Earlier this month, the National Institute of Standards and Technology (NIST) issued a Preliminary Draft of the Privacy Framework, which aligns with the NIST Cybersecurity Framework and is intended to help organizations better access and manage privacy risks during product and system design and development. Like the Cybersecurity Framework, the Privacy Framework is a voluntary tool that agencies and organizations can use to drive better privacy engineering and help organizations better protect individuals’ privacy. In this post, we discuss the key components of the Privacy Framework and provide some thoughts and recommendations on how organizations might incorporate its principles into their operations.
The Privacy Framework follows the structure of the Cybersecurity Framework and is structured into the following five “Core” functions:
- Identify – Develop the organizational understanding to manage privacy risk for individuals arising from data processing;
- Govern – Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk;
- Control – Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks;
- Communicate – Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding about how data are processed and associated privacy risks; and
- Protect – Develop and implement appropriate data processing safeguards.
Like the Cybersecurity Framework, each Core function in the Privacy Framework includes various categories and subcategories. A table outlining the Core functions and corresponding categories is included below:
The Privacy Framework provides recommendations for implementation that depend upon the policies, procedures and practices that the organization has in place, including providing a process for using it as a foundation for establishing a new privacy program or one by which organizations can augment existing programs.
Specifically, the Privacy Framework recommends that organizations review the Core functions, categories and subcategories and then develop “Profiles” identifying their current and desired state with respect to each of the Cores. From there, organizations should identify the “Tier” that represents the nature of the privacy risks engendered by the organization’s systems, products or services and the sufficiency of the processes and resources the organization has in place to manage such risks. The Privacy Framework identifies four distinct tiers: Partial (Tier 1), Risk Informed (Tier 2), Repeatable (Tier 3) and Adaptive (Tier 4), and instructs that, when assigning Tiers, an organization should assess its:
- Current risk management practices;
- Data processing systems, products or services;
- Legal and regulatory requirements;
- Business/mission objectives;
- Organizational privacy values and individuals’ privacy needs; and
- Organizational constraints.
These Tiers provide not only a mechanism for assessing the organization’s current status, but also a framework for productive discussions with stakeholders about whether sufficient resources and processes exist to achieve the target profile by helping to identify and address gaps to help manage privacy risks.
Our take
The Privacy Framework is intended to be used by organizations to both manage privacy risks associated with data processing as well as those relating to privacy breaches. From a legal perspective, the Privacy Framework can be seen as a double-edged sword for organizations. On the one hand, the Privacy Framework provides organizations with a more formalized process for identifying, considering and managing risks. On the other hand, even though the Privacy Framework purports to be voluntary and states that the Core functions, categories and subcategories are not linear and not all organizations will necessarily address each item listed, regulators and plaintiffs lawyers may attempt to argue that the Privacy Framework represents an “industry standard” and creates a duty and a minimum threshold standard of care for negligence claims
At this point, given its young age and no indications of wide-spread adoption, it does not appear that the Privacy Framework would set any legal standard for privacy compliance. However, organizations should consider using the Privacy Framework as it could be helpful when building out their privacy programs (and perhaps mapping the Privacy Framework against their other compliance efforts and policies). If it is practical, by assessing and contemporaneously documenting privacy-related decisions and the processes against the Privacy Framework, organizations will be in a better position to assert that their selected approach is reasonable and defensible if challenged later by a regulatory agency or private litigant.