July 14, 2020


National Institute of Standards and Technology (NIST) Works on Building Privacy Engineering Guidelines

The National Institute of Standards and Technology publishes security risk management standards and guidance that formally apply to federal agencies but have been influential throughout the private sector. Now, NIST is looking to provide similar guidance on privacy risk management, holding its Second Privacy Engineering Workshop earlier this week to consider draft privacy engineering definitions and concepts.

NIST has said that its work is “focused on providing guidance to developers and designers of information systems that handle personal information,” with the expectation that such guidance “may be used to decrease risks related to privacy harms, and to make purposeful decisions about resource allocation and the effective implementation of controls.” According to the IAPP’s Privacy Advisor, this week’s workshop focused on defining terms, including “privacy engineering” and “problematic data actions,” and a theme that emerged was the difficulty of creating a “black-and-white standards framework” for privacy.

NIST’s security standards focus on the objectives of Confidentiality, Integrity and Availability, and NIST has proposed that its privacy engineering standards similarly build on design objectives, proposing the following three:

  • Predictability or enabling reliable assumptions about the rationale for collecting personal information and the data actions to be taken with personal information.

  • Manageability or providing the capability for authorized modification of personal information, including alteration, deletion, or selective disclosure of personal information.

  • Confidentiality, or preserving authorized restrictions on information access and disclosure. (NIST has said it would use the same definition of Confidentiality as in NIST Special Publication 800-53 Revision 4.)

The public comment period for the NIST Privacy Engineering Objectives and Risk Model Discussion Draft has been extended until October 10.

© 2020 Covington & Burling LLP

National Law Review, Volume IV, Number 261


About this Author

Elizabeth H. Canter, Data Security Attorney, Covington Law Firm

Libbie Canter has experience representing a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, with special expertise in advising those in highly-regulated sectors, including financial services companies and pharmaceutical and medical device manufacturers.

She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations. As part of her practice, she regularly...