In the final installment of McKonly & Asbury’s ongoing series of articles focused on System and Organization Controls (SOC) engagements, we will focus our discussion on the Privacy criteria of a SOC 2 examination.
Before we dive into the Privacy criteria, let’s do a quick recap of what a SOC 2 examination covers. You can refer back to our previous articles, SOC 2 Considerations for Small Service Organizations and SOC 2 Additional Criteria, for more detail.
A SOC 2 examination is used by service organizations to meet the needs of a broad range of users who need detailed information and assurance about the controls at the service organization relevant to the security, availability, and processing integrity of its systems and the confidentiality and privacy of the information those systems process. The AICPA has established specific trust services criteria within each trust services principle (referred to as trust services categories in the current criteria), and the service organization’s controls must meet those criteria for the principle to be satisfied. The AICPA requires that every SOC 2 examination cover the Security principle (also known as the common criteria). Service organizations may then elect to include one or more of the additional criteria (availability, processing integrity, confidentiality, and privacy) within the scope of their SOC 2 examination.
The Privacy criteria apply only to personal information, such as health information and records, credit card and banking information, or other personally identifiable information (PII). If you recall from our last installment, this differs from the Confidentiality criteria, which apply to information designated as confidential by agreement, such as proprietary client information, customer information, and client lists. The distinction matters for scoping: confidentiality is about who may see information, while privacy is about the full lifecycle of personal information, including why it was collected, whether the individual consented, and how it is used, shared, and disposed of. The Privacy criteria are quite extensive and comprise 18 individual criteria that the service organization must meet. Rather than list all 18, we will identify the eight functional privacy areas under which they are organized.
- Privacy Area 1.0 – Privacy Criteria Related to Notice and Communication of Objectives Related to Privacy
- Privacy Area 2.0 – Privacy Criteria Related to Choice and Consent
- Privacy Area 3.0 – Privacy Criteria Related to Collection
- Privacy Area 4.0 – Privacy Criteria Related to Use, Retention, and Disposal
- Privacy Area 5.0 – Privacy Criteria Related to Access
- Privacy Area 6.0 – Privacy Criteria Related to Disclosure and Notification
- Privacy Area 7.0 – Privacy Criteria Related to Quality
- Privacy Area 8.0 – Privacy Criteria Related to Monitoring and Enforcement
As the eight functional areas above show, the Privacy criteria center on the entire process of collecting, maintaining, and monitoring PII at the service organization. The functional areas cover privacy notices and objectives, choice and consent, collection of information, appropriate use, retention, and disposal of data, individuals’ access to their data, disclosure to third parties and breach notification, data quality, and monitoring and enforcement. These criteria are extensive, and the processes related to privacy are robust because they address the full cycle of controls for handling this data. A service organization’s primary focus in addressing privacy should be to determine which of the above areas apply to the services it performs on behalf of its clients; for example, a service organization that only processes PII supplied by its clients, rather than collecting it directly from individuals, will find that some activities, such as providing notice and obtaining consent, are performed by the user entity rather than by the service organization. The scope of services and the commitments made to user entities will determine the extent to which the Privacy criteria apply to the SOC 2 examination.
The information above is a brief summary of what the Privacy criteria entail. It is up to your organization to determine whether its service commitments and system requirements for privacy apply to the services it provides. Adding the Privacy criteria to your SOC 2 report can strengthen the report and provide your customers with additional assurance over the system of controls related to personal information.
If you’d like to discuss how to incorporate the Privacy criteria into your SOC 2 Report, please contact our team. We’d love the opportunity to help your organization strengthen your SOC 2 Report.