NIST: Privacy Framework v1.0 Overview
Why Privacy is Important
From NIST: Privacy Framework - Privacy is challenging because not only is it an all-encompassing concept that helps to safeguard important values such as human autonomy and dignity, but also the means for achieving it can vary. For example, privacy can be achieved through seclusion, limiting observation, or individuals’ control of facets of their identities (e.g., body, data, reputation). Moreover, human autonomy and dignity are not fixed, quantifiable constructs; they are filtered through cultural diversity and individual differences. This broad and shifting nature of privacy makes it difficult to communicate clearly about privacy risks within and between organizations and with individuals. What has been missing is a common language and practical tool that is flexible enough to address diverse privacy needs.
What is the NIST Privacy framework?
Following a transparent, consensus-based process including both private and public stakeholders to produce this voluntary tool, the National Institute of Standards and Technology (NIST) is publishing this Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework), to enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals’ privacy.
How to use the Privacy Framework
NIST’s Privacy Framework is a tool for improving privacy and is intended to be widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction.
The Privacy Framework’s purpose is to help organizations manage privacy risks by:
• Taking privacy into account as they design and deploy systems, products, and services that affect individuals
• Communicating about their privacy practices
• Encouraging cross-organizational workforce collaboration—for example, among executives, legal, and information technology (IT)—through the development of Profiles, selection of Tiers, and achievement of outcomes
The Privacy Framework can support organizations in:
- Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole
- Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.
Deriving benefits from data while simultaneously managing risks to individuals’ privacy is not well-suited to one-size-fits-all solutions. Like building a house, where homeowners make layout and design choices while relying on a well-engineered foundation, privacy protection should allow for individual choices, as long as effective privacy risk mitigations are already engineered into products and services. The Privacy Framework—through a risk- and outcome-based approach—is flexible enough to address diverse privacy needs, enable more innovative and effective solutions that can lead to better outcomes for individuals and organizations, and stay current with technology trends, such as artificial intelligence and the Internet of Things.
What changed from the draft?
- Minor wording and some category identifier name changes
- CT.DM-P9 - new subcategory
- CT.DM-P10 - new subcategory
- CT.DP-P6 was removed and data minimization was added to the category statement
How does this help my organization?
The Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers. Each component reinforces privacy risk management through the connection between business and mission drivers, organizational roles and responsibilities, and privacy protection activities.
CORE
The Core enables a dialogue—from the executive level to the implementation/operations level—about important privacy protection activities and desired outcomes.
PROFILES
Profiles enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risks.
IMPLEMENTATION
Implementation Tiers support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk. In summary, the Privacy Framework is intended to help organizations build better privacy foundations by bringing privacy risk into parity with their broader enterprise risk portfolio.