The National Institute of Standards and Technology (NIST) released its first privacy framework tool  (the Privacy Framework) on January 16, 2020. In the Executive Summary, NIST states that with the unprecedented flow of data of individuals through a complex digital ecosystem, individuals may not be able to understand the potential consequences for their privacy as they interact with system and services, while at the same time, organizations “may not realize the full extent of these consequences for individuals, for society or for their enterprises…” For more on the background of the draft Privacy Framework, see our previous post.

NIST states in the Executive Summary that the tool will “enable better privacy engineering practices that support privacy by design concepts and help organizations protect individuals’ privacy. The Privacy Framework can support organizations in:

  • Building customers’ trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
  • Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
  • Facilitating communication about privacy practices with individuals, business partners, assessors, and regulators.”

NIST considers the Privacy Framework to be “widely usable by organizations of all sizes and agnostic to any particular technology, sector, law, or jurisdiction” and able to provide flexibility to organizations by using a risk-and-outcome-based approach. The Privacy Framework’s “purpose is to help organizations manage privacy risks by:

  • “Taking privacy into account as they design and deply systems, products, and services that affect individuals;
  • Communicating about their privacy practices; and
  • Encouraging cross-organizational workforce collaboration—for example, among executives, legal and information technology *IT)—through the development of Profiles, selection of Tiers, and achievement of outcomes.”

The Privacy Framework is comprised of three parts: 1) The Core (a set of privacy protection activities and outcomes that can be communicated and developed throughout the organization); 2) A Profile (the organization’s current privacy activities or desired outcomes to focus on, which can change or be added depending on the organization’s needs; the Profiles can be used to conduct self-assessments and used for communication purposes within the organization); and 3) Implementation Tiers (Tiers reflect the current and changing posture of the organization to determine whether there is progress or whether processes and resources are in place to manage the risk.).

The Privacy Framework is designed to work with the NIST Cybersecurity Framework, recognizing the cybersecurity and privacy risk relationship and overlap.

As with the NIST Cybersecurity Framework, the Privacy Framework is easy to understand and user-friendly. It provides a roadmap for organizations to tackle privacy risk management, and it urges organizations to understand that privacy must be considered when developing new products and services, just as security must be considered. Further, with rapidly changing laws, privacy risk management is important to an organization’s overall risk management and compliance. But most of all, the Privacy Framework challenges organizations to consider the ethics of the collection, maintenance, use, disclosure and monetization of data, and to think about the consequences that the proliferation of data and the collection and use of data might have on individuals.

As stated in the Privacy Framework, “Privacy is challenging because not only is it an all-encompassing concept that helps to safeguard important values such as human autonomy and dignity, but also the means for achieving it can vary…human autonomy and dignity are not fixed, quantifiable constructs; they are filtered through cultural diversity and individual differences. This broad and shifting nature of privacy makes it difficult to communicate clearly about privacy risks within and between organizations and individuals.” The Privacy Framework is designed to provide a common language so that diverse privacy needs can be met and communication around those needs and expectations is clear. We applaud NIST on this needed assistance for organizations to tackle the ever-changing landscape of data privacy.