NIST Privacy Framework Version 1.0 Now Released

Share this article on:

On January 16, 2020, the National Institute of Standards and Technology (NIST) issued version 1.0 of its Privacy Framework. The purpose of the Privacy Framework is to help organizations of all sizes use personal data such as protected health information while effectively managing privacy risks.

The Privacy Framework is a voluntary tool that not only helps with privacy risk management, it is also useful for achieving and demonstrating compliance with privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA), New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, and the EU’s General Data Protection Regulation (GDPR).

The Privacy Framework helps organizations identify the privacy outcomes they want to achieve, provides strategies to adopt to improve privacy protections and achieve those privacy goals, clarifies privacy management concepts, and explains how it can be used in conjunction with the NIST Cybersecurity Framework and how both work together. NIST explains that organizations that have adopted the NIST Cybersecurity Framework and have a good security posture but may not have addressed all of their privacy risks.

Version 1.0 retains the structure of the September 2019 draft version but includes several updates in response to public feedback. As with the draft version, the Privacy Framework consists of three sections: Core is a set of privacy activities, Profiles helps organizations determine which activities are required to achieve their privacy goals, and the Implementation Tiers section guides organizations through the process of optimizing their resources to address privacy risks.

“What you’ll find in the framework are building blocks that can help you achieve your privacy goals, which may include laws your organization needs to follow,” explained Naomi Lefkovitz, senior privacy policy adviser at NIST. “If you want to consider how to increase customer trust through more privacy-protective products or services, the framework can help you do that. But we designed it to be agnostic to any law, so it can assist you no matter what your goals are.”

The Privacy Framework is not only concerned with protecting sensitive data such as Social Security numbers, it will help to ensure that lower value data is also protected; such as data types that could be combined with others and become sensitive as a unit. New uses for data are regularly being discovered, such as for artificial intelligence. It is therefore important to adopt a framework for managing privacy risks that rather than having a checklist of tasks to perform. Adoption of the Privacy Framework will allow organizations to develop policies, procedures, and strategies to protect data, manage privacy risks effectively, and ensure those risks continue to be managed over time.

The framework will help organizations future-proof their products and services with privacy practices that will adapt to changing technologies, policies, and new legislation. The framework also addresses some privacy aspects that are missing from HIPAA but are particularly relevant today due to advances in technology.

“People continue to yearn for more guidance on how to do privacy risk management,” said Naomi Lefkovitz. “We have released a companion roadmap for the framework to point the way toward more research to address current privacy challenges, and we are building a repository of guidance resources to support implementation of the framework. We hope the community of users will contribute to it to advance privacy for the good of all.”

The NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management is available for download on NIST’s website (PDF).

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On