DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

NIST Privacy Framework Takes Shape

As previously reported, the National Institute of Standards and Technology (NIST) is developing a voluntary Privacy Framework in collaboration with private- and public-sector stakeholders. The goal is to help organizations better identify, assess, manage, and communicate their privacy risks. Other benefits anticipated from this project are fostering the growth of innovative approaches to protecting individual privacy and creating greater trust in products and services that may use the Framework once it is established.

To better understand privacy risk management from the perspective of stakeholders and to determine how it might best structure its Framework, NIST issued a Request for Information (RFI) last year for stakeholder comments. NIST received approximately 80 responses from a range of stakeholders, primarily from the information technology and health care sectors but also from other industries. Responses were generally supportive of NIST’s effort. In late February, NIST issued a summary analysis of the responses.

Several high-level themes emerged from the responses that were highlighted in NIST’s summary analysis:

  • Regulatory compatibility. Many respondents expressed the view that any NIST Privacy Framework should support the user’s ability to comply with a range of legal responsibilities, including U.S. state and federal sector-specific laws and regulations in addition to international regimes such as APEC cross-border privacy rules, the European Union GDPR and others.
  • Interoperability with global standards. A number of respondents stated their support for interoperability of any NIST Framework with relevant global standards.
  • Framework attributes. RFI commenters generally supported having Framework attributes similar to those suggested by NIST at the outset, such as use of a common and accessible language, Framework adaptability, and that the Framework be risk- and outcome-based, technology agnostic, and not prescriptive. Commenters also noted that such Framework attributes would provide benefits, such as addressing challenges to small and medium-size businesses with limited resources for privacy risk management.
  • Privacy risk management. NIST did not receive many responses on particular privacy risk management processes. Some commenters focused on achieving data security objectives or referenced the use of privacy impact assessments or privacy by design principles as ways to address risk. NIST’s summary analysis speculated that this lack of response could be due to the absence of a widely accepted definition of “privacy risk.”
  • Transparency and accountability. A number of respondents emphasized the relationship between transparency and accountability, stressing the role of robust organizational privacy policies and company-specific practices in improving consumer trust.
  • Cybersecurity. A number of RFI respondents expressed a preference that any NIST Framework align with or follow the structure of the NIST Cybersecurity Framework so as to make the Privacy Framework easier to adopt.
  • Information lifecycle. A number of respondents expressed an interest in seeing existing principles, including fair information practice principles and objectives, reflected in the Framework.
  • The need for guidance. Some commenting on the RFI requested that NIST provide various forms of guidance, including informative reference guidance on specific privacy practices and illustrative use cases, and map these to existing laws and standards.
  • Specific privacy practices. Respondents identified de-identification as an important privacy practice to include within the Framework, and endorsed the adoption of practices that effectively inform individuals about data processing practices, enable individuals to make choices, and convey preferences about data processing, even while recognizing the shortcomings related to notice and consent regimes.
  • Data control management. Respondents had various views on control of access to data by individuals and organizations. They commented on data deletion, data segmentation, metadata and data portability. Respondents also expressed support for encryption as a privacy practice within the Framework as appropriate to the particular context of data use, including in health care settings. Respondents also generally advocated that the Framework should be inclusive of evolving or emerging technologies such as the Internet of Things (IoT) and artificial intelligence (AI).

NIST will continue its stakeholder outreach as it fleshes out its Privacy Framework outline, which was released by NIST along with the summary analysis of RFI comments. A webinar covering the annotated outline of the Framework is scheduled for March 14, 2019, and a second stakeholder workshop on the Privacy Framework will take place in Atlanta on May 13 and 14, 2019.

About the Author: Laura Phillips

Laura Phillips leads the firm’s telecommunications & mass media team. She counsels technology entrepreneurs and represents these clients on issues related to the development of new technologies. View Laura's full bio on the Faegre Drinker website.

March 5, 2019
Written by: Laura Phillips
Category: NIST, Privacy
Tags: cybersecurity, NIST