Key Takeaways
- Confidentiality Protects Sensitive Business Data: The Confidentiality criterion applies to various types of sensitive business information, such as proprietary product data, internal financial details, wholesale pricing, or customer lists.
- Privacy Protects Personal Information: The Privacy criterion is specifically focused on non-public personal information (PII) that can identify an individual, including health data, payment details, or customer profiles.
- Required Report Scoping: Unlike the mandatory Security criterion, the Privacy criterion is only required for your SOC 2® report if your organization stores, processes, collects, or transmits this non-public personal information.
Privacy & Confidentiality in SOC 2®
Did you know that there is a difference between “Privacy” and “Confidentiality” when it comes to assessing SOC 2® compliance? Let’s break down what both terms mean and how they can impact SOC 2® compliance and reporting.
The Difference Between Privacy & Confidentiality
First off, it’s very important to define these two terms in relation to SOC 2® standards:
- Confidentiality refers to multiple kinds of sensitive information. Examples of confidential information would be financial information used for internal or external reporting, customer lists, confidential wholesale pricing information, product information, proprietary information provided by business partners, and more.
- Privacy refers specifically to personal information, which requires unique considerations. Personal information is non-public information that could identify an individual, such as health information, payment information, customer profile information, and more.
A SOC 2® report that analyzes “Privacy” in the context of the Five Trust Services Criteria will likely address the following, as applicable:
- Your organization’s privacy commitments and practices,
- How your organization protects personal information from being used inappropriately,
- A user’s ability to choose the use and disclosure of their personal information,
- A user’s right to access their personal information for review,
- Your organization’s inquiry, complaint, and resolution processes.
Scoping Your SOC 2® Report
Did you know that your SOC 2® report may not have to address the privacy criteria? If your organization’s systems do not transmit, store, collect, create, or use personal information, then the privacy criteria may not need to be addressed at all. In these situations, the confidentiality criteria may make more sense. An experienced assessor like Auditwerx can help you analyze your system and documentation to ensure that your SOC 2® assessment is properly scoped.
Choosing an Experienced SOC 2® Partner
Take the guesswork out of SOC 2® assessments by partnering with an experienced team. Our thorough evaluation process ensures that your SOC 2® assessment is completed in a timely and transparent manner. If you are ready to start the SOC 2® assessment process, contact Auditwerx today.
FAQs
How does the SOC 2® framework define the difference between Confidentiality and Privacy?
In the SOC 2® framework, Confidentiality covers sensitive business information where unauthorized disclosure could cause harm (e.g., proprietary corporate data). Privacy is narrower and focuses specifically on controls for Personal Information (PII), ensuring it is collected, used, retained, and disclosed according to defined commitments.
What kind of data is covered by the Confidentiality criterion in a SOC 2® compliance engagement?
Confidentiality covers a broad range of sensitive information, including internal or external financial reports, customer lists, product specifications, proprietary business intelligence, and information supplied under a nondisclosure agreement from business partners.
What types of sensitive data are protected under the Privacy criterion in a SOC 2® compliance engagement?
The Privacy criterion focuses on non-public data that can identify an individual. This includes health records, payment information, customer profile details, and other identifiable attributes. It addresses a user’s rights to access and control the use and disclosure of their own personal information.
How do organizations determine if the Privacy criterion needs to be included in their SOC 2® report?
If an organization’s systems do not collect, create, store, or transmit non-public Personal Information (PII), the Privacy criterion may not need to be addressed in the attestation. Organizations should analyze their systems and data handling with a compliance partner to ensure the SOC 2® assessment is correctly scoped.
