NIST Shows Progress in Developing Privacy Risk Management Framework

Against the backdrop of a parade of high-profile Congressional hearings and legislative proposals involving consumer privacy, the National Institute of Standards and Technology (NIST) has quietly made significant progress towards producing a voluntary framework for organizations seeking to manage privacy risk. On April 30, 2019, NIST released a Discussion Draft of its Privacy Framework: An Enterprise Risk Management Tool, which was followed in mid-May with a two-day drafting workshop in Atlanta. The workshop attracted attorneys, policymakers, and industry experts who provided substantive feedback on the draft Framework’s goals, structure, and utility through facilitated discussions aimed at guiding NIST’s next steps in developing the Framework.

Background

NIST launched the Privacy Framework project in September 2018, with the goal of creating a “voluntary, enterprise-level tool… to help organizations prioritize strategies that create flexible and effective privacy protection solutions, and enable individuals to enjoy the benefits of innovative technologies with greater confidence and trust.” The development of the Privacy Framework is intended to follow the same collaborative and transparent multi-stakeholder model that drove the creation of the highly influential NIST Cybersecurity Framework in 2014. To date, NIST has published over 80 comments from stakeholders that have informed the development of the Privacy Framework. As part of the Administration’s approach to consumer privacy, NIST is producing the Privacy Framework in a parallel effort with the National Telecommunications and Information Administration’s (NTIA) development of consumer data privacy principles.

Draft Framework

1. Goals and Underlying Values

In an era of rapid technological advancements, prescriptive privacy requirements focused on specific technologies and processes risk becoming obsolete on arrival and impeding the development of innovative new technologies and business practices. NIST seeks to avoid this danger by explicitly incorporating foundational values into the Privacy Framework to allow it to serve as an enduring resource. Most importantly, the Framework is designed to be risk-based: it is not intended to be a compliance checklist, but instead recognizes that organizations may seek different privacy postures and outcomes based on their unique circumstances. The Privacy Framework is also designed to be voluntary, non-prescriptive, interoperable with multiple legal regimes, and written in accessible language for engineers, attorneys, and executives. Furthermore, NIST will develop a process to enable the Framework to incorporate emerging privacy best practices.  

NIST intends for the Privacy Framework to be compatible with the 2014 Cybersecurity Framework, yet also able to be used independently. Practitioners broadly recognize that data privacy and security are related, but not identical concepts. The Draft Privacy Framework draws this distinction by recognizing that cybersecurity risks “arise from unauthorized activity” while privacy risks “arise as a byproduct of authorized data processing.” Furthermore, the Draft Framework focuses on managing privacy risk to individuals and treats organizational risk such as regulatory scrutiny and loss of consumer trust as secondary.

2. Key Features

The Privacy Framework is built upon three primary concepts designed to enable organizations to better understand, manage, and communicate privacy risk with internal and external stakeholders.

1. The Core: a series of privacy protecting activities and their desired outcomes.
2. The Profile: a description of the current or desired privacy outcomes an organization aims to achieve based on the alignment of the organization’s core activities with its business requirements, risk tolerance, privacy values, and resources.
3. Implementation Tiers: four levels (partial, risk informed, repeatable, and adaptive) that describe an organization’s processes and resources in place to manage privacy risk.

The flexibility of these concepts is intended to allow the Framework to serve multiple organizational purposes such as strengthening accountability, establishing or improving a privacy program, communicating privacy requirements with stakeholders, and informing purchasing decisions.

Specific privacy protection activities are set out in the Framework Core. The Core is divided into five high-level functions that are intended to cover the full life cycle of an organization’s privacy risk management:

1. Identify: Understand the privacy risks that arise from an organization’s data processing given its business context, privacy interests, and legal/regulatory requirements.
2. Protect: Data processing safeguards that maintain data security and enable authorized data processing to be conducted in a protected state.
3. Control: Activities that enable organizations to manage data with sufficient granularity to manage privacy risks.
4. Inform: Activities that enable organizations and individuals to have a reliable understanding of how data are processed.
5. Respond: The ability to take action in response to a privacy breach or event.

These functions are described as “key privacy outcomes that are helpful in managing privacy risk.” They are subdivided into 23 categories (such as “Risk Assessment,” “Data Management,” and “Data Processes and Procedures”) and 111 subcategories that include specific technical and management activities (such as “Privacy roles and responsibilities for the entire workforce are established” and “Individuals’ authorization for the data action is obtained”).

