Privacy in Cyberspace: the NIST Privacy Framework
Chief Creative Officer, Privacy Horizon Inc.
Written for the HIM&CC
When the National Institute of Standards and Technology (NIST) published its Cyber Security Framework in 2014, it consolidated and summarized international best practices for managing security on the Internet. The Cybersecurity Framework focused on the management of risk associated with critical infrastructure.
In January of 2020, NIST published a companion standard, the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management. Together, the Cybersecurity and Privacy Frameworks provide a comprehensive approach to risk management in cyberspace.
NIST is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurements science, standards, and technology in ways that enhance economic security and improve the quality of life. 1
The NIST Privacy Framework is intended to be widely usable by organizations of all sizes and is agnostic to any particular technology, sector, law, or jurisdiction. It gives us a roadmap to address the privacy implications of emerging technologies such as artificial intelligence, the Internet of Things, cloud computing and blockchain.
NIST recognizes you can’t cookie-cutter your privacy and security programs. The needs of the small rural medical clinic are different than the needs of a major metropolitan teaching hospital. The NIST frameworks are scalable to address the needs of all organizations. The frameworks enable better privacy engineering practices that support privacy by design and helps organizations to protect individual privacy.
The Privacy Framework supports organizations in building customer trust by supporting ethical decision-making in product and service design or deployment. It optimizes the beneficial uses of data while minimizing adverse consequences for individuals and society. It helps to fulfill current compliance obligations, and future-proofs products and services to meet these obligations in a rapidly changing technical and policy environment. The Privacy Framework facilitates communications about privacy practices with individuals, business partners, assessors, and regulators. 2
The Privacy Framework provides a common language for understanding, managing, and communicating privacy risk with internal and external stakeholders. It adapts to any role the organization may play in the data processing ecosystem. It can be used to help identify and prioritize actions for reducing privacy risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. 3
When used as a risk management tool, the Privacy Framework can assist organizations in their efforts to optimize beneficial uses of data and the development of innovative systems, products, and services while minimizing adverse consequences for individuals. Privacy risk management is a cross-organizational set of processes that helps organizations to understand how their systems, products, and services may create problems for individuals and how to develop effective solutions to manage such risks. Privacy risk assessments produce the information that can help organizations to weigh the benefits of the data processing against the risks and to determine the appropriate response—sometimes referred to as proportionality. 4
The Privacy Framework is composed of three parts: Core, Profiles, and Implementation Tiers. Each component reinforces how organizations manage privacy risk through the connection between business or mission drivers, organizational roles and responsibilities, and privacy protection activities.
The Core is a set of privacy protection activities and outcomes (a.k.a. privacy and security controls) that allow for communicating prioritized privacy protection activities and outcomes across an organization from the executive level to the implementation/operations level.
A Profile represents an organization’s current privacy activities or desired outcomes. To develop a Profile, an organization can review all of the outcomes and activities in the Core to determine which are most important to focus on based on business or mission drivers, data processing ecosystem role(s), types of data processing, and individuals’ privacy needs.
Implementation Tiers (“Tiers”) provide a point of reference on how an organization views privacy risk and whether it has sufficient processes and resources in place to manage NIST recognizes you can’t cookie-cutter your privacy and security programs. The needs of the small rural medical clinic are different than the needs of a major metropolitan teaching hospital. 19 March 2020 • HIM&CC that risk. Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk informed. 5
The Privacy Framework uses a simple model of “ready”, “set”, and “go” phases to support the creation of a new privacy program or improvement of an existing program. In the “ready” phase, the organization seeks to understand its legal and business environment, risk tolerance and its role in the data processing ecosystem. In the “set” phase, the organization determines its current and target privacy profiles to identify strengths or gaps. In the “go” phase, the organization prioritizes which actions to take to address any gaps, and then adjusts its current privacy practices in order to achieve the target profile.
Use of the Privacy Framework will support numerous objectives, including:
• Strengthening accountability for the protection of personal information
• Integrating privacy by design concepts into the system development lifecycle.
• Defining privacy requirements to support procurement and buying decisions.
• Establishing or improving privacy programs.
• Optimizing the beneficial uses of data.
• Development of innovative systems, products and services
The NIST Privacy Framework is an important advancement in the state- of-the-art concerning privacy and data protection. Its generic approach to privacy and privacy controls enables us to appropriately address the implications of innovation and technological change, and respond to the emergence of new individual privacy rights established by changes to privacy and data protection laws around the world.
1 Source: https://www.nist.gov/about-nist/our-organization/mission-vision-values
2 NIST Privacy Framework, p. i.
3 Ibid. p. 6
4 Ibid. p. 4
5 Ibid. p. 2