NIST Releases Final Privacy Framework
On January 16, 2020, the National Institute of Standards and Technology (NIST) published its much-anticipated final Privacy Framework, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management. The Privacy Framework will provide a useful, non-binding tool for organizations seeking to improve their privacy practices, and—just as important—it will help frame policy discussions throughout 2020 as both state legislatures and Congress consider comprehensive privacy legislation.
The final Privacy Framework is the product of a 15-month-long process that included three public workshops, a request for information (RFI), a request for comment (RFC), five webinars, and, according to NIST, “hundreds of direct interactions with stakeholders.” This collaborative process resulted in a risk- and outcome-based framework that will aid organizations in identifying, prioritizing, communicating, and managing privacy risks. The Privacy Framework is also designed to complement NIST’s Cybersecurity Framework, which was published in April 2018.
The final Privacy Framework is a revised version of the Preliminary Draft, which was released in September 2019. There were two notable changes between the final Privacy Framework and the Draft. First, NIST added two Subcategories to the Control Function under the Data Processing Management Category:
- CT.DM-P9: Technical measures implemented to manage data processing are tested and assessed.
- CT.DM-P10: Stakeholder privacy preferences are included in algorithmic design objectives and outputs are evaluated against these preferences.
Second, NIST removed the data minimization subcategory—CT.DP-P6—from the Disassociated Processing Category.[1] Finally, further minor changes were made primarily to “clarify with examples and language adjustments to help facilitate better understanding.”
Otherwise, the final version of the Framework was substantively similar to the Preliminary Draft. As Wiley explained in our summary of the Draft, the Privacy Framework is organized into three sections—(1) the Core, made up of Functions, Categories, Subcategories, and informative references that present key privacy outcomes that are helpful in managing privacy risk; (2) the Profiles, which help organizations determine which Functions, Categories, and Subcategories to use to reach the organization’s goals; and (3) the Implementation Tiers, which describe the degree to which an organization’s cybersecurity risk management practices exhibit characteristics defined in the Framework. This structure facilitates the flexible implementation of the Framework based on an organization’s unique needs and circumstances.
NIST recognizes the need for continued collaboration. Along with the final Privacy Framework, NIST published a companion Roadmap identifying the following “evolving areas [that] require continued focus or further research and development.”
- Privacy Risk Assessment. Unlike in the cybersecurity domain, where risk assessment is relatively well established, NIST recognizes that more work is needed to reach a common privacy risk model and more effective privacy risk assessment practices.
- Mechanisms to Provide Confidence. NIST recognizes that the privacy domain generally lacks confidence mechanisms (i.e., audits, assessments, testing, certification) and notes that more research is needed to understand organizations’ challenges and needs with respect to such mechanisms.
- Emerging Technologies. NIST also identifies key challenges for the privacy field in managing privacy risks arising from emerging technologies such as the Internet of Things (IoT) and artificial intelligence (AI), highlighting the need for research to underpin guidance and standards for managing an increasingly complex data processing ecosystem.
- De-Identification Techniques and Re-identification Risks. NIST notes that while guidance, standards, practices, and tools are beginning to be developed for de-identification, more work is needed to increase their market readiness and assist organizations with implementation.
- Inventory and Mapping. NIST underscores that more guidance, best practices, and automation in tools for cost-effective data inventorying and mapping are needed to better support organizations’ privacy risk management practices.
- Technical Standards. While there has been an increased focus on management system standards focused on processes, NIST notes that fewer privacy-related technical and testing methodology standards are under development.
- Privacy Workforce. NIST notes that further development of a knowledgeable and skilled privacy workforce is necessary to support organizations in better protecting individuals’ privacy while optimizing beneficial uses of data. NIST also highlights its National Initiative for Cybersecurity Education (NICE) Program to address cybersecurity workforce needs, which could be leveraged to manage the overlap between privacy risks and cybersecurity risks.
- International and Regulatory Aspects, Impacts and Alignment. NIST notes that the Privacy Framework is consistent with globally accepted standards, guidelines, and practices, and should “serve as a model approach to strengthening privacy risk management, while discouraging a balkanization caused from unique requirements that hamper interoperability and innovation, and limit the efficient and effective use of resources.”
On January 29, 2020, NIST hosted a webinar (now available on-demand) that provided an in-depth review of the Privacy Framework and the resources available to support the implementation of the Framework. NIST has also posted several tools to help organizations understand and adopt the final Privacy Framework, including repository crosswalks intended to help organizations understand which Privacy Framework Functions, Categories, and Subcategories may be most relevant to them; common profiles to help guide organizations in determining which activities or outcomes to prioritize based on shared privacy risks; and other guidance, tools, and best practices that provide implementation support for the Privacy Framework and/or specific Subcategories.
The privacy and security team at Wiley has been actively involved in NIST’s efforts to develop the Privacy Framework, as well as other privacy efforts ongoing at the federal level. If you would like to engage or learn more about these efforts, please contact our team.
[1] However, the impact of this change appears to be limited, as NIST added the data minimization principle to the Category description of Disassociated Processing.