NIST, data privacy, privacy framework, ImageQuest

As a patchwork of privacy regulations start to appear at the state level in the U.S., the National Institute of Standards and Technology (NIST) has released guidance on how to keep data private.

The new, “version 1.0” framework is designed to help enterprises manage privacy risks. It follows a similar framework tool developed to manage cybersecurity risk.

“Our data-driven society has a tricky balancing act to perform: building innovative products and services that use personal data while still protecting people’s privacy,” the federal agency said on its website. “To help organizations keep this balance, (NIST) is offering a new tool for managing privacy risk.”

What is privacy risk? NIST offered some examples.
NIST privacy framework, fig 3, ImageQuest

The agency describes risks as ranging from dignity-type effects such as embarrassment or stigmas to more tangible harms such as discrimination, economic loss, or physical harm.

For example, NIST cites how utilities are installing “smart meters” as part of the Smart Grid, a nationwide technology effort to increase energy efficiency. “The ability of these meters to collect, record, and distribute highly granular information about household electrical use could provide insight into people’s behavior inside their homes,” NIST wrote.

In other words, if your organization collects data about your users/customers/clients, there is a risk where “the data processing could lead to people feeling surveilled.”

Naomi Lefkovitz, senior privacy policy advisor for NIST, told SecurityBoulevard.com that the document is “a natural extension” of the agency’s development of a widely-adopted cybersecurity policy tool.

This new NIST tool was spurred by the increasing number of data privacy incidents, and by the increasing number of states working on data privacy regulations, she said. But those regulations are a patchwork of inconsistency so far.

As NIST is the government’s source of technical standards, NIST decided to help organizations figure out best practices with a tool helpful from a legal and technology perspective.

The goal of the new framework is to help organizations better align their engineering efforts and business processes around privacy goals and policies before an application is built and deployed, Lefkowitz said.

The new, version 1.0  framework also is available for download here.

The agency seeks feedback on the tool.