While eyes focus on the privacy legislative debate now underway in the United States, the development of a new Privacy Framework by the influential National Institute for Standards and Technology (“NIST”) is also worthy of attention. On May 13-14, 2019, NIST hosted its second workshop on the recently released discussion draft of its “Privacy Framework: An Enterprise Risk Management Tool” (“Privacy Framework”). The workshop brought together stakeholders to provide feedback on the draft and suggest areas for revision. NIST had previously hosted a workshop in October 2018 to kick off the development of the Privacy Framework and had presented its thinking at other fora such as the Brookings Institution.
Emerging technologies, such as cloud computing and the “smart city,” have the potential to greatly advance our quality of life. The use, retention, and storage of data that go along with them, however, have raised citizen concerns about privacy risks. The National Institute of Standards and Technology addresses these concerns in a new draft report titled Privacy Risk Management for Federal Information Systems, which was released on May 29, 2015. The report introduces NIST’s Privacy Risk Management Framework, which anticipates and addresses privacy risk resulting from the processing of personal information. NIST intends that the framework will lay the foundation for establishing a common vocabulary that facilitates better understanding of (and communication about) privacy risks and how to effectively implement privacy principles. Although the report is directed at federal systems, the principles outlined may be useful for any business that processes personal information. The NIST report focuses on the development of two key pillars of the PRMF: privacy engineering objectives and a Privacy Risk Model.