A common reason that a service organization may request that the privacy trust service category be covered in its SOC 2® examination, when it may not really be necessary, is related to a misconception of what privacy within the context of the SOC 2® examination actually covers.
So let’s start with the context of privacy and contrast it with the context of confidentiality, since the distinction between the two may not initially be clear to companies that have not previously had a SOC 2® examination performed.
Confidentiality refers to a company’s ability to protect information designated as confidential from its collection or creation through its final disposition and removal. Confidentiality requirements may be contained in laws or regulations or in contracts and agreements that contain commitments made to customers or others. The need for information to be confidential may arise for many different reasons such as the information may simply be proprietary.
Privacy refers to how personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
Accordingly, confidentiality is distinguished from privacy in that privacy applies only to personal information, but confidentiality applies to various types of sensitive or protected information. Confidential information may include personal information as well as other information that for a variety of reasons necessitates that the information be accessible to a limited number of individuals.
Based upon the definitions of the categories, privacy should only be assessed in a SOC 2® examination when a company is responsible for creating, collecting, transmitting, using or storing personal information. Typically, when the privacy category is relevant, the service organization has some type of direct interaction with the individual (data subject) about whom the personal information is collected.
A company will want to avoid including privacy unless it is truly relevant to its business or operating processes. Including privacy in a SOC 2®, if it does not apply, will not be particularly useful to the user of the report since most of the privacy criteria will not be applicable. Additionally, from a practical perspective, including the privacy category will lead to higher SOC 2® examination fees.
Speak to a Specialist for more detailed information relating to SOC 2® trust service categories.