On January 16, 2020, the National Institute of Standards and Technology (NIST) issued its NIST Privacy Framework Version 1.0 (Privacy Framework). The Privacy Framework follows the same type of structure as the NIST Framework for Improving Critical Infrastructure Cybersecurity, which was first issued in February 2014 (NIST Cybersecurity Framework).
Specifically, NIST identifies the Privacy Framework as a flexible tool that entities may use to assess their privacy activities and requirements, and develop an implementation plan. NIST states that the Privacy Framework “is designed to be agnostic to any particular technology, sector, law, or jurisdiction, and to encourage cross-organization collaboration between different parts of an organization’s workforce, including executives, legal, and cybersecurity.”
The Privacy Framework includes three sections – the Core, Profiles, and Implementation Tiers. The Core facilitates consideration of the entity’s various privacy protection activities and outcomes. Profiles identify the entity’s current privacy needs and activities. Implementation Tiers address the decision-making processes and resources needed to manage privacy requirements and risks.
Like the NIST Cybersecurity Framework, the Privacy Framework calls for a risk-based approach to addressing the protection of privacy information. And, as in cybersecurity, achieving privacy protection is likely to require significant thought and care. The devil is in the details and we will need to see how useful the Privacy Framework is.
The Privacy Framework could be viewed as a detailed tool to implement a Privacy by Design framework. In the rush to comply with the General Data Protection Regulation (GDPR), many companies adopted fairly simple Privacy by Design policies. This was a welcome change, as many companies had the practice of considering privacy only at the later stages of development, causing compliance concerns and wasted resources. However, the Privacy Framework represents a new level of Privacy by Design, enabling companies to actively engage in a process for the identification, profiling, and implementation of privacy requirements. While the new California Consumer Privacy Act (CCPA) does not mandate Privacy by Design, the approach is useful in achieving compliance and adopting FTC recommendations. Even a company not subject to the CCPA can benefit from the Privacy Framework, as the inventory and mapping functions in the Core will provide a head start on compliance with new state privacy laws that will undoubtedly arise in the near future.
Indeed, privacy protection is important whether you are a strictly commercial business or engaged in government-funded activities, such as grants, agreements, or formal government contracts. There are a number of ways in which you may be required to address privacy protection matters when accepting government funding or engaging in government activities or contracts. For example, in the federal space, the government is required to comply with the Privacy Act of 1974, 5 U.S.C. § 552a. This Act requires the protection of systems of records and information about individuals. Activities that you engage in, or funding that you receive, may trigger requirements such as these. Federal grant and agreement rules provide for protection of Personally Identifiable Information (PII), which includes “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” Public information (non-PII) may become PII subject to affirmative protection obligations where “additional information, in any medium and from any source” is combined with other information and can be used to identify an individual. 2 C.F.R. § 200.79. In the contracting space, FAR Part 24 governs requirements for privacy protections. Specific requirements may be included in a government grant, agreement, or government contract procurement where the agreement holder, recipient, contractor, or its subcontractors may be afforded access to PII, or where they may develop, deliver, or connect to government systems that handle or have access to data that is PII or could become PII. These federal PII requirements may be tricky to navigate. Compliance concerns may be compounded where other federal or state laws and regulations apply, or where the activities extend beyond United States borders to other countries.
We would note that the NIST Cybersecurity Framework was the initial step in governmental efforts to address emerging cybersecurity threats and risks. As we have noted in our blogs on the topic, the DOD is engaged in establishing a Cybersecurity Maturity Model Certification (CMMC) standard and program to provide for neutral third-party certification of contractors and their supply chains. So too, the Privacy Framework may be an initial shot across the bow to prompt greater efforts to ensure the protection of private information through a flexible and voluntary process. Whether this initial shot will lead to legislation, regulation, and the kind of cybersecurity requirements we are now seeing at DOD remains to be seen. However, there is no question that there is a need to protect privacy data, and that increasing cybersecurity risks point to a need for greater efforts to protect this and other types of data. Indeed, not only federal but also state actions are being undertaken to improve the protection of this data.
NIST advises that the Privacy Framework will evolve over time and that NIST will retain oversight. It seeks comments on the Privacy Framework.
Stay tuned for developments in this space.