SOC 2 Recording the Disclosure of Personal Information (P6.2)
Overview:
The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity’s objectives related to privacy.
Action Items:
1) Create a privacy notice (externally facing) and a privacy policy (internally facing), and publish them on the company intranet for employees to access and review.
2) Inspect the privacy notice to determine that the privacy notice includes the purpose for disclosing personal information to third parties, as applicable to the entity.
3) Inquire of the senior compliance manager, or equivalent, regarding a disclosure log to determine that the company maintains a disclosure log to record all requests for disclosure of personal information.
Related Documents:
1) Privacy notice
2) Privacy policy
3) Documented disclosure log for all requests for disclosure of personal information.
Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:
1) Creates and Retains Record of Authorized Disclosures—The entity creates and maintains a record of authorized disclosures of personal information that is complete, accurate, and timely.