What is the NIST Privacy Framework?

May 18, 2021 | By IANS Faculty

The NIST Privacy Framework Version 1.0 consists of three primary parts: The Core, Profiles and Tiers. Because it generally does not use industry-, regulatory- or technology-specific terminology (meaning the terms used are not unique to an industry, standard or law that only a specific audience would understand), any organization of any size and in any type of sector can use the NIST Privacy Framework to more effectively build or update their privacy management program.

NIST Privacy & Privacy Management

The document is designed to help organizations meet NIST’s goals for privacy management, including:

  • Building customer trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
  • Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment;
  • Facilitating communication about privacy practices with customers, assessors and regulators.

NIST Privacy Framework Structure

The Privacy Framework was structured similarly to the NIST Cybersecurity Framework to make it easier for organizations to use them both. Just like the Cybersecurity Framework, the Privacy Framework has three parts: 1) the Core, 2) Profiles and 3) Tiers. 

The Core

The Core is designed to enable a dialog – from the executive level to the implementation/operations level – about important privacy activities and desired outcomes. While the Core provides a wide range of activities and numerous privacy outcomes for organizations to identify as necessary for their organization to meet, it is not meant to be a comprehensive listing. Instead, it is meant to be a starting point from which more outcomes can be added over time.

Activities and outcomes are grouped within five Functions, described at a very high level as follows:

Identify-P: This Function (abbreviated as ID-P) includes descriptions of many of the actions that may be necessary to develop an organizational understanding of how to manage privacy risk when handling information, and of individuals’ direct and indirect privacy interests.

Govern-P: This Function (abbreviated as GV-P) includes descriptions of many of the actions that may be necessary to develop and implement an organizational privacy governance program to stay aware of risks and determine how to mitigate them.

Control-P: This Function (abbreviated as CT-P) includes descriptions of many of the actions that may be necessary to enable organizations and individuals to handle data with enough granularity to effectively manage and control privacy risks throughout the full data lifecycle.

Communicate-P: This Function (abbreviated as CM-P) includes descriptions of many of the actions that may be necessary to support organizations and individuals to enable a consistent and accurate understanding of privacy risks, to enable them to engage in communications about the ways in which data is processed that may involve privacy risks, and to clearly describe the mitigating actions taken to reduce the risks.

Protect-P: This Function (abbreviated as PR-P) includes descriptions of many of the actions that may be necessary to effectively safeguard data and to prevent cybersecurity-related privacy events. This is the Function where the most overlaps between privacy and cybersecurity risk management are found.

Each Function represents a different kind of foundational privacy activity, at the highest level. Of course, organizations will need to do very specific types of activities to support each Function. Therefore, each of these Functions is further broken down into Categories, which cover the types of activities that are applicable for the Function. In turn, most of the Categories are then broken into Subcategories to provide a set of granular results that represent the desired types of privacy outcomes for each Category.

However, all the descriptions provided here are very high-level. Organizations should read the full NIST Privacy Framework V1.0 to get more details and a better understanding of the goals and uses for each of the Core Functions, Categories and Subcategories.

Profiles

Profiles enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risks. Profiles comprise specifically chosen Functions, Categories and Subcategories. They will vary in scope, and from one organization to the next, because of the inherent differences in their processing environments.

Profiles can be very useful in describing the current state of an organization’s privacy practices, as well as the desired target state of specific privacy activities. Organizations can create a Current Profile to represent the privacy outcomes currently in place, and then a Target Profile can be used to indicate the results of organizational activities necessary to reach the organization’s privacy risk management goals.

Organizations can use the differences between the Current Profile and the Target Profile to determine the gaps in their processing environment that need to be addressed to meet privacy risk management goals. Actions to fill the gaps establish the privacy risk management improvement plan and can also be used to budget for necessary resources and funding to meet those goals.

NIST established a page to post example hypothetical and real-life Profiles, but they are at a very early stage and as of this writing, no examples were posted. Organizations should check the page regularly to see new Profiles as they are added and better understand the wide range of possible types of Profiles that can be used.

Tiers

Implementation Tiers support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk. There are four Tiers:

  • Tier 1: Partial: No privacy management actions or rules are formalized, and privacy-related activities are performed in an ad hoc manner.
  • Tier 2: Risk Informed: There is some privacy risk awareness in certain parts of the organization, and some activities have been established, but not in a consistent manner throughout the enterprise.
  • Tier 3: Repeatable: Organizational privacy risk management practices are formally documented and kept updated, and there is an organization-wide approach and consistent actions to support privacy risk management.
  • Tier 4: Adaptive: The formal risk-based privacy management program is updated based on lessons learned, privacy risks are monitored, and decisions involving personal data consider risks to the associated individuals.

Each tier has four elements: Privacy Risk Management Process, Integrated Privacy Risk Management Program, Data Processing Ecosystem Relationships, and Workforce. All can be assessed independently from one another. Full descriptions are found within Appendix E of the Privacy Framework.

It is important to understand that Tiers are not maturity levels. Tiers are used to support organizational decision-making about how to manage privacy risk by considering the nature of the privacy risks created by an organization’s systems, products and services, and the sufficiency of the processes and resources an organization has in place to manage such risks.

Organizations determine the Tiers they set as goals based on their Target Profiles, their current risk management practices, the extent to which privacy risk mitigation activities have been integrated into the enterprise risk management program, and their data processing ecosystem relationships (vendors, contracted entities and other types of third parties).

Tiers can be used to communicate how resources need to be allocated within the target Tiers, and to show the resources necessary for higher Tiers. This supports decision-making about moving up to the next Tier if management determines that doing so is necessary to manage privacy risks and meet applicable data protection legal requirements more effectively.

Future of NIST Privacy Framework

NIST engaged with stakeholders from throughout the world to build the NIST Privacy Framework Version 1.0. NIST considers the Privacy Framework to be a living document and plans to continue updating it over time. It also plans to add more resources throughout the coming months and encourages organizations to monitor its site for new information.
