On the 6th September 2019, the USA’s National Institute of Standards and Technology (NIST) published a preliminary draft of its new privacy framework entitled ‘Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management’. This framework focuses upon how organisations processA series of actions or steps taken in order to achieve a particular end. data for business purposes, acknowledging that whilst privacy risks can be managed by implementing good cybersecurity, they can still arise from data processing in the course of business practices. The drafting process began in October 2018 and the comment period closed on the 24th October 2019. During this time, NIST collaborated with public and private stakeholders in a variety of sectors including healthcare, education, finance, civil society and telecommunications.
The new voluntary framework proposed by NIST seeks to help any type of organisation to implement practices which will aid them in complying with current data protection obligations, as well as future obligations in a constantly changing technological and policy environment. It takes a risk- and outcome-based approach which allows for flexibility in addressing diverse privacy needs across sectors and staying up to date with new technology trends such as artificial intelligenceThe use of computer systems to perform tasks normally requiring human intelligence, such as decision-making, speech recognition, translation etc..
What does the Framework include?
The Privacy Framework is structured in a similar way to NIST’s well-established 2014 Cybersecurity Framework in the hope that they will be used in conjunction with one another. It is split into three sections: the Core; Profiles; and Implementation Tiers.
The Core: The Core is essentially a document providing organisations with a set of activities and outcomes which if implemented help to manage privacy risk. The Core is split into five different functions or areas where risk can be managed: Identify; Govern; Control; Communicate; and Protect. These functions cover the various stages of data processing where privacy risks may arise. Within each function, there are several subcategories of specific desired privacy outcomes which can be achieved by management or technical action. Privacy outcomes with similar programmatic needs or concerned with similar activities are grouped into categories.
Function | Category | Subcategory |
IDENTIFY | Inventory and Mapping | Systems/products/services that process data are inventoried |
Data actions of systems/products/services are inventoried | ||
Business Environment | The organisation’s role in the data processing ecosystem is identified | |
Organisational priorities are established and communicated | ||
Risk Assessment | Data analytic inputs and outputs are identified and evaluated for bias |
Fig. 1 Examples taken from the Privacy Framework Core
Organisations do not need to try to fulfil all outcomes but can pick and choose which they want to prioritise within their organisation, depending on which are most appropriate for them.
Profiles: When choosing which outcomes an organisation wants to prioritise, each Function, Category and Subcategory can be tailored to the organisation’s specific needs and they can also develop new ones if they feel that would be beneficial. Needs can be determined by considering their business goals, legal and regulatory requirements, industry best practice and the privacy needs of individuals. Once these factors have been considered, a Target Profile can be created listing all the privacy outcomes that the organisation wants to achieve. A Current Profile which shows the privacy outcomes already being achieved can also be created; comparison between the Current and Target Profiles then provides a road map for improving privacy risk management.
Personal Profiles allow for an organisation’s efforts to be focused, resulting in more cost-effective and successful outcomes. The flexibility of this approach also ensures that it can apply to a wide range of sectors with varying needs, considerations, purposes etc.
Implementation Tiers: Implementation Tiers are a way of communicating to stakeholders how an organisation views privacy risk and whether it has the processes and resources in place to manage that risk. There are four tiers: Partial; Risk Informed; Repeatable; and Adaptive. These progress from informal, reactive approaches to privacy risks to proactive and risk informed responses. Each tier is defined through four areas: Privacy Risk Management Process; Integrated Privacy Risk Management Program; Data Processing Ecosystem Relationships; and Workforce.
Tier | Area: Workforce |
Partial | Staff have a limited understanding of privacy risk or privacy management. Training is either non-existent or on an ad hoc basis |
Risk Informed |
Staff have specific privacy responsibilities but may have non-privacy responsibilities as well. Regular training for privacy personnel but no consistent process for updates or best practice |
Repeatable |
Staff with only privacy responsibilities who have the knowledge and skills to perform their roles. Regular, up-to-date training for all staff. |
Adaptive | Staff with specialised privacy skill-sets throughout the organisation. Regular, up-to-date and specialised privacy training for all staff. All staff realise the organisational privacy values and their role in maintaining them. |
Fig. 2 Example of how each Implementation Tier is defined
When deciding which tier an organisation fits within, its Current Profile and Target Profile should be considered along with any legal/regulatory obligations, business objectives, individuals’ privacy needs and organisational constraints.
Tiers help organisational decision-making as it determines whether an organisation has sufficient processes and resources to achieve its Target Profile. Where processes and resources are insufficient, they should aim to progress to a higher implementation tier. This self-reflection should influence prioritisation decisions within the Target Profile to enable better progress in managing privacy risk.
How will the Framework impact privacy?
The draft states that the Privacy Framework can be used in risk management to help answer the question: “How are we considering the impacts to individuals as we develop our systems, products and services?” Having answered this question, organisations can then use the Framework to create a new privacy program or improve an existing one by creating Target Profiles and positioning themselves within the Implementation Tiers. The Framework can also aid accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. as it provides a way of demonstrating and communicating organisations’ privacy risk management programs to staff at all levels and key stakeholders.
When completed, the Framework will apply at a National level. This is opposed to previous policies in the USA which have been enacted at State-level (for instance California’s CCPA and New York’s Privacy Act). This represents a huge step forward as it indicates that privacy is being taken seriously at a Federal level and promotes consistency in privacy standards across the USA.
Whilst all sounding very promising, there is one caveat – the Framework is voluntary! With no way to ensure that organisations use the Framework, the impact it will have on privacy practices within the USA is hard to say. However, it must be noted that the earlier Cybersecurity Framework that this draft is based upon is also voluntary, yet it has now become a de facto standard in many areas due to demand from both public and private clients. In the current climate where people are becoming increasingly aware of privacy and their rights surrounding their data, there seems to be no reason why the same won’t be said of the Privacy Framework in years to come.
About the DPO Centre
The DPO Centre is the UK’s data protection officer resource centre. We provide ‘fractional’ outsourced Data Protection Officer resources to over 250 organisations across the UK, ranging from 1 to 8 days per month. We also provide EU Representative services to a range of Asian and US based medical and technology organisations.