How to Use the NIST Privacy Framework

May 20, 2021 | By IANS Faculty

After defining the NIST Privacy Framework in another piece, we now turn our focus to specific use cases. In this piece we outline three common ways organizations across industries can use the NIST Privacy Framework, along with some additional ways in which security teams can leverage it.

NIST Privacy Framework Use Cases

Organizations across all industries can leverage the NIST Privacy Framework in the following ways:

  1. Build a new privacy program
  2. Improve an existing one
  3. Meet specific compliance requirements

Building a New Privacy Program

It’s important to remember that the Privacy Framework is a set of voluntary tools (they are not legal requirements, although they support legal requirements) that can be used to build a privacy program from scratch. This applies to the smallest of organizations and the largest, in any sector and in any location.

The NIST Privacy Framework provides the building blocks for this effort using terminology that is not tied to particular laws, regulations or sectors. Any organization can therefore use the framework without adopting vocabulary that implies concepts applicable only in certain industries.

Improving an Existing Privacy Program

Many organizations have already established a privacy program. However, they may still struggle to address all of their applicable privacy requirements and may lack insight into all of their privacy risks. Such organizations can compare the components of their existing privacy management program against the components of the Privacy Framework to identify where gaps exist and where improvements can be made.

Meeting Legal Compliance

Even though the Privacy Framework does not name specific laws or regulations, it is still a useful tool for determining the kinds of policies, procedures, training, actions and other capabilities an organization needs to meet a specific legal obligation or the requirements of several laws and regulations at once. Depending on its legal requirements, an organization may be able to use a single Subcategory or may need to combine several Subcategories.

For example, multiple regulations require organizations to respond to individuals’ requests for access to the data associated with them. Using the Privacy Framework, an organization might start addressing those requirements with the following Subcategories (labeled as they appear in the Privacy Framework):

CT.PO-P2 (in the Control Function): Policies, processes, and procedures for enabling data review, transfer, sharing or disclosure, alteration, and deletion are established and in place (e.g., to maintain data quality, manage data retention).

CT.DM-P1 (in the Control Function): Data elements can be accessed for review.

PR.AC-P1 (in the Protect Function): Identities and credentials are issued, managed, verified, revoked, and audited for authorized individuals, processes, and devices.

These can serve as a starting point for writing the data access policies, for building the technical capability to retrieve a person’s data for review, and for the identity management needed to verify that a requester is who they claim to be before any data is released.

For further examples of how the Privacy Framework can support legal compliance, see the NIST Hypothetical Use Cases. They demonstrate how Subcategories can be combined to manage privacy risk or address legal obligations.

Additional Uses for NIST Privacy Framework

We’ve detailed just a few of the many ways in which organizations can use the NIST Privacy Framework to support privacy program management. Additional uses include, but are not limited to:

  • Creating supporting procedures and practices that enable individuals’ privacy rights.
  • More effectively collaborating with the cybersecurity program.
  • Supporting vendor privacy management oversight.
  • Helping organizational executives better understand the need for privacy actions.
  • Performing privacy impact assessments and privacy risk assessments.
  • Complementing the use of the NIST Privacy Engineering Program.
  • Providing a framework within which an organization’s chosen privacy principles can be implemented, whether those be the Fair Information Practice Principles (FIPPs), OECD Privacy Guidelines, ISACA Privacy Principles, Queensland National Privacy Principles, New Zealand’s Privacy Principles, APEC Information Privacy Principles or some of the many other principles.

NIST Privacy Framework Considerations

As with any guidance, the framework will need to be updated over time to reflect changes in laws, society, technology, business practices and other considerations. However, this first version already provides a wide array of tools that organizations can use now as they create or update their privacy management program.
