What is the NIST Privacy Framework?
Why is the Privacy Framework needed?
How is the Privacy Framework structured?
How can I learn more about how the Privacy Framework was developed?
For whom is the NIST Privacy Framework intended?
Will anyone be required to use the Privacy Framework?
How can organizations engage with or use the Privacy Framework?
Is there an Executive Order or other authoritative driver for the Privacy Framework effort?
What are next steps for the Privacy Framework?
Who can answer additional questions regarding the Privacy Framework?
Can my organization become an early adopter of the Privacy Framework?
Does the Privacy Framework have Informative References?
What are Implementation Tiers and how do I use them?
Does the Privacy Framework address the privacy of business information?
Can the Privacy Framework be used to address privacy risks with emerging technologies such as the Internet of Things (IoT) and Artificial Intelligence (AI)?
What is the relationship between the Cybersecurity Framework and the Privacy Framework?
How does the Privacy Framework relate to other NIST cybersecurity and privacy efforts and guidance, including those for federal agencies?
How does the Privacy Framework relate to other international frameworks promoted by the Department of Commerce?
Is the Privacy Framework interoperable with global privacy standards?
Does use of the Privacy Framework ensure or guarantee that an organization is compliant with laws and regulations?
Will NIST provide crosswalks between the Privacy Framework and laws and regulations?
I don’t see a Subcategory specific to a legal obligation I have. How do I use the Core to address this?
What is the relationship between privacy risk assessments, Privacy Impact Assessments, and Data Protection Impact Assessments?
Why doesn’t the Privacy Framework use terms like “personal data” or other defined terms from laws and regulations?
What is the NIST Privacy Framework?
The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework or Framework) is a voluntary tool intended to help organizations identify and manage privacy risk so that they can build innovative products and services while protecting individuals’ privacy. The Framework enables organizations to communicate and prioritize their privacy protection activities and outcomes to address diverse privacy needs, develop more effective solutions that can lead to better outcomes for individuals and organizations, and stay current with technology trends, such as artificial intelligence and the Internet of Things. The Privacy Framework is designed to be compatible with existing domestic and international legal and regulatory regimes and usable by any type of organization to enable widespread adoption.
Why is the Privacy Framework needed?
It is a challenge to design, operate, or use technologies in ways that are mindful of diverse privacy needs in an increasingly connected and complex environment. Cutting-edge technologies such as the Internet of Things and artificial intelligence are raising further concerns about their impacts on individuals’ privacy. Inside and outside the U.S., there are multiplying visions for how to address these challenges. Deriving benefits from data while simultaneously managing risks to individuals’ privacy is not well-suited to one-size-fits-all solutions. Accordingly, the National Institute of Standards and Technology (NIST) developed a voluntary privacy framework, in collaboration with private and public sector stakeholders, to help organizations with:
How is the Privacy Framework structured?
The Privacy Framework follows the structure of the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework) to facilitate their joint use. As with the Cybersecurity Framework, the Privacy Framework is composed of three parts: the Core, Profiles, and Implementation Tiers. Each component reinforces privacy risk management through the connection between business and mission drivers, organizational roles and responsibilities, and privacy protection activities.
How can I learn more about how the Privacy Framework was developed?
The Privacy Framework is the result of robust, transparent, consensus-based collaboration with private and public sector stakeholders that began in September 2018. To develop this tool, NIST released iterative drafts of the Framework and collected feedback through three public workshops, a request for information, a request for comment, five webinars, and many direct interactions with stakeholders. NIST published Version 1.0 of the Privacy Framework on January 16, 2020. Visit the Development Archive to access various resources, including workshop videos, summaries, Framework drafts, and other supporting materials from the development process.
For whom is the NIST Privacy Framework intended?
The Privacy Framework is intended to be widely usable by organizations of all sizes, regardless of their role(s) in the data processing ecosystem. It also is designed to be agnostic to any particular technology, sector, law, or jurisdiction, and to encourage collaboration across different parts of an organization’s workforce, including executives, legal, and cybersecurity.
Will anyone be required to use the Privacy Framework?
No. The Privacy Framework is a voluntary tool. It provides a flexible way to help organizations identify and manage privacy risks within diverse environments. It is not a set of prescriptive, one-size-fits-all requirements. The Framework is designed to be law- and regulation-agnostic to facilitate organizations’ ability to operate under different domestic and international legal or regulatory regimes. Each user organization can determine the most appropriate use of the Privacy Framework for its needs.
How can organizations engage with or use the Privacy Framework?
There are many ways for organizations to use the Privacy Framework, as it is designed to complement existing business and system development operations. For example, an organization may already have robust privacy risk management processes, but may use the Core’s five Functions as a streamlined way to analyze and articulate any gaps. Alternatively, an organization seeking to establish a privacy program can use the Core’s Categories and Subcategories as a reference. The Privacy Framework Resource Repository provides resources such as crosswalks to laws and regulations, standards, and frameworks; common Profiles; and guidance and tools for implementation support. For more information about adoption, visit the Adoption page. Organizations can also email the Privacy Framework team at NIST with questions.
Stakeholders are invited to subscribe to the Privacy Framework mailing list to receive periodic updates about events and opportunities to engage.
Is there an Executive Order or other authoritative driver for the Privacy Framework effort?
No. However, there has been strong interest in the private and public sectors for this type of resource. NIST has a long track record of successfully and collaboratively working with stakeholders to develop guidelines and standards. In keeping with its mission and in response to stakeholder needs, NIST worked with stakeholders to develop this voluntary Privacy Framework as an enterprise-level tool to assist organizations with their ability to manage privacy risk and increase trust in their products and services.
What are next steps for the Privacy Framework?
With the release of Version 1.0, NIST will focus on use of the Framework, including promoting contributions of crosswalks, common Profiles, tools, and guidance to the online Resource Repository to support organizations’ implementation efforts. NIST has also released a roadmap that outlines challenges and areas for further research to enable better privacy risk management. NIST encourages stakeholders to engage and work together to address these challenges. The Framework is a living document, and NIST will continue to serve in the capacity of convener and coordinator to gather lessons learned and ensure that the Framework continues to evolve to meet the needs of stakeholders. NIST will receive and consider comments informally until such time as it announces a new public process for revising Version 1.0.
Can my organization become an early adopter of the Privacy Framework?
Of course! Any organization may use the Privacy Framework. Being an early adopter means showing leadership in privacy. Organizations are encouraged to adopt the Framework and share insights as feedback to NIST. Visit the Adoption page to learn more. Organizations can also email the Privacy Framework team at NIST with questions.
Does the Privacy Framework have Informative References?
Rather than embedding Informative References in the Core as the Cybersecurity Framework currently does, NIST has created a Resource Repository on the Privacy Framework website. This repository contains resources to support organizations’ use of the Privacy Framework, including crosswalks, common Profiles, guidance, and tools. NIST has provided mappings of NIST guidance to the Privacy Framework in the repository, and encourages contributions from the public, as well as feedback on these resources, as part of the ongoing collaborative effort to improve implementation of the Privacy Framework.
What are Implementation Tiers and how do I use them?
Implementation Tiers provide a point of reference on how an organization views privacy risk and whether it has sufficient processes and resources in place to manage that risk. Tiers reflect an organization’s progression from informal, reactive responses to approaches that are agile and risk-informed, and can help an organization gauge its placement on a scale ranging from Tier 1 (Partial) and Tier 2 (Risk Informed) through Tier 3 (Repeatable) to Tier 4 (Adaptive). Within each Tier, there are four elements: Privacy Risk Management Process, Integrated Privacy Risk Management Program, Data Processing Ecosystem Relationships, and Workforce, which can be assessed independently of each other. See Appendix E of the Framework for definitions.
Organizations may use the Implementation Tiers in whatever way works best for them. Some organizations score them against the Subcategories in the Core. For example, they assign a number from 1 to 4 for each of the four elements for each Subcategory in their Current and Target Profiles. This can help them determine whether any additional efforts or resources are needed to achieve the Subcategory. Other organizations simply assign a number from 1 to 4 for each of the elements as a holistic benchmark of where the organization is currently and where it wants to be. For example, perhaps an organization considers its workforce currently at a 2 with respect to privacy, but believes that it needs to be at a 4. This could help drive budget discussions as well as hiring plans and a training curriculum. Organizations may create additional Tiers or elements as needed.
Although organizations at Tier 1 will likely benefit from moving to Tier 2, not all organizations need to achieve Tier 3 or 4. It depends on whether an organization’s processes or resources at its current Tier are sufficient to help it manage its privacy risks. Successful implementation of the Privacy Framework is based upon achieving the outcomes described in an organization’s Target Profile(s) and does not depend upon its determination about Tiers.
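The Subcategory-level and holistic scoring described above lend themselves to a small gap analysis. The following is an added example, not NIST's code or a Framework artifact: it takes a Current and a Target Profile, each scoring the four Tier elements from 1 to 4 per Subcategory, and reports where and by how much the organization falls short. The Tier names and the four elements are the Framework's own; the Subcategory IDs and scores are constructed sample data, and the rule that a Subcategory missing from the Current Profile is treated as Tier 1 is an assumption of this example, not a Framework rule.

```python
from __future__ import annotations

# Added example (not NIST's code). Tier names and the four elements are from
# the Privacy Framework; Subcategory IDs and scores below are constructed.

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
ELEMENTS = (
    "Privacy Risk Management Process",
    "Integrated Privacy Risk Management Program",
    "Data Processing Ecosystem Relationships",
    "Workforce",
)

# A Profile maps Subcategory ID -> element -> Tier (1-4).
Profile = dict[str, dict[str, int]]


def validate(profile: Profile) -> None:
    """Reject profiles with missing/unknown elements or Tiers outside 1-4."""
    for subcat, scores in profile.items():
        if set(scores) != set(ELEMENTS):
            raise ValueError(f"{subcat}: expected exactly the four elements, got {sorted(scores)}")
        for elem, tier in scores.items():
            if tier not in TIERS:
                raise ValueError(f"{subcat}/{elem}: Tier {tier!r} is not in 1-4")


def tier_gaps(current: Profile, target: Profile) -> dict[str, dict[str, tuple[int, int]]]:
    """Per Subcategory and element, (current, target) wherever target exceeds current.

    Assumption of this example: a Subcategory present only in the Target
    Profile is treated as Tier 1 (Partial) on every element.
    """
    validate(current)
    validate(target)
    gaps: dict[str, dict[str, tuple[int, int]]] = {}
    for subcat, tgt_scores in target.items():
        cur_scores = current.get(subcat, {e: 1 for e in ELEMENTS})
        for elem in ELEMENTS:
            cur, tgt = cur_scores[elem], tgt_scores[elem]
            if tgt > cur:
                gaps.setdefault(subcat, {})[elem] = (cur, tgt)
    return gaps


def element_benchmark(current: Profile, target: Profile) -> dict[str, dict[str, int]]:
    """Holistic view: per element, how many Subcategories fall short and the largest shortfall."""
    summary = {e: {"short": 0, "max_gap": 0} for e in ELEMENTS}
    for scores in tier_gaps(current, target).values():
        for elem, (cur, tgt) in scores.items():
            summary[elem]["short"] += 1
            summary[elem]["max_gap"] = max(summary[elem]["max_gap"], tgt - cur)
    return summary


def prioritized(current: Profile, target: Profile) -> list[tuple[int, str, str, int, int]]:
    """Gaps ordered largest first as (gap, subcat, element, current, target)."""
    rows = [(tgt - cur, subcat, elem, cur, tgt)
            for subcat, scores in tier_gaps(current, target).items()
            for elem, (cur, tgt) in scores.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def report(current: Profile, target: Profile) -> list[str]:
    """Human-readable lines for budget or hiring discussions."""
    return [f"{subcat} / {elem}: Tier {cur} ({TIERS[cur]}) -> Tier {tgt} ({TIERS[tgt]}), gap {gap}"
            for gap, subcat, elem, cur, tgt in prioritized(current, target)]


def _scores(process: int, program: int, ecosystem: int, workforce: int) -> dict[str, int]:
    return dict(zip(ELEMENTS, (process, program, ecosystem, workforce)))


# Constructed sample Profiles (IDs chosen for illustration only).
CURRENT_PROFILE: Profile = {
    "ID.RA-P1": _scores(2, 2, 1, 2),
    "CM.AW-P1": _scores(3, 2, 2, 2),
    "GV.PO-P1": _scores(2, 1, 2, 1),
}
TARGET_PROFILE: Profile = {
    "ID.RA-P1": _scores(3, 3, 2, 3),
    "CM.AW-P1": _scores(3, 3, 2, 4),
    "GV.PO-P1": _scores(2, 2, 2, 2),
}

if __name__ == "__main__":
    for line in report(CURRENT_PROFILE, TARGET_PROFILE):
        print(line)
    for elem, s in element_benchmark(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{elem}: {s['short']} Subcategories short, largest gap {s['max_gap']}")
```

The per-Subcategory output answers the first question in the text (which Subcategories need more effort or resources to reach the Target Profile), while element_benchmark collapses the same scores into the holistic per-element view; in the sample data it is the Workforce element that shows both the most shortfalls and the largest single gap.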
Does the Privacy Framework address the privacy of business information?
No. The Privacy Framework is centered on protecting individuals’ privacy (whether singly or at the group or societal level) as a means of safeguarding important values around human autonomy and dignity. Protecting business information can be addressed through cybersecurity safeguards.
Can the Privacy Framework be used to address privacy risks with emerging technologies such as the Internet of Things (IoT) and Artificial Intelligence (AI)?
Yes. Although emerging technologies such as IoT and AI can provide many significant benefits, they also can raise privacy risks. The Privacy Framework provides a foundation for organizations to consider the policies, processes, and capabilities they may need to manage these risks.
What is the relationship between the Cybersecurity Framework and the Privacy Framework?
NIST modeled the development of the Privacy Framework on the successful, open, transparent, and collaborative approach used to develop the Cybersecurity Framework. During this process, numerous stakeholders requested alignment with the structure of the Cybersecurity Framework so the two frameworks could more easily be used together. In response to this feedback, the Privacy Framework follows the structure of the Cybersecurity Framework, composed of three parts: the Core, Profiles, and Implementation Tiers.
Throughout the development process, there was significant discussion about the degree to which the Privacy Framework should reproduce content from the Cybersecurity Framework. NIST recognizes the importance of collaboration between privacy and cybersecurity teams. At the same time, organizations approach this collaboration in different ways. The Privacy Framework addresses the overlap by providing flexibility while encouraging collaboration.
Organizations can use the five Privacy Framework Functions (Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P) to manage privacy risks arising from data processing. Protect-P is specifically focused on managing risks associated with security-related privacy events (e.g., privacy breaches). To further support the management of such risks, organizations may choose to use the Detect, Respond, and Recover Functions from the Cybersecurity Framework. Alternatively, organizations may use all five of the Cybersecurity Framework Functions in conjunction with Identify-P, Govern-P, Control-P, and Communicate-P to collectively address privacy and security risks. NIST will continue to work to simplify the approach to its various frameworks.
How does the Privacy Framework relate to other NIST cybersecurity and privacy efforts and guidance, including those for federal agencies?
NIST coordinates across program and research areas to leverage expertise from various domains, promote alignment, and improve NIST guidance. Although some NIST guidance is primarily directed towards federal agencies to help them comply with statutory or federal policy requirements, this Framework, as a voluntary tool, is envisioned to help organizations of all kinds better manage privacy risks within their diverse environments. NIST has drawn upon its body of work in security and privacy risk management in the process of developing this Framework. Mappings of NIST guidance to the Privacy Framework may be found in the Resource Repository.
How does the Privacy Framework relate to other international frameworks promoted by the Department of Commerce?
While use of the Privacy Framework does not mean that organizations are automatically in compliance with Privacy Shield or the APEC Cross-Border Privacy Rules (CBPR) system, organizations can use their achievement of the privacy protection activities and outcomes outlined in the Framework to better demonstrate how they may be meeting specific requirements under Privacy Shield or APEC CBPR.
Is the Privacy Framework interoperable with global privacy standards?
The Privacy Framework is intended to be agnostic to any particular technology, sector, standard, law, or jurisdiction. It provides a foundation for organizations to consider the types of privacy protection activities and outcomes that they may need to demonstrate conformance with global privacy standards. Visit the Privacy Framework Resource Repository to browse or contribute crosswalks between the Framework and global standards.
Does use of the Privacy Framework ensure or guarantee that an organization is compliant with laws and regulations?
No. Although organizations can use the Privacy Framework to communicate about and prioritize the types of privacy protection activities and outcomes that may be needed for compliance, simply using the Framework does not ensure compliance. Crosswalks between the Privacy Framework and different laws and regulations may be found in the Resource Repository to help organizations with prioritizing activities or outcomes that can enable them to better demonstrate how they may be achieving various legal obligations.
Have a crosswalk to share in the Resource Repository? NIST encourages contributions.
Will NIST provide crosswalks between the Privacy Framework and laws and regulations?
Although NIST is not an authoritative source for crosswalks between the Privacy Framework and laws and regulations, NIST has developed a process for external organizations to contribute their own crosswalks. Visit the Resource Repository to view available crosswalks and learn how to contribute.
I don’t see a Subcategory specific to a legal obligation I have. How do I use the Core to address this?
The Privacy Framework provides the building blocks for executing on legal obligations without using terms or requirements specific to a given law or jurisdiction. It is designed to be jurisdiction- and sector-agnostic so that a wide variety of organizations can use it. Organizations can use the Framework to consider the kinds of policies and capabilities they need to meet a specific legal obligation. Organizations may need to combine several Subcategories together. For example, consider an organization that is legally required to respond to individuals’ data access requests. The organization might use the three Subcategories noted below as a starting point for addressing policies for data access, technical capabilities for data review, and identity management to facilitate this process.
See the NIST Hypothetical Use Cases for more examples of how Subcategories might be combined to manage privacy risk or address legal obligations.
What is the relationship between privacy risk assessments, Privacy Impact Assessments, and Data Protection Impact Assessments?
Data Protection Impact Assessments (DPIAs) and Privacy Impact Assessments (PIAs) are terms derived from policy and regulation; the Privacy Framework, however, is designed to be jurisdiction- and sector-agnostic. The Framework provides the building blocks for executing on these legal obligations without using terms specific to a given law or jurisdiction. For example, privacy risk assessment is an important activity that supports conducting DPIAs and PIAs. DPIAs and PIAs also may require a public reporting component. Thus, organizations that need to conduct DPIAs and PIAs may use the Framework to help prioritize activities under Category ID.RA-P and Subcategory CM.AW-P1, described below, which collectively could help them to meet their legal obligations.
Why doesn’t the Privacy Framework use terms like “personal data” or other defined terms from laws and regulations?
Numerous privacy laws and regulations have been established throughout the world with terms and definitions that can vary. The Privacy Framework is intended to be usable by a wide range of organizations and agnostic to any particular law or jurisdiction. As a result, terms used in the Framework are defined as broadly as possible to enable a risk-based and flexible approach that allows organizations to use the Framework within their unique contexts.