
SOC 2 P6.2: Privacy - Authorized Disclosures Only

What This Control Requires

The entity creates and retains a complete, accurate, and timely record of authorized disclosures of personal information to meet the entity's objectives related to privacy.

In Plain Language

When a data subject asks "who has my data?", you need to be able to answer that question accurately and completely. That is the core of this control - maintaining a clear record trail of every time personal information leaves your organisation. This covers both automated transfers (API integrations, batch exports, database syncs) and manual ones (emailing a spreadsheet to a partner, exporting data for a support ticket). Each record should capture who received the data, what was shared, when, why, and how. Auditors will sample your known third-party sharing arrangements and check whether corresponding disclosure records exist. They will also test whether you can produce a disclosure history for any given individual on request. Gaps between your actual sharing and your records are a clear finding.

How to Implement

Set up automated logging for all system-to-system data transfers involving personal information. Capture the sender, recipient, data categories transferred, date and time, purpose, and transfer method. Configure your application and integration logging to record this automatically for API-based sharing, batch file transfers, and database exports.

Create a straightforward process for logging manual disclosures. When someone shares personal data by email, through support tickets, or via one-time exports, they need to document it with the same detail as automated transfers. Give them a simple template or form so the records stay consistent.

Bring all disclosure records into a single repository - whether that is a GRC platform, a database, or a structured log system. Having one place to search makes it far easier to respond to data subject requests and satisfy auditors.

Protect your disclosure records with proper access controls. Nobody should be able to modify or delete records without authorisation. Keep records for at least as long as applicable regulations require, plus a reasonable buffer.

Build and test the ability to generate a disclosure history for any individual data subject. When someone exercises their right to know who has received their data, you should be able to pull a comprehensive report across all disclosure channels. Test this before an auditor asks for it.

Review your disclosure records periodically. Confirm that all known sharing arrangements are generating logs, that no unauthorised disclosures are slipping through, and that records are accurate and complete. Fix any gaps immediately.
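The following is an added illustration, not AuditFront's own code or tooling: a minimal disclosure log that enforces the fields described above, chains records by hash so modification or deletion is detectable, produces a per-subject disclosure history, and reports known sharing arrangements that have no record. The vendor names, subject IDs and field values are constructed sample data.

```python
import hashlib, json
from datetime import datetime, timezone

# Fields every disclosure record must carry: whose data, who disclosed it, to whom, what, why, on what basis, how.
REQUIRED = ("subject_id", "discloser", "recipient", "data_categories",
            "purpose", "authorization_basis", "method")
GENESIS = "0" * 64

def _digest(entry):  # hash of every field except the hash itself
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class DisclosureLog:
    """Append-only disclosure log; each record hashes the previous one so edits or deletions show up."""
    def __init__(self):
        self._records = []

    def record(self, **fields):
        missing = [k for k in REQUIRED if not fields.get(k)]
        if missing:  # reject incomplete records instead of storing a half-told story
            raise ValueError(f"incomplete disclosure record, missing: {missing}")
        entry = dict(fields)
        entry.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
        entry["prev_hash"] = self._records[-1]["hash"] if self._records else GENESIS
        entry["hash"] = _digest(entry)
        self._records.append(entry)
        return entry["hash"]

    def history(self, subject_id):  # disclosure history for one data subject, all channels
        return [r for r in self._records if r["subject_id"] == subject_id]

    def verify_chain(self):  # False if any record was altered, removed or reordered
        prev = GENESIS
        for r in self._records:
            if r["prev_hash"] != prev or _digest(r) != r["hash"]:
                return False
            prev = r["hash"]
        return True

    def coverage_gaps(self, known_recipients):  # known sharing arrangements with no record at all
        return sorted(set(known_recipients) - {r["recipient"] for r in self._records})

def build_sample_log():
    # Constructed sample data (hypothetical vendors and subjects): two API transfers, one manual email.
    log = DisclosureLog()
    for sid, ts in (("u-1001", "2024-03-01T10:00:00Z"), ("u-2002", "2024-03-01T10:00:05Z")):
        log.record(subject_id=sid, discloser="billing-service", recipient="vendor-a", data_categories=["name", "email"],
                   purpose="invoice delivery", authorization_basis="contract", method="api", timestamp=ts)
    log.record(subject_id="u-1001", discloser="support-agent-17", recipient="vendor-b", data_categories=["email", "ticket text"],
               purpose="escalated support case", authorization_basis="consent", method="manual email", timestamp="2024-03-02T09:30:00Z")
    return log
```

In production the chain head would be anchored somewhere outside the writers' control (a WORM bucket or a signed checkpoint) so that rewriting the whole chain is not an option; the periodic review described above is where `verify_chain` and `coverage_gaps` would run.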

Evidence Your Auditor Will Request

  • Automated disclosure logging configurations for system-to-system data transfers
  • Manual disclosure logging procedures and templates with sample completed records
  • Centralized disclosure record repository with access controls
  • Sample disclosure history reports for individual data subjects
  • Periodic review records verifying completeness and accuracy of disclosure logs

Common Mistakes

  • Automated data transfers to third parties are not logged, creating gaps in disclosure records
  • Manual disclosures (email, ad hoc exports) are not documented consistently
  • Disclosure records lack sufficient detail to identify what data was shared and why
  • No centralized repository for disclosure records, making reporting and auditing difficult
  • Inability to produce a disclosure history for an individual data subject upon request

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.34        Partial overlap
ISO 27001    A.8.15        Related

Frequently Asked Questions

How detailed do disclosure records need to be?
Detailed enough to answer five questions: who disclosed it, what data was shared, to whom, when, and why. At minimum you need the date, the third-party recipient, the categories of personal data, the purpose, and the authorisation basis. For automated transfers, also record which system or integration facilitated the transfer. Think of it as building an audit trail that tells the full story.
How long should disclosure records be retained?
Keep them at least as long as your retention policy requires for the personal information itself, plus a buffer for disputes or regulatory inquiries. Under GDPR, you need to demonstrate compliance on an ongoing basis, so records should last the duration of the processing activity. Most organisations settle on 3-5 years or whatever their regulatory requirements dictate, whichever is longer.
Do we need to log disclosures to our own sub-processors?
Yes. Cloud providers, SaaS tools, outsourced service providers - if personal data flows to them, log it. This shows accountability and means you can report the full chain of data sharing when a data subject asks or a regulator comes knocking. It is also one of the things auditors specifically look for when testing this control.
