NIST Proposes a Privacy Framework, Seeks Public Comment

The National Institute of Standards and Technology (NIST), whose Cybersecurity Framework has become a global best-practices benchmark for information security, has embarked on a similar privacy standards effort. On September 9, the U.S. Commerce Department agency released a preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.

Almost a year in the making and based on “extensive public conversations,” according to a NIST announcement, the new 42-page document positions privacy as distinct from but intimately connected with security, particularly in an increasingly data- and technology-dependent age. The privacy and cybersecurity frameworks are meant to be complementary and used together.

The proposed privacy framework is open for public comment until October 24, and a completed version 1.0 is expected by year-end. The cybersecurity framework's version 1.0 was published in February 2014; version 1.1 followed in April 2018.

“Privacy risk management practices are not yet well understood,” stated Naomi Lefkovitz, a senior NIST privacy policy adviser and the project leader. “This document is just a beginning. In collaboration with our stakeholders, we will build more guidance around it.”

Structural Components

In parallel with the cybersecurity framework, the privacy draft outlines three components and says that each “reinforces privacy risk management through the connection between business and mission drivers and privacy protection activities”:

- “The Core” relates to dialogue from the executive to the operational level about important privacy protection activities and desired outcomes.

- “Profiles” help determine which “core” activities should be prioritized in line with organizational privacy values, mission and business needs, and risks.

- “Implementation Tiers” support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk. For example, an organization's risk profile might call for appointment of a chief privacy officer, but, Lefkovitz pointed out, rules do not apply to all uniformly, nor would a rigid checklist be effective in each unique situation.

“In summary, the privacy framework is intended to help organizations build better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio,” says the draft's executive summary.

The framework's introduction notes how privacy and other performance factors are interconnected: “Failure to manage privacy risks can have direct adverse consequences for people at both the individual and societal level, with follow-on effects on organizations' reputation, bottom line, and future prospects for growth. Finding ways to continue to derive benefits from data while simultaneously protecting individuals' privacy is challenging, and not well-suited to one-size-fits-all solutions.”

Relationship Between Privacy Risk and Organizational Risk

Consensus and Debate

Although cybersecurity and privacy issues and approaches are inter-related and overlap, and cybersecurity risk management contributes to privacy risk management, “privacy risks can also arise outside the scope of cybersecurity risks,” NIST says.

The draft framework makes repeated mention of the complex and challenging nature of privacy, both conceptually and in how it is integrated into risk management.

Whereas there is broad consensus regarding the severity of data security threats and the need for defensive measures, privacy is definitionally more nuanced. The U.S. Constitution does not explicitly guarantee personal privacy, in contrast to the statutory protections of the European Union and other jurisdictions.

The Constitution's Fourth Amendment protection “against unreasonable searches and seizures” does establish privacy as a fundamental value, Lefkovitz said, but it is complicated in the context of digital information, for which protection might amount to controlling it or hiding it from easy view.

“We see privacy as something that safeguards human values, like dignity and autonomy,” said Lefkovitz. “It's a challenging topic, though, because we have so many individual and societal conceptions of what privacy means.”

“A Common Language”

As explained in the draft framework, “Privacy is challenging because not only is it an all-encompassing concept that helps to safeguard important values such as human autonomy and dignity, but also the means for achieving it can vary . . . Moreover, human autonomy and dignity are not fixed, quantifiable constructs; they are filtered through cultural diversity and individual differences.

“This broad and shifting nature of privacy makes it difficult to communicate clearly about privacy risks within and between organizations and with individuals. What has been missing is a common language and practical tool that is flexible enough to address diverse privacy needs.”

The privacy framework is said to provide “a common language to communicate requirements with parties within the data processing ecosystem . . . Organizational practices should address this management of privacy risk, including identifying, assessing, and mitigating privacy risks arising from the processing of data, as well as from systems, products, and services that inherently lack the capabilities to mitigate privacy risks.”

The draft says that the privacy framework “can assist an organization in its efforts to optimize beneficial uses of data and the development of innovative systems, products, and services, while minimizing adverse consequences for individuals.” It can help answer the fundamental question, “How are we considering the impacts to individuals as we develop our systems, products, and services?” and “serve as the foundation for a new privacy program or a mechanism for improving an existing program.

“In either case, it is designed to complement existing business and system development operations, to provide a means of expressing privacy requirements to business partners and customers, and to support the identification of gaps in an organization's privacy practices.”