Citation
NIST, (Draft) NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (Sept. 6, 2019) (full-text).
Overview
The National Institute of Standards and Technology (NIST), working in collaboration with private and public stakeholders, has developed this voluntary NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework). The Privacy Framework can drive better privacy engineering and help organizations protect individuals' privacy by:
- Building customer trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals' privacy and society as a whole;
- Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment; and
- Facilitating communication about privacy practices with customers, assessors, and regulators.
Deriving benefits from data while simultaneously managing risks to individuals' privacy is not well-suited to one-size-fits-all solutions. Like building a house, where homeowners get to choose room layouts but need to trust that the foundation is well-engineered, privacy protection should allow for individual choices, as long as effective privacy risk mitigations are already engineered into products and services.
The Privacy Framework — through a risk- and outcome-based approach — is flexible enough to address diverse privacy needs, enable more innovative and effective solutions that can lead to better outcomes for individuals and enterprises, and stay current with technology trends, including artificial intelligence and the Internet of Things.
The Privacy Framework follows the structure of the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) to facilitate the use of both frameworks together. Like the Cybersecurity Framework, the Privacy Framework is composed of three parts: the Core, Profiles, and Implementation Tiers. Each component reinforces privacy risk management through the connection between business and mission drivers and privacy protection activities.