Exploring the Privacy TSC
The protection of personal information has become a critical concern for businesses and individuals alike in our increasingly digital world. The Trust Services Criteria (TSC) developed by the American Institute of Certified Public Accountants (AICPA) provide a valuable framework for service organizations to demonstrate their commitment to maintaining the security, reliability, and privacy of their systems. In this Peak Post, we will explore when the Privacy Trust Services category is applicable, offering a thorough understanding of its significance and relevance for your organization.
The Trust Services Criteria
The Trust Services Criteria consist of five categories, each addressing a specific aspect of a service organization’s system:
1. Security: Protecting the system from unauthorized access, both physical and logical.
2. Availability: Ensuring that the system is operational and accessible for use as committed or agreed upon.
3. Processing Integrity: Ensuring that the system processes data accurately, completely, and in a timely manner.
4. Confidentiality: Protecting the confidentiality of the information processed by the system.
5. Privacy: Protecting the personal information collected, used, retained, or disclosed by the system.
When the Privacy TSC Applies
The Privacy Trust Services category is applicable in situations where a service organization is responsible for collecting, using, retaining, or disclosing personal information within its system. This category provides assurance that the service organization has implemented the necessary controls and processes to protect the privacy of personal information, in compliance with applicable laws and regulations.
Questions to Determine if the SOC 2 Privacy TSC Applies
- Does your system interact directly with data subjects (the individuals whose personal information is collected, processed, or stored by the organization), for example by collecting data directly from them, or does it receive that data from a third party?
- Is your organization responsible for handling data subject requests, such as access, rectification, or erasure of personal data?
- Does your system host the Personally Identifiable Information (PII) of data subjects?
- Is it your organization’s responsibility to notify data subjects and relevant authorities in the event of a personal data breach or privacy incident, or is this the responsibility of a third party?
- Do your client contracts or agreements include provisions regarding the privacy and protection of personal information?
- Do your customers express concerns or expectations related to the privacy and protection of personal information?
- Does your organization rely on third-party vendors for handling, processing, or storing personal information, and are their privacy controls relevant to your organization?
- Have you experienced past incidents involving unauthorized access, disclosure, or use of personal information that have affected your customers’ operations, your organization’s reputation, or resulted in regulatory penalties?
- Are there any industry-specific regulations or legal requirements governing the privacy of personal information in your organization’s services, such as GDPR, HIPAA, or CCPA?
Answering these questions can help service organizations evaluate whether the SOC 2 Privacy category is applicable to their operations and determine the appropriate controls to implement for compliance.
The difference between Confidentiality and Privacy
Determining if confidentiality or privacy is applicable in a SOC 2 scope is a crucial step in ensuring that your organization has the right controls in place to protect user data and maintain information security.
Confidentiality refers to the protection of sensitive information from unauthorized access, disclosure, or use. This TSC applies to any information designated as confidential by the organization, such as financial records, intellectual property, customer data, or other sensitive information. The organization must implement proper access controls, encryption, and other security measures to ensure that only authorized personnel can access confidential information, and that it is safeguarded during transmission, storage, and processing.
Privacy deals specifically with the protection of personal information or Personally Identifiable Information (PII) of data subjects (individuals whose information is being collected, processed, or stored by the organization). Privacy encompasses a broader set of requirements that focus on how organizations collect, use, disclose, store, and dispose of personal information. Privacy principles include providing notice, obtaining consent, limiting data collection, and ensuring data accuracy, among others. Adherence to privacy requirements helps organizations comply with data protection regulations and maintain trust with data subjects.
It is worth noting that in many cases both confidentiality and privacy controls may be applicable in a SOC 2 scope. For example, a service organization that provides a financial service may handle both sensitive financial information and personal information about its customers. In such cases, it is important to ensure that both sets of controls are in place to protect the confidentiality of sensitive information and to respect the privacy rights of individuals.
Scenarios Where the Privacy TSC Applies
- Healthcare providers: Healthcare organizations collect, use, and store sensitive personal and medical information about their patients. Ensuring the privacy of this data is vital for maintaining patient trust and meeting regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), making the Privacy Trust Services category relevant for healthcare providers.
- Financial services: Banks, credit unions, and other financial institutions handle sensitive personal and financial information about their customers. Protecting the privacy of this information is crucial for maintaining customer trust and meeting regulatory requirements, such as the Gramm-Leach-Bliley Act (GLBA), making the Privacy Trust Services category applicable in this context.
- Human resources service providers: HR service providers manage personal information about employees, including contact details, employment history, and payroll information. Ensuring the privacy of this data is essential for maintaining employee trust and meeting regulatory requirements, making the Privacy Trust Services category relevant in this scenario.
- E-commerce platforms: Online retailers collect and process personal information about their customers, including contact details, payment information, and purchase history. Protecting the privacy of this information is crucial for maintaining customer trust and complying with data protection regulations, such as the General Data Protection Regulation (GDPR), making the Privacy Trust Services category applicable in this context.
