SOC 2 Confidentiality Policy

Confidentiality and privacy are often confused, but the two concepts are not interchangeable.

Confidentiality is about limiting access to information that should only be seen by certain people. Access policies define who may see which data; monitoring then checks that those policies are actually being followed. Tracking who has access to specific data, and whether that access is still justified by a business need and the person's job responsibilities, is how an organization shows that confidentiality is intact.

Privacy is not about limiting access to information but about ensuring that personal information is used in accordance with your organization’s stated privacy policies and the law. Access controls limit who can see a piece of data, but they do not govern how that person uses it after viewing it; privacy controls address that second question.

Your organization must not disclose personal information about an individual except as permitted by law and by its own privacy policy. That is why organizations must ensure that their privacy policies are followed. Privacy means complying with applicable laws and government regulations, such as HIPAA, and with internal policies that prohibit unnecessary disclosure of personal data.

In both cases, compliance with the stated policy is crucial for protecting confidentiality and privacy.

What is a Confidentiality Policy, and Why is it Important?

The confidentiality policy is a crucial element for protecting sensitive information from unauthorized access. It regulates which types of data are collected, how the organization may use them, and who can access them. It should be written so that it helps your organization understand how information is collected and shared by employees, prevents disclosure of sensitive data, and guides the response to security incidents.

A confidentiality policy defines what constitutes confidential information and how companies should handle it. This type of policy is specific to the company, as each industry has its own data types that must be protected. These policies can vary significantly from business to business, but there are some commonalities, such as defined levels of protection for specific types of information.

A confidentiality policy helps organizations identify and protect sensitive information, both inside the organization and beyond it. The policy should also recognize that information which is not sensitive to your own organization may nonetheless be treated as confidential by an external party. For example, a software license key may reveal nothing about your organization’s data, yet the vendor that issued it will usually require that it be kept confidential, and your policy should honor that obligation.

A confidentiality policy applies to:

  • All employees of the organization, whether full-time or part-time, temporary, permanent, or contracted;
  • Employees of any business partners with access to sensitive information (regardless of title or job description).

The policy outlines the minimum requirements for ensuring confidentiality. Employees should use good judgment when making decisions about disclosure and discuss issues with their manager if they are unsure.

Confidentiality Policy Scope and Details

The confidentiality policy should be owned by the board of directors or equivalent governing body responsible for information protection. It must be communicated as a vital element of the organization’s commitment to protecting customer information.

What information will this policy cover? 

The confidentiality policy is designed to protect all types of sensitive data identified in the scope section. This policy applies to everyone in the organization, including employees, agents, contractors, consultants, and business partners. Here are some examples of data that is usually covered by this policy:

  • Personal customer information such as Social Security numbers, bank account numbers, and any other personally identifiable information;
  • Customer payment information, including credit card numbers and other financial data;
  • Confidential business information such as trade secrets or private business transaction details.

How is this policy enforced? 

Sensitive information must be protected by both physical and technical security safeguards, as well as appropriate management policies. All employees are responsible for knowing what types of data require protection, how they should protect it, and where it is stored within the organization. Employees are expected to maintain confidentiality for all customer information, including internal or external communications regarding such information.

If the organization plans to disclose client data to third parties, confidentiality agreements should be required. The agreement must include appropriate safeguards to protect the confidentiality of sensitive customer information. Organizations should require that these agreements contain contractual language binding the third party and its personnel both during the engagement and after it ends.

The policy can include a section that describes how employees should handle situations in which they suspect unnecessary disclosure of confidential client data. That includes guidance on when and with whom to report concerns.

Termination – This policy remains in effect even after an employee has been terminated from employment for any reason. Employees must continue to maintain the confidentiality of client information even after termination and may not use or disclose any client data.

What training should be given to employees?

Information security awareness and training are essential for adequate information protection. All employees should be trained on the importance of confidentiality and maintain a high level of understanding regarding their responsibilities concerning confidential data. Regular refresher training must also be provided as a reminder of all policies related to confidentiality, including this policy. Training topics may include:

  • Promoting confidentiality as an organizational value;
  • Proper handling of sensitive information;
  • Prohibiting the discussion or distribution of confidential client data outside the company, including by email or other electronic means;
  • Understanding the importance of protecting trade secrets and intellectual property.

The confidentiality policy should be included in the employee handbook and training materials so that employees understand their responsibilities for protecting client data. Employees should be aware of all procedures related to confidentiality and follow them at all times.

Potential consequences for employees not following the confidentiality policy

Employees should understand the risks associated with revealing client data to unauthorized third parties, even accidentally. Employees who violate this policy may be subject to disciplinary action up to and including termination, and they may also be liable for civil or criminal penalties under applicable law. The policy should state plainly that it will be enforced.

Some examples of Confidentiality controls:

  • Store confidential information on managed servers, encrypt it at rest and in transit (e.g., over the network or when sent to a printer), and require users to authenticate with individual accounts, preferably with multi-factor authentication; periodic credential expiry alone is a weaker control and should not be relied on by itself.
  • Limit access based on roles and job functions of each employee or contractor depending on their need-to-know.
  • Use anti-virus software to protect desktops and laptops from malware.
  • Configure firewalls to prevent unauthorized network access.
  • Limit the sharing of data with third-party service providers.
  • Monitor for unusual activity, including ports left open, failed login attempts recorded in system logs, unusual traffic patterns, and access that appears to come from a system that should not have the access required for that type of data.
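Two of the controls above (need-to-know access limited by role, and monitoring logs for failed logins and for access from systems that should not reach a given data class) can be checked mechanically. The following is an added example written for this page, not a tool from the original article or any SOC 2 auditor; the key=value log format, the role and host policy tables, and the sample log lines are all assumptions constructed for the demonstration.

```python
"""Sample confidentiality monitoring: need-to-know checks and failed-login bursts.

Assumed log format (constructed for this example, one event per line):
  <ISO timestamp> host=<name> user=<id> role=<role> action=<login|read> [data=<class>] result=<success|failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed need-to-know policy: which roles may read which data classes.
ROLE_ALLOWED = {
    "payments-analyst": {"payment-card", "customer-pii"},
    "support-agent": {"customer-pii"},
    "marketing": set(),
}
# Assumed placement policy: which hosts are permitted to hold each data class.
HOST_ALLOWED = {
    "payment-card": {"pci-app-01"},
    "customer-pii": {"pci-app-01", "crm-01"},
}

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=crm-01 user=alice role=support-agent action=login result=success
2024-05-01T10:00:05Z host=crm-01 user=alice role=support-agent action=read data=customer-pii result=success
2024-05-01T10:01:10Z host=pci-app-01 user=bob role=marketing action=read data=payment-card result=success
2024-05-01T10:02:00Z host=build-07 user=carol role=payments-analyst action=read data=payment-card result=success
2024-05-01T10:03:00Z host=crm-01 user=mallory role=support-agent action=login result=failure
2024-05-01T10:03:20Z host=crm-01 user=mallory role=support-agent action=login result=failure
2024-05-01T10:03:40Z host=crm-01 user=mallory role=support-agent action=login result=failure
2024-05-01T10:04:00Z host=crm-01 user=mallory role=support-agent action=login result=failure
2024-05-01T10:04:20Z host=crm-01 user=mallory role=support-agent action=login result=failure
2024-05-01T10:05:00Z host=crm-01 user=dave role=support-agent action=login result=failure
2024-05-01T10:05:30Z host=crm-01 user=dave role=support-agent action=login result=failure
2024-05-01T10:30:00Z host=crm-01 user=mallory role=support-agent action=login result=failure
"""


def parse_line(line):
    """Parse one key=value log line into a dict; 'ts' becomes a datetime."""
    ts_str, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def check_need_to_know(event):
    """Return findings for a read that violates the role or host policy."""
    findings = []
    if event.get("action") != "read":
        return findings
    data = event["data"]
    if data not in ROLE_ALLOWED.get(event["role"], set()):
        findings.append(f"role {event['role']} is not entitled to {data}")
    if event["host"] not in HOST_ALLOWED.get(data, set()):
        findings.append(f"host {event['host']} is not permitted to hold {data}")
    return findings


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (user, host, count) for each account/host pair whose failed
    logins reach `threshold` within any sliding `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("action") == "login" and e.get("result") == "failure":
            by_key[(e["user"], e["host"])].append(e["ts"])
    alerts = []
    for (user, host), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, host, end - start + 1))
                break  # one alert per account/host pair is enough here
    return alerts


def analyse(log_text):
    """Run both checks over a log and return the findings."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    access = [(e["user"], f) for e in events for f in check_need_to_know(e)]
    return {"access": access, "bursts": failed_login_bursts(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for user, finding in result["access"]:
        print(f"need-to-know violation by {user}: {finding}")
    for user, host, count in result["bursts"]:
        print(f"failed-login burst: {count} failures for {user} on {host}")
```

On the constructed log this flags bob (a marketing role reading card data), carol (card data read from a build host outside the permitted set), and a burst of five failed logins for mallory on crm-01, while dave's two failures stay below the threshold and mallory's late single failure falls outside the window. In practice the policy tables would come from the access-control system of record rather than being hard-coded, so that the monitoring checks the same entitlements the policy says should exist.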

The type and amount of confidentiality control required from organizations depend on the industry that is being served. For example, a financial services organization will have more stringent requirements than an online retailer or game-streaming service.


Organizations should establish a corporate culture where confidentiality is valued, and employees are encouraged to report suspected violations. It is vital that all staff members are aware of the consequences if they violate this policy. 

In addition, organizations should monitor and audit compliance with this policy to ensure that all employees understand their responsibility for maintaining confidentiality. If you are looking for help with writing your confidentiality policy or any cybersecurity and compliance services, contact us today!
