Version 1.0 of the National Institute of Standards and Technology (NIST) Privacy Framework was issued on January 16, 2020. The objective of the Privacy Framework is to help institutions of all sizes use personal data, including protected health information (PHI), while properly managing the privacy risks that come with that use.
The Privacy Framework is a tool that helps with privacy risk management as well as in achieving and demonstrating compliance with privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA), New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the California Consumer Privacy Act (CCPA), and the EU’s General Data Protection Regulation (GDPR).
The Privacy Framework can help companies identify the privacy outcomes they want to attain, lay out strategies for enhancing privacy protections and accomplishing those privacy goals, clarify privacy management concepts, and show how it can be used alongside the NIST Cybersecurity Framework. NIST notes that organizations that have adopted the NIST Cybersecurity Framework and have an excellent security posture may still not have addressed all of their privacy problems, because security controls alone do not cover privacy risks that arise from authorized data processing.
Version 1.0 maintains the structure of the September 2019 draft version but features a few updates made in response to public comments. Just as with the draft version, the Privacy Framework comprises three segments:
- Core: a set of privacy activities and outcomes
- Profiles: help organizations determine which of those activities are needed to accomplish their privacy objectives
- Implementation Tiers: guide organizations in allocating resources to address privacy problems
The framework provides building blocks that can help you achieve your privacy goals, such as complying with the laws your organization must adhere to. If you want to increase customer trust by offering more privacy-protective products or services, the framework can help with that as well.
The Privacy Framework not only helps protect sensitive data such as Social Security numbers, but also helps protect lower-value data, including data types that become sensitive when combined with others. New data uses are frequently being identified, such as for artificial intelligence. It is therefore better to use a framework for handling privacy risks than to rely on a fixed checklist of tasks to execute. Adopting the Privacy Framework will enable organizations to create policies, procedures, and strategies to protect data, handle privacy risks properly, and make sure those risks continue to be managed over time.
The framework will help organizations future-proof their products and services with privacy practices that adjust to evolving technologies, policies, and new laws. It additionally addresses some aspects of privacy that are absent from HIPAA but are especially relevant today because of advances in technology.
The framework also serves as a companion roadmap pointing the way toward further research on present privacy challenges. NIST is building a repository of guidance resources to support implementation of the framework.
Download the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management on NIST’s website (PDF).