For most companies preparing for SOC 2 examinations, deciding which Trust Services Categories (TSCs) should be in scope is difficult and sometimes confusing. Two of the categories that leave many organizations confused are the privacy and confidentiality categories, since these terms are used interchangeably in the information security industry. However, in a SOC 2 examination, the differences between these two categories are clear and should be understood before deciding which should be included in your SOC 2 report. In this post, we will describe the differences between Privacy and Confidentiality, and also explain a few key reasons why it is important to understand those differences.
When the AICPA originally adopted the privacy category for SOC 2, they had in mind covered (healthcare) entities. The effect of that can still be seen today in the main difference between privacy and confidentiality in a SOC 2 examination: the privacy Trust Services Criteria apply to personal information, whereas the confidentiality criteria apply to various types of sensitive information.
Here is a simple sniff test: If the system or service organization (i.e. your company) being evaluated in a SOC 2 examination does not create, collect, transmit, use, or store personal information (of the end-user), a SOC 2 examination that addresses the privacy criteria may not be useful because many of the privacy criteria will not be applicable.
If readers of your report need information regarding how you maintain the confidentiality of sensitive information used by your system, the confidentiality criteria may be more applicable.
The AICPA SOC 2 Guide outlines that privacy is only applicable to personal information. Personal information includes personally identifiable information or personal health information. Sensitive information is defined internally by your organization and will be evaluated when confidentiality is in scope.
It is common for consumers and professionals to use privacy and confidentiality interchangeably when discussing information technology systems. However, in the scope of a SOC 2 examination, understanding the difference and its applicability to your organization can save you thousands of dollars and hours of time spent with auditors.
The privacy category adds a layer of complexity to your SOC 2 examination, which results in additional auditor interviews, evidence requests, a longer system description, and a significant uplift in reporting requirements for your auditors. Adding the privacy category when it is not needed would incur that additional level of effort and may not provide value to your organization or the readers of your report if the majority of the criteria include “not applicable” language.
For example, within the privacy criteria, there is a section related to the quality of personal information. “The entity must maintain complete, relevant, and accurate personal information only for the purposes identified in the notice.” If your organization does not have control over the quality of personal information in your system (that is, you are a processor of the information, not the controller), this criterion would not be applicable.
In most cases, the confidentiality criteria will provide the readers of your report with the information they need to be confident in your organization’s ability to protect sensitive data. This ultimately saves your organization time and money and, most importantly, produces a relevant, quality SOC 2 examination report that your customers can trust.
At ByteChek, it is important to us that your SOC 2 examination provides value to the readers of your report and does not include criteria that are not relevant or a plethora of “not applicable” statements.