The National Institute of Standards and Technology (NIST) published its request for information (RFI) covering a series of questions designed to assist in the development of a voluntary framework meant to improve the management of the privacy risk that could arise from the collection, storage and use of individuals’ information in the Federal Register on November 14, 2018.

NIST embarked on this Privacy Framework project recognizing that mobile devices, social media, the Internet of Things (IoT), artificial intelligence (AI) as well as machine learning, are combining in a manner that creates new concerns about individual privacy. NIST suggests that a scalable Privacy Framework could provide some assistance to organizations of all types in dealing with personally identifiable information.  Importantly, NIST envisions that any Privacy Framework that emerges from this process would be a tool to assist with enterprise risk management.  Specifically, the goal is for a Privacy Framework to provide a prioritized, flexible, risk-based, outcome based and cost effective approach to individuals’ data compatible with existing legal and regulatory regimes.

In October 2018, NIST held a first workshop on these issues in Austin, Texas.  From that event, NIST took away the following as minimum attributes of any Privacy Framework:

1. Consensus driven, developed and updated through a transparent process. The RFI suggests an open collaborative and transparent approach such as that used by NIST to develop its Cybersecurity Framework.

2. Use accessible language. The Framework should be understandable by those who are not privacy professionals, thus allowing communications among broader groups of stakeholders.

3. Adaptable to different organizations, technologies, lifecycle phases, sectors and uses. This attribute would require that any Privacy Framework be scalable to organizations of all sizes, both public and private, in any sector and that operate within or across borders. It would also be platform and technology agnostic, as well as customizable.

4. Risk-based, outcome based, voluntary and not prescriptive. It is envisioned that the Framework would focus on privacy outcomes and approaches and be a voluntary Framework for reference. This would assist organizations with managing privacy risk within their diverse environments without prescribing any specific management methods.

5. Readily usable as part of any enterprises’ broader risk management strategy and process. NIST envisions that the Framework would be consistent with or work to reinforce other risk management efforts already ongoing within an enterprise.

6. Compatible with or paired with other privacy approaches. Another critical attribute of any Framework is the ability for stakeholders to take advantage of existing privacy standards methodologies and guidance. It should also be compatible with and support any organization’s ability to operate under applicable domestic and international legal or regulatory regimes.

7. A living document. NIST envisions that the Framework would be revised and updated as technology and approaches to privacy protection change.

NIST’s RFI invites stakeholders to submit ideas to assist in prioritizing elements of this proposed Privacy Framework.  This RFI process is meant to better identify and understand the common privacy challenges and to gain a greater awareness about the extent to which organizations are already identifying and communicating privacy risk or have already incorporated privacy risk management standards, guidelines or best practices into their operations.  NIST also hopes to specify high-priority gaps for which privacy guidelines, best practices or new standards might be most useful as part of a Framework.

Key to risk management elements is understanding  how organizations assess risk and how privacy considerations already factor into enterprise risk assessment.  NIST seeks to understand current use of existing privacy standards, guidelines or principles.  NIST is also interested in whether any of these existing frameworks or best practices mandated by legal or regulatory requirements create challenges for organizations.  NIST also seeks input regarding options for structuring a privacy framework.

NIST also seeks comment on core privacy practices that are broadly applicable across sectors and organizations.  The RFI seeks comment on the degree of whether adoption of practices, products and services–such as de-identification of users, enablement of user preferences, use of cryptography or other forms of data management, including tracking permissions–are already widespread.

NIST has  announced a public webinar on November 29, 2018 to explain further its stakeholder engagement process and to expound upon issues of particular interest to NIST in its Framework development. The deadline for comments is December 31, 2018.

This Privacy Framework represents a standalone effort from the National Telecommunications and Information Administration’s (NTIA) own recent request for public comment on the Administration’s proposed approach to consumer privacy matters.