DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

NIST Seeks Public Comment on Developing a Privacy Framework

On November 14, 2018, the National Institute of Standards and Technology (NIST) published in the Federal Register a request for information (RFI) posing a series of questions intended to guide the development of a voluntary framework for managing the privacy risk that can arise from the collection, storage and use of individuals’ information.

NIST embarked on this Privacy Framework project recognizing that mobile devices, social media, the Internet of Things (IoT), artificial intelligence (AI) and machine learning are combining in ways that raise new concerns about individual privacy. NIST suggests that a scalable Privacy Framework could assist organizations of all types in handling personally identifiable information. Importantly, NIST envisions that any Privacy Framework emerging from this process would be a tool for enterprise risk management. Specifically, the goal is a Privacy Framework that offers a prioritized, flexible, risk-based, outcome-based and cost-effective approach to managing individuals’ data that is compatible with existing legal and regulatory regimes.

In October 2018, NIST held a first workshop on these issues in Austin, Texas. From that event, NIST identified the following minimum attributes of any Privacy Framework:

  1. Consensus driven, developed and updated through a transparent process. The RFI suggests an open, collaborative and transparent approach such as the one NIST used to develop its Cybersecurity Framework.
  2. Use accessible language. The Framework should be understandable by those who are not privacy professionals, thus allowing communications among broader groups of stakeholders.
  3. Adaptable to different organizations, technologies, lifecycle phases, sectors and uses. This attribute would require that any Privacy Framework be scalable to organizations of all sizes, both public and private, in any sector and that operate within or across borders. It would also be platform and technology agnostic, as well as customizable.
  4. Risk-based, outcome based, voluntary and not prescriptive. It is envisioned that the Framework would focus on privacy outcomes and approaches and be a voluntary Framework for reference. This would assist organizations with managing privacy risk within their diverse environments without prescribing any specific management methods.
  5. Readily usable as part of any enterprise’s broader risk management strategy and process. NIST envisions that the Framework would be consistent with, and reinforce, other risk management efforts already under way within an enterprise.
  6. Compatible with or paired with other privacy approaches. Another critical attribute of any Framework is that stakeholders can take advantage of existing privacy standards, methodologies and guidance. It should also be compatible with, and support, an organization’s ability to operate under applicable domestic and international legal or regulatory regimes.
  7. A living document. NIST envisions that the Framework would be revised and updated as technology and approaches to privacy protection change.

NIST’s RFI invites stakeholders to submit ideas to help prioritize the elements of this proposed Privacy Framework. The RFI process is meant to identify and better understand common privacy challenges, and to gauge the extent to which organizations are already identifying and communicating privacy risk or have already incorporated privacy risk management standards, guidelines or best practices into their operations. NIST also hopes to pinpoint high-priority gaps for which privacy guidelines, best practices or new standards would be most useful as part of a Framework.

Key among the risk management questions is understanding how organizations assess risk and how privacy considerations already factor into enterprise risk assessment. NIST seeks to understand current use of existing privacy standards, guidelines or principles, and whether any of these existing frameworks, or best practices mandated by legal or regulatory requirements, create challenges for organizations. NIST also seeks input on options for structuring a privacy framework.

NIST also seeks comment on core privacy practices that are broadly applicable across sectors and organizations. In particular, the RFI asks to what extent practices, products and services such as de-identification of data, enabling user preferences, use of cryptography, and other forms of data management, including the tracking of permissions, have already been widely adopted.

NIST has announced a public webinar on November 29, 2018 to further explain its stakeholder engagement process and to expand on the issues of particular interest to NIST in developing the Framework. The deadline for comments is December 31, 2018.

This Privacy Framework effort is separate from the National Telecommunications and Information Administration’s (NTIA) recent request for public comment on the Administration’s proposed approach to consumer privacy.

About the Author: Laura Phillips

Laura Phillips leads the firm’s telecommunications & mass media team. She counsels technology entrepreneurs and represents these clients on issues related to the development of new technologies. View Laura's full bio on the Faegre Drinker website.

November 16, 2018
Written by: Laura Phillips
Category: NIST, Privacy
Tags: NIST, NTIA, privacy, privacy framework, risk management