Finally, NIST has released two companion documents to the Draft Framework. First, a comparison document mapping the Draft Privacy Framework and Cybersecurity Framework Core functions onto each other. The Privacy Framework’s ‘Identify,’ ‘Protect, and ‘Respond’ functions closely align with the Cybersecurity Framework, whereas as the ‘Control’ and ‘Inform’ functions have no direct counterparts. Second, NIST released an “Informative References” guide that connects prior NIST publications and guidance to elements of the Draft Privacy Framework Core. NIST intends to develop a process for mapping external privacy guidance and best practices onto the Privacy Framework as new privacy management frameworks are developed.

Atlanta Drafting Workshop

On May 13 and 14, 2019, NIST held a public workshop at the Georgia Tech Scheller College of Business to gather feedback on the Discussion Draft. Panelists and participants were largely supportive of NIST’s process, the Framework’s risk-focused approach, and the overall goal of promoting a common language of privacy between different organizational roles and across borders. However, several areas of debate emerged that may set up potential revisions to future iterations of the Privacy Framework:

1. Definitions

The Privacy Framework establishes general definitions of “data” and “privacy risk” that focus on potential “adverse consequences” of data processing to individuals. For example, ‘data’ is defined as: “a representation of information with the potential for adverse consequences for individuals when processed.” NIST officials shared that these general definitions reflect a conscious decision to avoid tying the Framework to any specific legal regime or regulatory requirements.

Some participants questioned the choice to abandon the traditional privacy concepts of personally identifiable information and recognized privacy harms in the Draft Framework. In contrast, Amie Stepanovich, the U.S. Policy manager of Access Now, praised the Framework’s focus on adverse consequences to individuals for moving the Framework beyond a tool of minimum compliance and suggested that societal risks should also receive greater exploration in the Framework going forward. Some participants also expressed concern that crucial terminology in the Framework Core is not always defined or given appropriate context. For example, the concept of “authorization” for data processing lacks clarity on whether such authorization comes from the organization or consent of the data subject.

2. Core Functions

The Draft Privacy Framework’s five Core functions were developed to align with the Cybersecurity Framework and as a result present a novel framing of privacy issues. While the Core categories and subcategories lay out many familiar and important privacy practices, debate emerged over how these privacy activities and controls should be organized and emphasized. For example, conference host Prof. Peter Swire of Georgia Tech argued that the subcategory on meeting regulatory obligations should be removed from the ‘Identify’ function and instead be made a significant part of ‘Respond’ function, noting organizations’ ongoing efforts to manage compliance with the GDPR and California Consumer Privacy Act.

3. Compatibility with Different Legal Regimes

NIST is explicit that it does not want the Privacy Framework to become a ‘compliance checklist’ or to closely correspond to any particular privacy law. However, some participants expressed hope that conformity with the Privacy Framework could provide a basis for demonstrating compliance with international or state privacy laws or serve as a regulatory safe harbor as the Cybersecurity Framework does in certain jurisdictions. Some panelists were optimistic about this potential function. An industry panelist noted that in many countries companies are “expected to have a robust privacy management program in place and that is what this is.” A U.S. government representative also added that usage of the Framework could be a mitigating factor where regulators exercise discretion in enforcement. Other panelists were more skeptical, noting that unlike data security, privacy is a subjective concept that varies across different cultural values, which will raise difficulties in translating and applying the Framework to non-U.S. contexts.

4. Accessibility and Scalability

Finally, participants discussed ways to make the Privacy Framework scalable and accessible to a wide variety of organizations. Overall, participants were optimistic about the Framework’s utility in promoting clear communication between an organization’s executives, lawyers, and engineers. However, one panelist noted that the Framework’s language is most accessible to privacy engineers and suggested that the communications professionals responsible for internal privacy messaging should be recognized as another key stakeholder. Framework clarity and complexity also frequently emerged as potential barriers, sparking suggestions for an additional simplified outline of key baseline privacy measures that could be used by small organizations. Other participants argued that the Framework would benefit from additional guidance to help organizations assess the “Implementation Tier” of their privacy management practices.

Next Steps

NIST will release additional supplementary material based on feedback received at the Atlanta workshop. The agency is also soliciting private feedback on the Discussion Draft with a particular interest in the ability of the Framework to bridge the gap between lawyers and engineers; the appropriateness of the Core functions, categories, and subcategories; and the alignment between the Privacy and Cybersecurity Frameworks.

Going forward, NIST will host a final public workshop in Boise, Idaho this July. NIST intends to produce a preliminary draft of the Privacy Framework by July or August 2019, which will be followed by an additional public comment period. Finally, NIST anticipates publishing version 1.0 of the Privacy Framework in October 2019.