AuditFront

SOC 2 P6.5: Privacy - Accounting of Disclosures

What This Control Requires

The entity accounts for disclosures of personal information to meet the entity's objectives related to privacy. The entity maintains records that allow it to account for all disclosures of personal information to data subjects and regulatory authorities upon request.

In Plain Language

If a data subject or regulator asks "show me everywhere my data has gone," you need to produce a complete, accurate answer. This goes beyond the basic disclosure logging in P6.2 - it is about the ability to reconstruct the full disclosure history for any specific individual across every channel and system.

That means aggregating disclosure records from automated integrations, manual processes, law enforcement requests, and breach-related disclosures into a single, queryable view per person. The key word is "complete" - partial answers create more problems than they solve.

Auditors will test this by asking you to generate an accounting of disclosures for a sample individual. They want to see that it covers all disclosure channels, that the process is documented and repeatable, and that you have actually tested it before they showed up.

How to Implement

Start with the disclosure logging from P6.2 and add the ability to query and aggregate by individual data subject. Implement indexing or tagging that links every disclosure record to a specific person, so you can pull their complete history efficiently.

Define a standard report format for disclosure accountings. For each disclosure, include the date, the third-party recipient, categories of personal data disclosed, the purpose, and the legal basis. Organise chronologically so it tells a clear story.

Build the capability to generate these reports on demand. Document the procedure: what input you need (individual identifier), how the system queries all disclosure logs, and what the output looks like. Automate as much as possible - you do not want a manual process that takes days when a regulator is waiting.

Make sure every channel is covered. API-based sharing, batch transfers, email disclosures, support ticket data, law enforcement disclosures, breach notifications - if personal data left your organisation through it, the accounting system needs to capture it.

Test this regularly. Generate sample accountings and cross-check them against known disclosure records. Run the full end-to-end process from request receipt to report delivery. Find and fix gaps before an auditor or regulator does.

Document who can request a disclosure accounting and how. Data subjects have this right under various regulations. Define how requests come in, how you verify identity, how quickly you respond, and any applicable limitations or exceptions.
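The implementation steps above (per-subject indexing, a fixed report format, on-demand generation, channel coverage, and filtering for regulatory exceptions) can be demonstrated in a small ledger. The following is an added example, not AuditFront's code or any product's API; the channel list, record fields and sample disclosures are constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Every route by which personal data can leave the organisation. The accounting
# is only complete if each of these channels feeds the ledger (constructed list).
EXPECTED_CHANNELS = frozenset({
    "api", "batch", "email", "support_ticket", "law_enforcement", "breach_notification",
})


@dataclass(frozen=True)
class Disclosure:
    """One disclosure event, carrying the fields the standard report needs."""
    subject_id: str        # identifier linking the record to one data subject
    disclosed_on: date
    recipient: str         # third party that received the data
    categories: tuple      # categories of personal data disclosed
    purpose: str
    legal_basis: str
    channel: str           # which disclosure channel produced this record
    routine: bool = False  # disclosure a regulation may exclude from the accounting


class DisclosureLedger:
    """Aggregates disclosure records from all channels, indexed by data subject."""

    def __init__(self):
        self._by_subject = defaultdict(list)
        self._channels_seen = set()

    def record(self, d: Disclosure) -> None:
        # Reject records from channels nobody has declared: they would silently
        # widen the accounting without anyone having verified the feed.
        if d.channel not in EXPECTED_CHANNELS:
            raise ValueError(f"unknown disclosure channel: {d.channel}")
        self._by_subject[d.subject_id].append(d)
        self._channels_seen.add(d.channel)

    def accounting(self, subject_id, since=None, exclude_routine=False):
        """Complete, chronological disclosure history for one individual.

        `since` limits the window (for example a regulatory look-back period);
        `exclude_routine` drops records the requester's regime exempts.
        """
        rows = self._by_subject.get(subject_id, [])
        rows = [r for r in rows if since is None or r.disclosed_on >= since]
        if exclude_routine:
            rows = [r for r in rows if not r.routine]
        return sorted(rows, key=lambda r: (r.disclosed_on, r.recipient))

    def report(self, subject_id, **kwargs) -> str:
        """Render the accounting in one fixed format so responses are consistent."""
        lines = [f"Accounting of disclosures for {subject_id}"]
        for r in self.accounting(subject_id, **kwargs):
            lines.append(
                f"{r.disclosed_on.isoformat()} | {r.recipient} | "
                f"{', '.join(r.categories)} | {r.purpose} | {r.legal_basis} | via {r.channel}"
            )
        if len(lines) == 1:
            lines.append("(no disclosures recorded)")
        return "\n".join(lines)

    def missing_channels(self) -> frozenset:
        """Channels that have never fed a record: a sign the accounting is incomplete."""
        return EXPECTED_CHANNELS - self._channels_seen


def build_sample_ledger() -> DisclosureLedger:
    """Constructed sample records spanning several channels (not real data)."""
    ledger = DisclosureLedger()
    sample = [
        Disclosure("subj-001", date(2024, 3, 2), "Payments Processor Ltd", ("name", "card token"),
                   "payment processing", "contract", "api", routine=True),
        Disclosure("subj-001", date(2023, 11, 15), "Cloud Support Vendor", ("name", "email"),
                   "support escalation", "legitimate interest", "support_ticket"),
        Disclosure("subj-001", date(2024, 6, 20), "National Police", ("name", "address"),
                   "lawful request", "legal obligation", "law_enforcement"),
        Disclosure("subj-001", date(2024, 7, 1), "Data Protection Authority", ("email",),
                   "breach notification", "legal obligation", "breach_notification"),
        Disclosure("subj-002", date(2024, 1, 9), "Marketing Partner Inc", ("email",),
                   "co-marketing", "consent", "email"),
    ]
    for d in sample:
        ledger.record(d)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.report("subj-001"))
    # Completeness test from the implementation steps: any channel that has never
    # produced a record is a gap to investigate before an auditor asks.
    print("channels never seen:", sorted(ledger.missing_channels()))
```

The `missing_channels` check is the kind of regular test the section calls for: in the sample data the `batch` channel has never fed a record, which is exactly the situation that produces an incomplete accounting. Rejecting undeclared channels at `record` time keeps the declared channel list and the actual feeds in sync rather than letting them drift apart.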

Evidence Your Auditor Will Request

  • Disclosure accounting capability documentation showing query and report generation process
  • Sample disclosure accounting reports for individual data subjects
  • Evidence that all disclosure channels are captured in the accounting system
  • Testing records verifying completeness and accuracy of disclosure accountings
  • Request handling procedures for disclosure accounting requests from data subjects and regulators

Common Mistakes

  • Disclosure records cannot be queried by individual, preventing generation of per-person accountings
  • Some disclosure channels are not captured in the accounting system, producing incomplete records
  • No standard format exists for disclosure accounting reports, leading to inconsistent responses
  • The accounting capability has not been tested, and completeness is unverified
  • No process exists for handling accounting-of-disclosures requests from data subjects

Related Controls Across Frameworks

Framework    Control ID    Relationship
ISO 27001    A.5.34        Partial overlap
ISO 27001    A.8.15        Related

Frequently Asked Questions

How far back must the accounting of disclosures go?

It depends on which regulations apply to you. HIPAA requires six years of history. GDPR expects records for as long as you process the individual's data. If no specific regulation sets a timeframe, keep disclosure records for at least 3 years or the duration of your data retention policy, whichever is longer. Err on the side of keeping more history rather than less.

Do we need to include routine disclosures in the accounting?

Under HIPAA, certain routine disclosures (treatment, payment, healthcare operations) are explicitly excluded from the accounting requirement. Under GDPR, the focus is on providing information about recipients or categories of recipients. Check your specific regulatory obligations. The pragmatic approach is to capture all disclosures in your system and then filter the output based on the regulatory context of each request.

How do we handle accounting for shared or aggregated data?

If the data is truly anonymised so individuals cannot be re-identified, it generally falls outside the disclosure accounting requirement. But if it is pseudonymised - still linkable to individuals with additional information - it counts and should be included. Document your criteria for determining when shared data qualifies as a personal information disclosure. Auditors will want to see that you have thought this through rather than just assuming aggregation means anonymisation.
