
USA - NIST Privacy Framework

September 2019

1. OVERVIEW

The National Institute of Standards and Technology's ('NIST') Privacy Framework ('the Privacy Framework') will be a voluntary tool for organisations to better identify, assess, manage, and communicate about privacy risks. It is intended to help ensure that individuals can enjoy the benefits of innovative technologies with greater confidence and trust. Currently, the Privacy Framework is still under development. On 6 September 2019, NIST published the preliminary draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management ('the Draft Privacy Framework'), which is the current complete working draft of the Privacy Framework. The Draft Privacy Framework describes the Privacy Framework's attributes, provides a high-level alignment with the NIST Framework for Improving Critical Infrastructure Cybersecurity ('the Cybersecurity Framework'), addresses the three main components of the Privacy Framework, and proposes a more in-depth treatment of privacy risk management.

It is worth noting that the Department of Commerce's National Telecommunications and Information Administration ('NTIA') is developing a set of privacy principles intended to support a US approach that advances consumer privacy protections while protecting prosperity and innovation. The NTIA is coordinating with the Department's International Trade Administration to ensure consistency with international policy objectives. Whereas the NTIA's privacy principles focus on developing US domestic policy, NIST's Draft Privacy Framework aims to be an enterprise-level privacy risk management tool that is compatible with, and supports, organisations' ability to operate under applicable domestic and international legal or regulatory regimes.

2. THE DRAFT PRIVACY FRAMEWORK

2.1. Overview

NIST has developed the Draft Privacy Framework in consideration of the diverse privacy needs that result from fast-growing, cutting-edge technologies such as the Internet of Things and artificial intelligence. NIST has been working with private and public sector stakeholders in developing the Draft Privacy Framework. As a leader in its field, NIST has a long track record of successfully and collaboratively working with the private sector and federal agencies to establish guidelines and standards. There is no executive order or other authoritative driver requiring NIST to develop the Draft Privacy Framework.

The Draft Privacy Framework is intended to provide a catalogue of privacy outcomes and approaches for organisations of all kinds to better identify, assess, manage, and communicate about privacy risks. In particular, the Draft Privacy Framework is designed to help organisations manage privacy risks by:

  • taking privacy into account as they design and deploy systems, products, and services that affect individuals;
  • integrating privacy practices into their business processes that result in effective solutions to mitigate any adverse impacts;
  • communicating about these practices.

In addition, rather than offering a one-size-fits-all approach to risk management, the Draft Privacy Framework takes a risk-based and outcome-based approach that is flexible enough to address organisations' diverse privacy needs and to help them better manage privacy risks within their own environments. It is intended to be widely usable by any organisation or entity regardless of its role in the data processing ecosystem, and is agnostic to any particular technology, sector, law, or jurisdiction.

The Draft Privacy Framework is broadly divided into three main sections:

  • an introduction to the Privacy Framework which includes overviews of the relationship between cybersecurity and privacy risk management, and between privacy risk management and risk assessment in general;
  • an overview of the Privacy Framework and its three essential parts: the Core; Profiles; and Implementation Tiers; and
  • a practical guide on how to use the Privacy Framework.

2.2. Defining privacy risk management

Based on feedback indicating a lack of consistent or widespread understanding of privacy risks and privacy risk management, and in order to promote a broader understanding of the ways organisations may develop, improve, or communicate about privacy risk management, the Draft Privacy Framework attempts to define these concepts. Privacy risk management is defined by reference to risk management in general and to cybersecurity risk management. Privacy risks are distinguished from cybersecurity risks: privacy risks are those specifically associated with the unintended consequences of data processing, whereas cybersecurity risks are those associated with the loss of confidentiality, integrity, or availability.

Privacy risk management is defined as a cross-organisational set of processes that helps organisations to understand how their systems, products, and services may create problems for individuals and how to develop solutions to such risks.

2.3. The three key components

Through its three key components, which mirror the structure of the Cybersecurity Framework, the Draft Privacy Framework offers a common language for understanding, managing, and communicating privacy risks with internal and external stakeholders. Each component reinforces privacy risk management through the connection between business drivers and privacy protection activities. The three components are detailed below.

The Core
The Core provides a set of activities to achieve specific privacy outcomes, and reference examples of guidance to achieve those outcomes. It is intended to enable a dialogue, from executive level to implementation level, about important privacy protection activities and desired outcomes. The Core describes five functions ('the Functions') to be used in privacy risk management. The first four (Identify, Govern, Control and Communicate) can be used to manage privacy risks arising from data processing, while the fifth (Protect) can help organisations manage privacy risks associated with privacy breaches. The Draft Privacy Framework stresses that the Functions should be performed concurrently and continuously to form or enhance an operational culture that addresses the dynamic nature of privacy risk.

The Core is further divided into Categories and Subcategories (discrete outcomes) for each Function. In addition, the Draft Privacy Framework defines informative references as specific sections of standards, guidelines, and practices that can be mapped to the Core subcategories and support achievement of the subcategory outcomes.

Profiles
Profiles provide the alignment of the Core outcomes or activities with the business requirements, risk tolerance, privacy objectives, and resources of the organisation. An organisation does not need to meet every outcome or activity set in the Core. Each organisation may develop its Profile based on the organisational or industry sector goals, legal or regulatory requirements and industry best practices, the privacy needs of the individuals involved, and the organisation’s risk management priorities.

Implementation Tiers
Implementation Tiers ('the Tiers') provide context on an organisation's risk management scheme and help to optimise the resources dedicated to managing privacy risk. There are four Tiers: Partial (Tier 1); Risk Informed (Tier 2); Repeatable (Tier 3); and Adaptive (Tier 4). The Draft Privacy Framework encourages organisations identified as Tier 1 to consider moving to Tier 2. However, Tier 3 and Tier 4 are not recommended for all organisations. The Tiers give organisations a choice of risk management approach based on their specific situations.

2.4. Overlap with the NIST Cybersecurity Framework

Based on stakeholder feedback, the Draft Privacy Framework is strongly aligned with the NIST Cybersecurity Framework to enable greater compatibility between the two frameworks. However, good cybersecurity practices do not mean full compliance with the Privacy Framework. The Privacy Framework addresses the full scope of privacy risks arising from data processing, as well as from how individuals interact with an organisation's products, services, or systems.

NIST has provided guidance on the alignment of the structure of the Privacy Framework and the Cybersecurity Framework to facilitate an understanding of the overlap and differences between the two frameworks.

3. SUPPLEMENTARY RESOURCES AND FEEDBACK

Following the release of the Draft Privacy Framework, NIST published, on 9 September 2019, a notice requesting comments on the same. The NIST authors intend to use the feedback to update the Draft Privacy Framework before issuing a version 1.0, expected by the end of 2019.

Comments may be submitted by 24 October 2019 to [email protected].

In addition, NIST has published, throughout the ongoing development of the Privacy Framework, a series of supplementary resources, which are available here.