As more and more Americans conduct the business of their lives and social connections online, protecting privacy data increasingly emerges as a top concern. However, a new tool from the National Institute of Standards and Technology (NIST) may help individuals and organizations alike breathe a bit easier, NIST announced.
The agency just released the preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. The document aims to help organizations with a tricky task: maximizing beneficial uses of data while minimizing privacy problems for individuals, NIST reported. Poor data management can result in a range of problems for individuals and organizations, and can damage an organization’s reputation and expose it to financial liability.
The NIST Privacy Framework provides guidance for organizations that need to develop strategies to minimize privacy risks while still accomplishing their missions. It also provides a way for organizations to have productive dialogues about privacy risks arising from their products or services, according to NIST.
Privacy as a fundamental American value reaches back to the U.S. Constitution’s Fourth Amendment, Lefkovitz said, but when it comes to digital information, protecting it can mean controlling personal information or hiding it from easy view. An organization might use cryptography, for example, or de-identification techniques to limit the inferences that can be made about people from their online behavior or digital transactions.
Because there are many valid methods of protecting privacy data, the framework offers organizations the option of choosing different types of protection outcomes, ones that suit their business environments and allow them to meet the privacy needs of individuals who use their services.
Privacy is a concept distinct from security, but the two are intimately connected in the digital world. A security breach of a company’s database might expose private information about thousands of individuals. For that reason, many industry stakeholders over the past year requested that NIST align the Privacy Framework with the Cybersecurity Framework, one of NIST’s flagship publications.
Thus, the Privacy Framework is aligned with the Cybersecurity Framework, and they are designed to be used together, NIST said.
Both documents help organizations assess their own risks and achieve their particular goals. Similar to the Cybersecurity Framework structure, the Privacy Framework centers on three parts:
- The Core offers a set of privacy protection activities and enables a dialogue within an organization about the outcomes it desires.
- Profiles help determine which of the activities in the Core an organization should pursue to reach its goals most effectively.
- Implementation Tiers help optimize the resources dedicated to managing privacy risk. One company might have more risks, for example, and might need to have a chief privacy officer, while another might not.
Lefkovitz emphasized that the framework is not a simple one-size-fits-all checklist of action items.
“A checklist-based approach might make you overinvest in less effective privacy solutions for your situation or underinvest in the ones that would give you the most privacy benefit,” Lefkovitz said. “The framework is designed to help your organization recognize and then address its own potentially unique situation.”
NIST has posted a notice in the Federal Register and will accept public comments on the draft Privacy Framework until 5 p.m. EDT on Oct. 24, 2019. The NIST authors plan to update the draft framework based on public feedback before issuing a version 1.0, expected by the end of 2019.
“Privacy risk management practices are not yet well understood,” Lefkovitz said. “This document is just a beginning. In collaboration with our stakeholders, we will build more guidance around it.”