The SOC 2 Privacy Principle is one (1) of the five (5) Trust Services Principles (TSP) put forth by the American Institute of Certified Public Accountants (AICPA) within the SOC 2 reporting framework. In today’s growing world of regulatory compliance, much emphasis is now being placed on the “Privacy” principle, which the AICPA defines as the principle that “…addresses the system’s collection, use, retention, disclosure, and disposal of personal information in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and Canadian Institute of Chartered Accountants…”.
Source: http://www.aicpa.org/
Many service organizations think that the privacy policy posted on their website suffices for the SOC 2 Privacy Principle. This is generally not true. Instead, the Privacy Principle should be looked upon as a collection of processes, procedures, legal documents, and other best practices for ensuring the safety and security of highly sensitive and confidential consumer data, often known as Personally Identifiable Information (PII).
Therefore, meeting the rigors of the AICPA Privacy Principle should generally consist of the following:
1. Management. The entity defines, documents, communicates and assigns accountability for its privacy processes and procedures.
Analysis: A good starting point is having a comprehensive set of privacy processes in place that speak to the different types of sensitive and confidential information that need to be protected. Personally Identifiable Information (PII) is the umbrella framework of privacy, as it essentially consists of eighteen (18) unique identifiers that should be disclosed. Additionally, it means that all service organizations should include comprehensive language within all contracts and other legal documents that strives to ensure the safety and security of PII within their environment and for the companies using their services. Documents that should include PII language include Statements of Work (SoW), Service Level Agreements (SLA), and Master Service Agreements (MSA), to name a select few. There should be clear boundaries on the use of PII, clauses covering uses outside those boundaries, and penalties for breaches.
2. Notice. The entity provides notice about its privacy processes and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed.
Analysis: The “notice” principle within the AICPA Privacy framework is what’s often associated with an organization’s online privacy policy – the statement regarding the uses and disclosures of the information obtained, etc. What’s important to note about an organization’s online Privacy Policy statement is the following:
- If using a boilerplate, generic policy statement, take time to actually customize the content, making it a true fit for your organization.
- Ensure that appropriate legal personnel have thoroughly reviewed the content for completeness and appropriateness for your organization.
3. Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information.
Analysis: Many times Personally Identifiable Information (PII) is collected and used by the service organization for any number of reasons. The point is to clarify those uses and make sure such choices and consent are available to the consumers of your services. This should be clearly illustrated within all legal, contractual, and other essential documents, when applicable, and also noted in the service organization’s online privacy policy.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
Analysis: Again, the “notice” element is what’s important, as the AICPA mandates that service organizations clearly identify and discuss the merits for why such information is being collected. Simply stated, a notice without such provisions is not compliant with the AICPA guidelines for a comprehensive privacy policy framework.
5. Use, retention and disposal. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulation and thereafter appropriately disposes of such information.
Analysis: This requirement is much more than just a broad-based Privacy Policy; rather, it requires service organizations to have actual procedures and best practices in place for ensuring such mandates are being met. After all, a policy document is nothing more than a passive edict with little merit if no procedures are undertaken. Bottom line, consistent with the first AICPA Privacy Policy – “Management” – the service organization needs to have comprehensive language within all contracts and other legal documents discussing the use, retention – and disposal – of consumer information.
6. Access. The entity provides individuals with access to their personal information for review and update.
Analysis: Item #6 of the AICPA Privacy Policy, if applicable, should allow consumers to review and update such information, which could be anything from sensitive medical records to a change of address for e-commerce orders. Giving consumers access to their personal information for making changes is the real key to remember.
7. Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
Analysis: It’s important to note in a privacy policy what type of information would ever be disclosed to third parties, and why. In today’s world of growing cyber security attacks – coupled with the need for ensuring the safety and security of consumer data – this is an important component of one’s privacy principle, so think long and hard when constructing a plausible answer within the “notice” provision of your privacy policy.
8. Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
Analysis: This essentially comes down to access rights best practices for ensuring the safety and security of PII. It means only authorized personnel can access PII, with the minimum rights necessary for performing one’s responsibilities. Furthermore, terminated users are to have such rights immediately revoked, and periodic access rights audits are to be conducted.
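The three controls named above (least privilege per role, prompt revocation on termination, and a periodic audit that proves both) are easier to evidence for an auditor when the audit itself is a repeatable script rather than a manual spreadsheet review. The following is an added example, not code from the original article or from any auditing firm: it runs a periodic access-rights audit over a constructed user directory and entitlement export for a hypothetical PII store named customer_db. The role baseline, user records and grants are all assumptions made up for illustration.

```python
"""Periodic access-rights audit for a system holding PII.

Added example (not from the original article). It checks the controls the
"Security for privacy" analysis names: terminated users must hold no access,
active users must hold only the minimum rights for their role, and every
grant must be traceable to a known owner. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    terminated_on: Optional[date] = None  # None means still employed


@dataclass(frozen=True)
class Grant:
    user_id: str
    resource: str  # hypothetical PII data store
    right: str     # "read", "write", "export", "admin"


# Hypothetical least-privilege baseline: the rights each role may hold on PII stores.
ROLE_BASELINE = {
    "support_agent": {"read"},
    "data_engineer": {"read", "write"},
    "privacy_officer": {"read", "export"},
}

# Constructed sample directory export and entitlement export.
USERS = [
    User("alice", "support_agent"),
    User("bob", "data_engineer", terminated_on=date(2024, 3, 1)),
    User("carol", "privacy_officer"),
    User("dave", "support_agent"),
]
GRANTS = [
    Grant("alice", "customer_db", "read"),
    Grant("bob", "customer_db", "write"),    # terminated, but still provisioned
    Grant("carol", "customer_db", "export"),
    Grant("dave", "customer_db", "read"),
    Grant("dave", "customer_db", "admin"),   # exceeds the support_agent baseline
    Grant("erin", "customer_db", "read"),    # no matching directory record
]
AUDIT_DATE = date(2024, 4, 1)  # constructed "as of" date for the review


def find_terminated_with_access(users, grants, as_of):
    """Grants still held by users whose termination date is on or before as_of."""
    gone = {u.user_id for u in users if u.terminated_on and u.terminated_on <= as_of}
    return sorted((g.user_id, g.resource, g.right) for g in grants if g.user_id in gone)


def find_excess_rights(users, grants, baseline):
    """Grants that exceed the least-privilege baseline for the holder's role."""
    role_of = {u.user_id: u.role for u in users}
    findings = []
    for g in grants:
        if g.user_id not in role_of:
            continue  # reported separately as an orphaned grant
        allowed = baseline.get(role_of[g.user_id], set())
        if g.right not in allowed:
            findings.append((g.user_id, g.resource, g.right))
    return sorted(findings)


def find_orphaned_grants(users, grants):
    """Grants whose holder has no directory record, so no accountable owner."""
    known = {u.user_id for u in users}
    return sorted((g.user_id, g.resource, g.right) for g in grants if g.user_id not in known)


def audit(users, grants, baseline, as_of):
    """Run all three checks; empty lists mean the controls held on as_of."""
    return {
        "terminated_with_access": find_terminated_with_access(users, grants, as_of),
        "excess_rights": find_excess_rights(users, grants, baseline),
        "orphaned_grants": find_orphaned_grants(users, grants),
    }


if __name__ == "__main__":
    report = audit(USERS, GRANTS, ROLE_BASELINE, AUDIT_DATE)
    for check, rows in report.items():
        print(f"{check}: {rows if rows else 'none'}")
```

Run against the sample data, the audit flags bob (terminated but still provisioned), dave’s admin right (outside the support_agent baseline) and erin’s grant (no owner in the directory). Keeping the dated report output with the review gives the auditor evidence that the periodic check actually occurred and what was remediated.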
9. Quality. The entity maintains accurate, complete and relevant personal information for the purposes identified in the notice.
Analysis: The “quality” notion – as it is aptly named – simply implies that the aforementioned privacy policy best practices are in place and being adhered to. Once again, having a current, well-defined, and comprehensive privacy policy is what’s needed.
10. Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
Analysis: A privacy policy is one thing, but making it work as stated requires constant monitoring of various processes and procedures, ultimately helping ensure the confidentiality, integrity and availability (CIA) of one’s entire information systems and operational infrastructure.
Want to learn more about SOC 2 compliance, along with obtaining a competitively priced fixed fee for SOC 1 and SOC 2 Type 1 & Type 2 assessments? Contact Christopher Nickell today at 1-800-277-5415, ext. 706.