Protecting our privacy while keeping the digital wheels of society turning may feel mutually exclusive at times, but a new tool from the National Institute of Standards and Technology (NIST) may help all of us — individuals and organizations alike — breathe a bit easier.
The agency has just released the preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management. The document aims to help organizations with a tricky task: maximizing beneficial uses of data while minimizing privacy problems for individuals. While data can enhance airport security, develop social connections, or serve myriad other positive purposes, inadequate data management can result in a range of problems for individuals. In turn, these problems can affect an organization’s reputation and bottom line.
Based on nearly a year of extensive public conversations, the NIST Privacy Framework provides guidance for organizations that need to develop strategies to minimize privacy risks while still accomplishing their missions. It also provides a way for organizations to have productive dialogues about privacy risks arising from their products or services.
“We see privacy as something that safeguards human values, like dignity and autonomy,” said Naomi Lefkovitz, a senior privacy policy adviser at NIST and leader of the framework effort. “It’s a challenging topic, though, because we have so many individual and societal conceptions of what privacy means.”
Privacy as a fundamental American value reaches back to the U.S. Constitution’s Fourth Amendment, Lefkovitz said, but when it comes to digital information, protecting it can mean controlling personal information or hiding it from easy view. An organization might use cryptography, for example, or de-identification techniques to limit the inferences that can be made about people from their online behavior or digital transactions.
Because there are many valid methods of achieving privacy, the framework offers organizations the option of choosing different types of protection outcomes, ones that suit their business environments and allow them to meet the privacy needs of individuals who use their services.
Privacy is a concept distinct from security, but the two are intimately connected in our digital world. A security breach that cracks a company’s database might reveal private information about thousands of individuals. For that reason, many industry stakeholders over the past year requested that NIST align the Privacy Framework with the Cybersecurity Framework, one of NIST’s flagship publications.
The Privacy Framework is therefore aligned with the Cybersecurity Framework both structurally and conceptually, and they are designed to be used together.
Both documents help organizations assess their own risks and achieve their particular goals. Similar to the Cybersecurity Framework structure, the Privacy Framework centers on three parts:
- The Core offers a set of privacy protection activities and enables a dialogue within an organization about the outcomes it desires.
- Profiles help determine which of the activities in the Core an organization should pursue to reach its goals most effectively.
- Implementation Tiers help optimize the resources dedicated to managing privacy risk. One company might have more risks, for example, and might need to have a chief privacy officer, while another might not.
Lefkovitz emphasized that the framework is not a simple one-size-fits-all checklist of action items.
“A checklist-based approach might make you overinvest in less effective privacy solutions for your situation or underinvest in the ones that would give you the most privacy benefit,” Lefkovitz said. “The framework is designed to help your organization recognize and then address its own potentially unique situation.”
NIST has posted a notice in today’s Federal Register and will accept public comments on the draft Privacy Framework until 5 p.m. EDT on Oct. 24, 2019. The NIST authors plan to update the draft framework based on public feedback before issuing a version 1.0, expected by the end of 2019.
“Privacy risk management practices are not yet well understood,” Lefkovitz said. “This document is just a beginning. In collaboration with our stakeholders, we will build more guidance around it.”