Listen to: "Privacy vs. Confidentiality in a SOC 2: Do You Know the Differences?"
Developed and maintained by the ASEC Trust Information Integrity Task Force, the Trust Services Criteria (TSC), serve as the cornerstone set of controls for SOC 2 examinations. The TSC are control criteria used throughout consulting agreements and for attestations as a guideline for auditors to accurately evaluate and create a report on controls over an organization’s information and systems.
Each control is important in investigating and attesting to a company’s system security and may cover the following:
- Everything across the entire entity
- A subsidiary, division or some other operating unit
- A function relative to the business’s operational, reporting or compliance goals
- A specific type of information used by the company
The five crucial controls that comprise the TSC are:
Many business leaders may have a firmer grasp on some of the controls than on others. The only control that is mandatory for a SOC 2 examination is security, so that leaves four others to understand and decide whether they are necessary or not..
Two of the controls that leave many business leaders slightly perplexed are privacy and confidentiality since the differences may seem—at least on the surface—somewhat subtle.
What Are the Basic Definitions of Privacy and Confidentiality?
FindLaw notes that many of people, in a variety of settings, use “privacy” and “confidentiality” fairly interchangeably. It is particularly easy to confuse them when they are both used in the context of a particular environment or process, like a SOC 2 examination. However, it is crucial to understand the finer and broader definitions of the two terms to pave the way for a successful SOC 2 audit and report.
The best way to sort out the differences between the two important terms is to start by taking a look at the basic definition of each.
Any personal information collected, used, stored, transferred, disclosed or destroyed in accordance with the requirements in the business’s privacy notice. The same personal information must also meet the criteria set forth in the generally accepted privacy principles (GAPP).
Any information designated as “confidential” is protected and secured as agreed upon. In the broader scheme, beyond SOC 2, personal information is that which is shared with a therapist, attorney, physician or any other professional individual or entity.
Such information, protected under the agreement of confidentiality, cannot be shared with any third-party without the consent of the client.
What Is the Primary Difference Between Privacy and Confidentiality?
The most important difference between privacy and confidentiality is that one protects personal data while the other safeguards non-personal information and data. But it is important to dig deeper into the details of each criteria to understand precisely what it protects and how organizations go about guaranteeing that protection to valued clients.
The Details of Privacy That Set it Apart
Personal information includes any records or information that can easily be used to identify the individual to whom it is attached, setting them up for identity theft and other types of fraud.
Following are just a few examples of personal information that could put customers, clients and patients at risk:
- Street address
- Email address
- Telephone number
- Personal identification number, such as social security number, social insurance number or driver’s license number
- Physical characteristics
- Healthcare-related information
- Financial information
- Purchase history
- Information regarding past criminal activities or convictions
Any of this information, in the wrong hands, could pose great risk to the person who placed their trust with a business.
Working according to the privacy TSC, organizations will have a set of controls that ensures the protection of this data.
The Most Distinguishing Characteristics of Confidentiality
“Confidentiality” isn’t quite as simple to break down since its meaning can vary from one business or geographical region to another. It may also cover a broad range of information security practices. Essentially, the confidentiality TSC comes down to the specific contractual commitments outlined by the service organization to its clients and how that service organization, serving as the data custodian, will abide by them.
Following are just a few types of information that may fall under the confidentiality TSC:
- Business plans
- Financial information
- Legal documents
- Transactional details
- Engineering drawings and proprietary schematics
- Intellectual property
What Is Included in the Privacy TSC?
Businesses that choose to include the privacy TSC in a SOC 2 audit do so to provide independent assurance that the organization’s personnel comply with good privacy and data protection practices, according to GAPP.
Following are 10 of the core privacy principles with which businesses, known here as the “entity,” must comply:
The entity develops, documents and communicates its privacy policies and procedures.
3. Choice and Consent.
The entity provides information to the individual about their choices regarding the collection, use, storage and disposal of their private information.
The entity only gathers and retains information according to the reasons provided in the notice.
5. Use. Retention and Disposal.
The entity lays out the purposes for collection, retaining and disposing of data. The entity generally agrees to retain data only as long as necessary.
The entity provides access to individuals so they know what the entity has collected and retained.
7. Disclosure to Third-Parties.
The entity may only disclose information to third-parties for the purposes identified in the notice and only with the explicit consent of the individual.
8. Security for Privacy.
The entity secures and protects data against any unauthorized access.
The entity must maintain complete, relevant and accurate personal information only for the purposes identified in the notice.
10. Monitoring and Enforcement.
The entity monitors and enforces compliance with its privacy policies and procedures. The entity must also have policies and procedures in place to address any privacy-related complaints and disputes.
What Is Included in the Confidentiality TSC?
The confidentiality TSC principle focuses on testing any information designated as confidential, according to what has been committed or agreed to with the clients. Auditors performing SOC 2 examinations will closely look at the following:
Identification and Confidential Information.
Identify and designate any confidential information, as well as when it is received or created and to decide how long that information should be retained.
Protection of Confidential Information Regarding Disposal or Destruction.
Inspect the procedures in place that serve to protect confidential information from any sort of destruction, erasure or other disposal during the agreed upon period of retention of data.
Destruction of Confidential Data.
Review procedures in place to identify confidential information set for destruction, per the agreed upon terms.
Is the Difference Between Privacy and Confidentiality a Little More Clear Now?
If you still have questions about the differences between privacy and confidentiality in anticipation of your upcoming SOC 2 audit, we can help. At I.S. Partners, LLC., we frequently work with clients who need extra clarification on the TSC and which criteria they need to include.