NIST Draft Privacy Framework

On the 6th September 2019, the USA’s National Institute of Standards and Technology (NIST) published a preliminary draft of its new privacy framework entitled ‘Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management’. This framework focuses upon how organisations process data for business purposes, acknowledging that whilst privacy risks can be managed by implementing good cybersecurity, they can still arise from data processing in the course of business practices. The drafting process began in October 2018 and the comment period closed on the 24th October 2019. During this time, NIST collaborated with public and private stakeholders in a variety of sectors including healthcare, education, finance, civil society and telecommunications. 

 

The new voluntary framework proposed by NIST seeks to help any type of organisation to implement practices which will aid them in complying with current data protection obligations, as well as future obligations in a constantly changing technological and policy environment. It takes a risk- and outcome-based approach which allows for flexibility in addressing diverse privacy needs across sectors and staying up to date with new technology trends such as artificial intelligence.  

 

What does the Framework include? 

The Privacy Framework is structured in a similar way to NIST’s well-established 2014 Cybersecurity Framework in the hope that they will be used in conjunction with one another. It is split into three sections: the Core; Profiles; and Implementation Tiers. 

 

The Core: The Core is essentially a document providing organisations with a set of activities and outcomes which if implemented help to manage privacy risk. The Core is split into five different functions or areas where risk can be managed: Identify; Govern; Control; Communicate; and Protect. These functions cover the various stages of data processing where privacy risks may arise. Within each function, there are several subcategories of specific desired privacy outcomes which can be achieved by management or technical action. Privacy outcomes with similar programmatic needs or concerned with similar activities are grouped into categories. 

  

Function	Category	Subcategory
IDENTIFY	Inventory and Mapping	Systems/products/services that process data are inventoried
		Data actions of systems/products/services are inventoried
	Business Environment	The organisation’s role in the data processing ecosystem is identified
		Organisational priorities are established and communicated
	Risk Assessment	Data analytic inputs and outputs are identified and evaluated for bias

Fig. 1 Examples taken from the Privacy Framework Core 

 

Organisations do not need to try to fulfill all outcomes but can pick and choose which they want to prioritise within their organisation, depending on which are most appropriate for them.  

 

Profiles: When choosing which outcomes an organisation wants to prioritise, each Function, Category and Subcategory can be tailored to the organisation’s specific needs and they can also develop new ones if they feel that would be beneficial. Needs can be determined by considering their business goals, legal and regulatory requirements, industry best practice and the privacy needs of individuals. Once these factors have been considered, a Target Profile can be created listing all the privacy outcomes that the organisation wants to achieve. A Current Profile which shows the privacy outcomes already being achieved can also be created; comparison between the Current and Target Profiles then provides a roadmap for improving privacy risk management.  

 

Personal Profiles allow for an organisation’s efforts to be focused, resulting in more cost-effective and successful outcomes. The flexibility of this approach also ensures that it can apply to a wide range of sectors with varying needs, considerations, purposes etc.  

 

Implementation Tiers: Implementation Tiers are a way of communicating to stakeholders how an organisation views privacy risk and whether it has the processes and resources in place to manage that risk. There are four tiers: Partial; Risk Informed; Repeatable; and Adaptive. These progress from informal, reactive approaches to privacy risks to proactive and risk informed responses. Each tier is defined through four areas: Privacy Risk Management Process; Integrated Privacy Risk Management Program; Data Processing Ecosystem Relationships; and Workforce.  

 

Tier	Area: Workforce
Partial	Staff have a limited understanding of privacy risk or privacy management. Training is either non-existent or on an ad hoc basis
Risk Informed	Staff have specific privacy responsibilities but may have non-privacy responsibilities as well. Regular training for privacy personnel but no consistent process for updates or best practice
Repeatable	Staff with only privacy responsibilities who have the knowledge and skills to perform their roles. Regular, up-to-date training for all staff.
Adaptive	Staff with specialised privacy skillsets throughout the organisation. Regular, up-to-date and specialised privacy training for all staff. All staff realise the organisational privacy values and their role in maintaining them.

Fig. 2 Example of how each Implementation Tier is defined  

 

When deciding which tier an organisation fits within, its Current Profile and Target Profile should be considered along with any legal/regulatory obligations, business objectives, individuals’ privacy needs and organisational constraints. 

 

Tiers help organisational decision-making as it determines whether an organisation has sufficient processes and resources to achieve its Target Profile. Where processes and resources are insufficient, they should aim to progress to a higher implementation tier. This self-reflection should influence prioritisation decisions within the Target Profile to enable better progress in managing privacy risk. 

 

How will the Framework impact privacy? 

The draft states that the Privacy Framework can be used in risk management to help answer the question: “How are we considering the impacts to individuals as we develop our systems, products and services?” Having answered this question, organisations can then use the Framework to create a new privacy program or improve an existing one by creating Target Profiles and positioning themselves within the Implementation Tiers. The Framework can also aid accountability as it provides a way of demonstrating and communicating organisations’ privacy risk management programs to staff at all levels and key stakeholders.  

 

When completed, the Framework will apply at a National level. This is opposed to previous policies in the USA which have been enacted at State-level (for instance California’s CCPA and New York’s Privacy Act). This represents a huge step forward as it indicates that privacy is being taken seriously at a Federal level and promotes consistency in privacy standards across the USA.  

 

Whilst all sounding very promising, there is one caveat – the Framework is voluntary! With no way to ensure that organisations use the Framework, the impact it will have on privacy practices within the USA is hard to say. However, it must be noted that the earlier Cybersecurity Framework that this draft is based upon is also voluntary, yet it has now become a de facto standard in many areas due to demand from both public and private clients. In the current climate where people are becoming increasingly aware of privacy and their rights surrounding their data, there seems to be no reason why the same won’t be said of the Privacy Framework in years to come. 

 

About the DPO Centre

The DPO Centre is the UK’s data protection officer resource centre. We provide ‘fractional’ outsourced Data Protection Officer resources to over 250 organisations across the UK, ranging from 1 to 8 days per month. We also provide EU Representation services to a range of Asian and US based medical and technology organisations.