What is the Purpose of the SOC 2 Privacy Principle?

by Sarah Harvey / February 20th, 2018

Why Choose the Privacy Principle?

Once you’ve determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Criteria you want to include in your SOC 2 audit report. Typically, service organizations that are concerned about the Privacy Principle are collecting, using, retaining, disclosing, and/or disposing of personal information to deliver their services.

A classic example is a doctor’s office. What’s one of the first items that the receptionist hands you? A Notice of Privacy Practices. Why? You’re about to disclose personal information about your medical conditions to a medical provider, as well as provide them with other personal information like your date of birth, insurance information, and the list of medications that you’re on. So, what if the office shares that personal information with some type of marketing company to help market services or prescriptions to you? What if they share it with a research organization that’s conducting research about treatments for your condition? What if they give that information to other medical providers who are providing services to you, or to an insurance company? That Notice of Privacy Practices must fully inform you of who your personal information will be shared with.

Including the Privacy Principle in your SOC 2 audit report ensures that your organization is handling client data in accordance with the commitments made or agreed upon in its privacy notice. The Privacy Principle also demonstrates that you’re handling client data in accordance with criteria issued by the AICPA, including:

  1. Management: Service organizations must define, document, and implement privacy policies and procedures, which govern how personal information is used.
  2. Notice: Service organizations must provide notice to consumers about their privacy policies and procedures, fully informing them of how personal information is used.
  3. Choice and Consent: Individuals must have the ability to choose how personal information is used and give consent for the use of their personal information.
  4. Collection: Service organizations only collect personal information for the purposes described in the notice; service organizations will not use it for any other reason.
  5. Use, Retention, and Disposal: Service organizations will have privacy policies and procedures that define how personal information is used, retained, and disposed of.
  6. Access: Service organizations provide individuals with the ability to access their information for review and updating.
  7. Disclosure to Third Parties: Service organizations will only disclose personal information to third parties identified in the notice.
  8. Security: Service organizations protect personal information through physical and logical access controls.
  9. Quality: Service organizations need to have quality management procedures in order to not only protect personal information, but also make sure it’s complete and accurate in the way it’s used.
  10. Monitoring and Enforcement: Service organizations must monitor their compliance with privacy practices.

If you’re ready to begin your SOC 2 audit report and need some help determining which of the Trust Services Criteria you should include, contact us today.

When you include the Privacy Principle in your SOC 2 audit report, it’s important to understand the purpose of the Privacy Principle and the generally accepted privacy principles issued by the AICPA. Typically, organizations that are concerned about the Privacy Principle are collecting information directly from consumers and using that information in some way in the course of providing their service. You have to determine whether this applies to you.

The classic example is when you walk into a doctor’s office. What happens? They ask you to sign an acknowledgement that you have been given a Privacy Notice. It’s very obvious why that applies in that situation. You’re about to see a medical provider, you’re about to provide personal information about your medical conditions, you’re going to give them your date of birth, insurance information, and the medications that you’re on, and they may share that information with some type of marketing company to help market services or prescriptions to you. They might share that information with a research organization that’s conducting research about treatments and experiences with your medical providers. They might share that information with other physicians who are providing services to you. They might be sharing that information with insurance companies. That Privacy Notice is supposed to disclose all of that, let you know that you have the option to opt out, and fully inform you as a consumer.

If you, in your business, are implementing the Privacy Principle, you have to have a method for managing the privacy policies and procedures that you will put into place to govern how personal information is used. You will provide notice to consumers about how you’re going to use their information so that they’re fully informed, you’re going to give them the ability to have some choice in the matter, and you’re going to ask them to give you consent to use their information in the way that you are intending to use it. You’re only going to collect information that is for the purpose of delivering your service; you’re not going to use it for another reason that you have not notified them about. You’re going to have privacy policies and procedures about how personal information is used, how you retain it, and how you dispose of it. Do you keep that information perpetually? Do you keep it for 20 years, 10 years, 7 years? You have to have those things defined in your policies about how you will keep and then eventually dispose of that information. You have to provide consumers with the ability to access their information; they have a right to know what you have and how you’re using it. You have to have privacy policies and procedures that govern how you disclose information to third parties who might be service providers to you and help you in the delivery of your services. You have to have security procedures in place in order to protect that information while you have it within your custody. You will have to have some quality management procedures in order to not only protect the information, but also make sure it’s complete and accurate in the way that you’re using it, so that you don’t make mistakes in sharing information that you shouldn’t or misrepresent the consumer’s information in some way.

Finally, you have to have your own monitoring practice in order to verify that you are in compliance with your policies and procedures and that you are monitoring how personal information is used on a daily basis.

There are a lot of things to think about with the 10 principles within the SOC 2 Privacy Principle, so please contact us if we can help you understand this any further.