As previously reported, the National Institute of Standards and Technology (NIST) is developing a voluntary Privacy Framework in collaboration with private- and public-sector stakeholders. The goal is to help organizations better identify, assess, manage, and communicate their privacy risks. Other benefits anticipated from this project are fostering the growth of innovative approaches to protecting individual privacy and creating greater trust in products and services that may use the Framework once it is established.

To better understand privacy risk management from the perspective of stakeholders and to determine how it might best structure its Framework, NIST issued a Request for Information (RFI) last year for stakeholder comments. . NIST received approximately 80 responses from a range of stakeholders, primarily those in the information technology space and in the health care industry and beyond. Responses were generally supportive of NIST’s effort. In late February, NIST issued a summary analysis of the responses.

Several high-level themes emerged from the responses that were highlighted in NIST’s summary analysis:

• Regulatory compatibility. Many respondents expressed the view that any NIST Privacy Framework should support the user’s ability to comply with a range of legal responsibilities, including U.S. state and federal sector-specific laws and regulations in addition to international regimes such as APEC cross-border privacy rules, the European Union GDPR and others.
• Interoperability with global standards. A number of respondents stated their support for interim prop interoperability of any NIST Framework with relevant global standards.
• Framework attributes. RFI commenters generally supported having Framework attributes similar to those suggested by NIST at the outset, such as use of a common and accessible language, Framework adaptability, and that the Framework be risk- and outcome-based, technology agnostic, and not prescriptive. Commenters also noted that such Framework attributes would provide benefits, such as addressing challenges to small and medium-size businesses with limited resources for privacy risk management.
• Privacy risk management. NIST did not receive many responses on particular privacy risk management processes. Some commenters focused on achieving data security objectives or referenced the use of privacy impact assessments or privacy by design principles as ways to address risk. NIST’s summary analysis speculated that this lack of response could be due to the absence of a widely accepted definition of “privacy risk.”
• Transparency and accountability. A number of respondents emphasized the relationship between transparency and accountability, emphasizing robust organizational privacy policies and company-specific practices in improving consumer trust.
• Cybersecurity. A number of RFI respondents expressed a preference that any NIST Framework align with or follow the structure of the NIST Cybersecurity Framework so as to make the Privacy Framework easier to adopt.
• Information lifecycle. A number of respondents expressed an interest in seeing existing principles, including fair information practice principles and objectives, reflected in the Framework.
• The need for guidance. Some commenting on the RFI requested that NIST provide various forms of guidance, including informative reference guidance on specific privacy practices and illustrative use cases, and map these to existing laws and standards.
• Specific privacy practices. Respondents identified de-identification as an important privacy practice to include within the Framework, and endorsed the adoption of practices that effectively inform individuals about data processing practices, enable individuals to make choices, and convey preferences about data processing, even while recognizing the shortcomings related to notice and consent regimes.
• Data control management. Respondents had various views over control of access to data by individuals and organizations. They commented on data deletion, data segmentation, and metadata and data portability. Respondents also expressed support for encryption as a privacy practice within the Framework as appropriate to the particular context of data use, including in health care settings. Respondents also generally advocated that the Framework should be inclusive of evolving or emerging technologies such as the Internet of Things (IoT) and artificial intelligence (AI).

NIST will continue its stakeholder outreach as it fleshes out its Privacy Framework outline, which was released by NIST along with the summary analysis of RFI comments. A webinar covering the annotated outline of the Framework is scheduled on March 14, 2019, and a second stakeholder workshop on the Privacy Framework will take place in Atlanta on May 13 and 14, 2019.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.