NIST Releases Privacy Framework

Author:Mr Jonathan Cedarbaum

On January 16, the Commerce Department's National Institute of Standards and Technology (NIST) released version 1.0 of its Privacy Framework: A Tool for Privacy Through Enterprise Risk Management. The product of a two-year consultation process with private-sector and public-sector stakeholders, the Privacy Framework sets out a group of voluntary standards and methods to help companies of all sizes in (i) “[t]aking privacy into account as they design and deploy systems, products, and services that affect individuals”; (ii) “[c]ommunicating about their privacy practices”; and (iii) “[e]ncouraging cross-organizational workforce collaboration—for example, among executives, legal, and information technology (IT)” personnel in the “achievement of [privacy] outcomes.” The Framework is thus intended to assist companies in “[b]uilding customers' trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals' privacy and society as a whole”; “[f]ulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment”; and “[f]acilitating communication about privacy practices with individuals, business partners, assessors, and regulators.”

Like its predecessor, the NIST Cybersecurity Framework, the NIST Privacy Framework is likely to prove influential with regulators and policymakers around the globe. As the collection and processing of data about individuals becomes more central to the business models of companies across the economy—and as the varieties of personal data available continue to expand—the Privacy Framework offers companies an important resource to think more systematically about their privacy practices, the risks those practices may create, and the most sensible strategies for addressing those risks.

Core, Profiles, Implementation Tiers

Like the Cybersecurity Framework, the Privacy Framework consists of three components: a Core, Profiles, and Implementation Tiers.

The Core identifies “an increasingly granular set of activities and outcomes that enable a dialogue about managing privacy risk,” grouped into five broad functional categories: identify, govern, control, communicate, protect:

Identify: these activities address[i]nventorying the circumstances under which data are processed, understanding the privacy interests of...

To continue reading