in the Confidentiality TSC?
The Confidentiality TSC focuses on testing that information designated as confidential is protected as committed or agreed to with clients. When testing this TSC it is important that a policy is documented that defines the various types of data that a service organization has in their possession and how they then handle each type of data. Specific areas of review will cover:
- Identification of confidential information: Procedures are in place to identify and designate confidential information when it is received or created and to determine the period over which the confidential information is to be retained.
- Protection of confidential information from destruction: Procedures are in place to protect confidential information from erasure or destruction during the specified retention period of the information.
- Destruction of confidential information: Procedures are in place to identify confidential information requiring destruction when the end of the retention period is reached.
Summary
In summary, there are differences between the privacy and confidentiality TSCs in a SOC 2, and it depends on the type of data a service organization has in their possession and what they are doing with it that will determine which (or both) TSC should be included in the examination. Contact us if we can help with SOC 2 or HIPAA audits. For more related information on privacy, HIPAA, and SOC 2 examinations, see the following blog posts:
- HIPAA Record Retention Requirements: How Long Should We Retain ePHI Data?
- The 10 Generally Accepted Privacy Principles
- When is Consent Required to Disclose PHI Under the HIPAA Privacy Rule?
Nicole Hemmer started her career in 2000. She is the co-founder of Linford & Co., LLP. Prior to Linford & Co., Nicole worked for Ernst & Young in Indianapolis, Chicago, and Denver. She specializes in SOC examinations and royalty audits and loves the travel and challenge that comes with clients across all industries. Nicole loves working with her clients to help them through examinations for the first time and then working together closely after that to have successful audits.