What is the Purpose of the SOC 2 Privacy Principle?
Learn more at https://kirkpatrickprice.com/video/what-is-the-purpose-of-the-soc-2-privacy-principle/

Once you've determined you are ready to pursue a SOC 2 audit report, the first thing you have to decide is which of the five Trust Services Criteria you want to include in your SOC 2 audit report. Typically, service organizations that are concerned about the Privacy Principle are collecting, using, retaining, disclosing, and/or disposing of personal information to deliver their services.

A classic example is a doctor's office. What's one of the first items that the receptionist hands you? A Notice of Privacy Practices. Why? You're about to disclose personal information about your medical conditions to a medical provider, as well as provide them with other personal information like your date of birth, insurance information, and the list of medications you're on. So, what if the office shares that personal information with some type of marketing company to help market services or prescriptions to you? What if they share it with a research organization that's conducting research about treatments for your condition? What if they give that information to other medical providers who are providing services to you, or to an insurance company? That Notice of Privacy Practices must fully inform you of who your personal information will be shared with.

The Privacy Principle ensures that your organization is handling personal information in accordance with the commitments in the entity's privacy notice, as committed or agreed, and with the criteria defined in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA, which include:

1. Management: Service organizations must define, document, and implement privacy policies and procedures that govern how personal information is used.
2. Notice: Service organizations must provide notice to consumers about their privacy policies and procedures, fully informing them of how their personal information will be used.
3. Choice and Consent: Individuals must have the ability to choose how their personal information is used and to give consent for the use of their personal information.
4. Collection: Service organizations only collect personal information for the purposes described in the notice; service organizations will not use it for any other reason.
5. Use, Retention, and Disposal: Service organizations will have policies and procedures that define how they will use, retain, and securely dispose of personal information.
6. Access: Service organizations provide individuals with the ability to access their information for review and updating.
7. Disclosure to Third Parties: Service organizations will only disclose personal information to third parties identified in the notice.
8. Security: Service organizations protect personal information through physical and logical access controls.
9. Quality: Service organizations need to have quality management procedures in place, not only to protect personal information but to make sure it's complete and accurate in the way it's used.
10. Monitoring and Enforcement: Service organizations must monitor their compliance with their privacy practices.

If you're ready to begin your SOC 2 audit report and need some help determining which of the Trust Services Criteria you should include, contact us today.

Stay Connected
Twitter: https://twitter.com/KPAudit
LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc
Facebook: https://www.facebook.com/kirkpatrickprice/

More Free Resources
Blog: https://kirkpatrickprice.com/blog/
Webinars: https://kirkpatrickprice.com/webinars/
Videos: https://kirkpatrickprice.com/video/
White Papers: https://kirkpatrickprice.com/white-papers/

About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance, performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, GDPR, ISO 27001, FISMA, and CFPB frameworks.

For more about KirkpatrickPrice: https://kirkpatrickprice.com/
Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/