1. Why is a privacy framework needed?
It is a challenge to design, operate, or use technologies in ways that are mindful of diverse privacy needs in an increasingly connected and complex environment. Cutting-edge technologies such as the Internet of Things and artificial intelligence are raising further concerns about their impacts on individuals’ privacy. Inside and outside the U.S., there are multiplying visions for how to address these challenges. Accordingly, the National Institute of Standards and Technology (NIST) is developing a voluntary privacy framework, in collaboration with private and public sector stakeholders, to help organizations: better identify, assess, manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals’ privacy; and increase trust in products and services.
2. What will the NIST Privacy Framework look like?
While good cybersecurity practices help manage privacy risk by protecting people’s information, privacy risks also can arise from how organizations collect, store, use, and share this information to meet their mission or business objective, as well as how individuals interact with products and services. NIST believes that organizations that design, operate, or use these products and services would be better able to address the full scope of privacy risk with more tools to support better implementation of privacy protections.
The voluntary framework is envisioned to provide a catalog of privacy outcomes and approaches for organizations of all kinds to better identify, assess, manage, and communicate about privacy risks so that individuals can enjoy the benefits of innovative technologies with greater confidence and trust. It should be compatible with existing domestic and international legal and regulatory regimes in order to be the most useful to organizations and enable widespread adoption.
3. Will anyone be required to use the NIST Privacy Framework?
The NIST Privacy Framework will be a voluntary tool. To foster innovation in products and services and to promote research for and adoption of effective privacy solutions, the framework should provide a catalog of privacy outcomes and approaches to be used voluntarily, rather than a set of one-size-fits-all requirements. It should assist organizations in better managing privacy risks within their diverse environments, rather than prescribing the methods for managing privacy risk. The framework should also be compatible with and support organizations’ ability to operate under applicable domestic and international legal or regulatory regimes.
4. What is NIST’s process for developing the Privacy Framework, and how can organizations engage?
NIST will model the approach for this framework on the successful, open, transparent, and collaborative approach used to develop the Framework for Improving Critical Infrastructure Cybersecurity. NIST will convene and work with industry, civil society groups, academic institutions, Federal agencies, state, local, territorial, tribal, and foreign governments, standard-setting organizations, and others, conducting extensive outreach through a series of workshops and requests for public comment. Throughout the next year, these engagement opportunities will offer stakeholders the ability to participate and play a formative role in developing a tool that is useful and effective for a wide range of organizations. For more information, see the development schedule. To receive periodic updates about the process and opportunities to engage, subscribe to the Privacy Framework mailing list.
5. For whom is the NIST Privacy Framework intended?
The NIST Privacy Framework is intended to be adaptable to many different organizations, technologies, lifecycle phases, sectors, and uses. It should be scalable to organizations of all sizes, public or private, in any sector, and operating within or across domestic borders. It should also be platform- and technology-agnostic and customizable.
6. What is the relationship between the NIST Privacy Framework and the privacy approach the U.S. Department of Commerce is developing?
The U.S. Department of Commerce is developing a forward-thinking approach that supports innovation and strong consumer privacy protections. NIST is collaborating with the private and public sectors to develop a voluntary privacy framework to help organizations: better identify, assess, manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals’ privacy; and increase trust in products and services. In parallel with this effort, the Department of Commerce’s National Telecommunications and Information Administration (NTIA) is developing a set of privacy principles in support of a U.S. approach that advances consumer privacy protections while protecting prosperity and innovation, and coordinating with the department’s International Trade Administration to ensure consistency with international policy objectives. While the NTIA is seeking public input focused on further developing U.S. domestic policy, the NIST framework is envisioned as an enterprise-level privacy risk management tool that can be compatible with and support organizations’ ability to operate under applicable domestic and international legal or regulatory regimes.
7. What is the relationship between the Cybersecurity Framework and the NIST Privacy Framework currently under development?
NIST is modeling the development of the Privacy Framework on the successful, open, transparent, and collaborative approach used to develop the Cybersecurity Framework. While good cybersecurity practices help manage privacy risk by protecting information, those cybersecurity measures alone are not sufficient to address the full scope of privacy risks that also can arise from how organizations collect, store, use, and share this information to meet their mission or business objective, as well as how individuals interact with products and services.
In response to initial public input, NIST has released for discussion an outline of the Privacy Framework that provides a high-level, structural alignment to the Cybersecurity Framework—proposing inclusion of a Core (consisting of functions, categories, subcategories, and informative references), Profile, and Implementation Tiers. This structure would enable a risk- and outcome-based approach and has contributed to the success of the Cybersecurity Framework as an accessible communication tool. In addition, the alignment aims to reduce complexity for organizations that already use the Cybersecurity Framework.
8. How does the NIST Privacy Framework relate to other NIST cybersecurity and privacy guidance and work?
NIST consistently coordinates across program and research areas to leverage the appropriate expertise from various domains and to promote alignment and improvement of NIST guidance. Although some NIST guidance is primarily directed towards Federal agencies to help them comply with statutory or Federal policy requirements, this framework - as a voluntary tool - is envisioned to help organizations of all kinds better manage privacy risks within their diverse environments. NIST will coordinate accordingly and draw upon its current work in security and privacy risk management in the process of developing the framework while recognizing that different uses may necessitate different types of tools.
9. Is there an Executive Order or other authoritative driver for NIST to do this work?
No. In keeping with its mission, NIST is developing a voluntary privacy framework as an enterprise-level tool to assist organizations with better management of privacy risks within their diverse environments and increase trust in products and services. NIST has a long track record of successfully and collaboratively working with the private sector and federal agencies to develop guidelines and standards. With experience in developing the Framework for Improving Critical Infrastructure Cybersecurity, and extensive privacy expertise in its Privacy Engineering Program, NIST is well positioned to lead the development of the Privacy Framework.