- Social media platforms: Social media platforms collect and process vast amounts of personal information about their users, including contact details, interests, and online activities. Ensuring the privacy of this data is essential for maintaining user trust and complying with data protection regulations, making the Privacy Trust Services category relevant for social media platforms.
- Educational institutions: Schools, colleges, and universities collect and manage personal information about students, including contact details, academic records, and financial information. Protecting the privacy of this information is crucial for maintaining student trust and meeting regulatory requirements, making the Privacy Trust Services category applicable in this scenario.
- Telecommunication providers: Telecommunication companies collect and process personal information about their customers, including contact details, billing information, and usage data. Ensuring the privacy of this data is important for maintaining customer trust and complying with data protection regulations, making the Privacy Trust Services category relevant for telecommunication providers.
- Marketing and advertising agencies: These agencies collect and process personal information about consumers to create targeted marketing campaigns. Protecting the privacy of this information is essential for maintaining consumer trust and complying with data protection regulations, making the Privacy Trust Services category applicable in this context.
- Cloud service providers: Cloud service providers store and manage personal information for various organizations and individuals. Ensuring the privacy of this data is crucial for maintaining customer trust and meeting regulatory requirements, making the Privacy Trust Services category relevant for cloud service providers.
- Travel and hospitality companies: Airlines, hotels, and other travel-related businesses collect and process personal information about their customers, including contact details, travel preferences, and payment information. Protecting the privacy of this information is essential for maintaining customer trust and complying with data protection regulations, making the Privacy Trust Services category applicable in this scenario.
Example: An organization provides an application that its customers use to collect personally identifiable information (PII).
For SOC 2, the organization providing the application is considered a service organization, while the customers using the application are considered user entities. The service organization’s responsibilities regarding confidentiality and privacy include:
- Designing and maintaining the application so that it supports privacy compliance: implementing security measures to protect PII, providing tools or features that let customers manage PII in accordance with privacy regulations, and ensuring that any third-party service providers used by the application also adhere to privacy requirements.
- Implementing appropriate access controls, encryption, or other security measures to protect the confidentiality of the information processed, stored, or transmitted, including any PII collected by customers.
- Undergoing a SOC 2 audit conducted by an independent third-party auditor to demonstrate that the service organization has implemented effective controls for both confidentiality and privacy.
The customers using the application (user entities) are responsible for:
- Complying with privacy regulations in their specific jurisdiction or industry, which may include obtaining the necessary consents from data subjects, using the PII for specific purposes, and ensuring that appropriate measures are in place to safeguard the collected PII.
- Implementing access controls within their organization, ensuring that employees are trained in handling sensitive data, and monitoring for potential security threats or breaches to maintain the confidentiality of the information.
- Reviewing the service organization’s SOC 2 report to gain assurance that the service organization has effective controls in place for confidentiality and privacy. The user entities may also need to undergo their own SOC 2 audit if required by their customers, regulators, or industry standards.
Trust Services Criteria Updates (2022)
The Trust Services Criteria were updated in October 2022. The update revised and retitled TSP section 100 as 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (With Revised Points of Focus — 2022), adding new points of focus and editing existing ones for several of the criteria, including the Privacy criteria. The revised points of focus help distinguish which privacy points of focus apply only to an organization acting as a data controller and which apply only to one acting as a data processor.
Data Controller refers to an entity or organization that determines (alone or jointly with others) the purpose and means of the processing of personal data. Data Controllers are responsible for collecting, handling, and processing personal data in accordance with applicable data protection laws and regulations. For example, a company that collects personal data of its customers is considered a Data Controller.
Data Processor refers to an entity or organization that processes personal data on behalf of the Data Controller. The Data Processor acts according to the instructions provided by the Data Controller and does not own the personal data being processed. For example, a company that provides IT services or cloud storage services to a Data Controller is considered a Data Processor.
Both Data Controllers and Data Processors have specific responsibilities under privacy laws and regulations. The Data Controller is ultimately responsible for ensuring that personal data is collected and processed in accordance with privacy laws and regulations. The Data Processor is required to only act on the instructions provided by the Data Controller and must ensure that all personal data processing activities are carried out in accordance with applicable data protection laws and regulations.
The revised privacy points of focus from October 2022 assume that the service organization is a data processor or data controller, or both. In many cases, the service organization and its customers will need to work together to ensure that both privacy and confidentiality requirements are met in the context of a SOC 2 audit. This may involve drafting and executing data processing agreements (DPAs) or other contractual arrangements that outline the responsibilities of each party with regard to privacy and confidentiality compliance.
Conclusion
The Privacy Trust Services category is applicable in situations where a service organization is responsible for collecting, using, retaining, or disclosing personal information within its system. Adhering to this category demonstrates a commitment to maintaining the privacy of personal information, which is essential for building trust and confidence with customers, clients, and partners. By understanding when the Privacy Trust Services category is applicable and ensuring compliance, organizations can foster strong business relationships based on transparency and accountability while minimizing the risk of data breaches and privacy violations.