Understanding the Privacy and Confidentiality Criteria in a SOC 2 Examination

As service organizations prepare for SOC 2 examinations, understanding the roles of the Privacy and Confidentiality Trust Services Criteria (TSC) can help them manage risk more effectively and optimize the scope of SOC 2 audits.

Privacy and Confidentiality are two of the five TSCs that can be considered in a SOC 2 review. The Security criteria is mandatory, while Confidentiality and Privacy, along with Availability and Processing Integrity, are optional areas for review.

The Confidentiality and Privacy criteria, although similar in nature, have important differences that a service organization should consider as it decides which criteria should be included in an upcoming SOC 2 review.

Understanding Privacy vs. Confidentiality

It’s important for companies scoping a SOC 2 audit to understand the differences between the Confidentiality and Privacy criteria:

Confidentiality

Confidentiality refers to a service organization’s ability to secure proprietary information from unauthorized access or disclosure. The types of data that need to be secured will vary among providers, but typically include:

  • Business plans
  • Trade secrets
  • And similar forms of information.

Privacy

Privacy refers to the service organization’s ability to collect, use, retain, dispose of, and disclose personally identifiable information (PII) in accordance with client agreements as well as any applicable laws or regulations. This will typically include:

  • Customer and employee names
  • Addresses
  • Medical or financial data
  • Purchase histories
  • And similar data that can be associated with a specific individual.

When to Choose Specific Trust Criteria

Deciding whether to include one, the other, or both criteria depends on several factors, including the types of data the service organization handles on behalf of its clients and the sensitivity of that data.

For example, the Privacy TSC is important for providers that interact directly with individuals or process PII on behalf of their clients. In these instances, the service organization’s client (and their customers) will share data with the system and thus may also want to understand the steps the service organization follows to protect that sensitive data within the system.

The applicability of the Confidentiality TSC will likely vary among service organizations and their clients, but it often comes into scope when the provider is processing or using information it is contractually required to protect.

For instance, a service organization that provides purchasing software for its clients will need to secure the customers’ purchase history from unauthorized access, but with perhaps less technical rigor than it would apply to someone’s health insurance claim or personally identifiable data.

Developing Privacy and Confidentiality Controls for Compliance

After classifying data and selecting the appropriate criteria, service organizations will need to design and implement appropriate controls to ensure compliance with the Privacy and Confidentiality TSCs.

Effective Privacy controls often include policies and procedures for:

  • Obtaining and documenting customer consent for data.
  • Limiting the collection of PII to what’s needed for legitimate business purposes.
  • Cleansing non-relevant data as it’s being collected.
  • Providing individuals with access to their information, as requested.
  • Destroying information that isn’t needed or for which a legitimate purpose has expired.

Effective Confidentiality controls may vary, but often address:

  • Classifying information based on its sensitivity.
  • Restricting access to a need-to-know basis.
  • Monitoring access to stored confidential information.
  • Encrypting confidential information while it’s being shared or stored.

Choosing the right TSC, or a combination of criteria, is important in mitigating risk while also developing an effective and cost-effective scope for a cloud service provider’s SOC 2 audit.

For more information about Privacy vs. Confidentiality or if you need help preparing for your SOC audit, contact our team.