Understanding the Nuances: Privacy and Confidentiality

Shonda Knowles Elliott, CPA

October 26, 2023

The Compass

In the digital age, where data is the new currency, businesses must prioritize the security and integrity of their clients' information. To demonstrate this, many organizations adhere to frameworks like SOC 2 (System and Organization Controls), developed by the American Institute of CPAs (AICPA). SOC 2 reports provide an independent auditor’s opinion on the design and operating effectiveness of a company’s information security policies and practices. Within this framework, two crucial categories—privacy and confidentiality—play distinct roles in safeguarding sensitive data.


Privacy, within the SOC 2 framework, refers to the protection of personal information. This includes any data that can identify an individual, such as names, addresses, social security numbers, or email addresses. Privacy controls ensure that businesses collect, use, retain, disclose, and dispose of this information in a manner consistent with the commitments they make to their customers.

Under the privacy trust service category, companies implement measures such as data encryption, access controls, and regular security assessments. They must be transparent about their data collection practices, inform customers about how their data will be used, and provide mechanisms for individuals to opt out if they wish to withhold their information. Privacy controls therefore focus on respecting individual rights and preventing unauthorized access to personal data.

Confidentiality, on the other hand, encompasses a broader spectrum of data. It includes not only personal information but also business-sensitive data, trade secrets, financial records, and intellectual property. The confidentiality trust service category aims to ensure that organizations protect all types of sensitive information from unauthorized access, disclosure, alteration, destruction, and disruption.

To maintain confidentiality, companies establish stringent access controls, conduct regular employee training, and employ encryption techniques. They implement policies that restrict access to sensitive data only to authorized personnel and monitor user activities to detect and prevent any suspicious behavior. By doing so, organizations safeguard their intellectual assets and maintain the trust of their clients and partners.

Key Differences

The primary distinction between the privacy and confidentiality trust service categories lies in the type of data they protect. Privacy is specifically concerned with personal information and may, in part, address compliance with legal regulations such as GDPR or CCPA. Confidentiality, on the other hand, encompasses a broader range of data beyond personal identifiers.

Additionally, the methods employed to secure these categories differ. Privacy controls emphasize transparent data practices and individual consent, ensuring that personal information is handled ethically and legally. Confidentiality controls, on the other hand, focus on protecting sensitive business data from both external and internal threats, preserving the integrity and competitive advantage of the organization.

In summary, while privacy and confidentiality are intertwined, they represent distinct facets of data security within the SOC 2 framework. Privacy safeguards individuals' personal information and embodies the unique considerations in handling information related to people, while confidentiality encompasses a wider array of sensitive data, safeguarding a company's core assets and trade secrets. By understanding these differences, businesses can tailor their security measures to comprehensively protect both their clients and their organizational integrity.

Which to Choose?

When scoping a SOC 2 report, choosing between privacy and confidentiality hinges on the nature of the data your organization handles. Include the privacy trust services criteria if your system creates, collects, transmits, uses, or stores personal information, or if your organization makes commitments to its system users regarding notice of privacy practices; data subjects’ rights and choices regarding access to, use of, and disclosure of their personal information; and inquiry, complaint, and dispute processes. For broader data protection, including trade secrets and financial records, include the confidentiality trust services criteria. Generally, privacy is most relevant for data controllers (organizations that handle data subjects’ personal information directly), whereas confidentiality is sufficient to meet the service commitments of data processors (organizations that process personal information provided by data controllers rather than by the data subjects themselves). Evaluate the scope of your data processing activities and select the appropriate category to align with your organization's specific security needs, thereby ensuring a comprehensive and tailored SOC 2 report.
