For many years, the cybersecurity framework developed by the U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) has been relied upon by organizations around the world as a foundational framework document. Given its success in the cybersecurity space, NIST is developing a privacy framework with the goal of assisting organizations to better identify, assess, manage and communicate privacy risks; foster the development of innovative approaches to protecting individuals’ privacy; and increase trust in products and services.
The initiative is driven by a recognition that cutting-edge technologies such as the Internet of Things and artificial intelligence are raising concerns about their impact on individuals’ privacy. A final version of the privacy framework is unlikely to be released in the short term and will be entirely voluntary. Nevertheless, it is likely to become a reference framework for most organizations around the world.
Broadly speaking, the privacy framework recognizes that privacy risks arise from how organizations collect, store, use and share this information to meet their business objectives, as well as how individuals interact with products and services.
To this end, the privacy framework will provide a catalog of privacy outcomes and approaches for organizations to better identify, assess, manage and communicate about privacy risks so that individuals can enjoy the benefits of innovative technologies with greater confidence and trust. Given the global legal privacy landscape, the privacy network will be designed to be compatible with international legal and regulatory regimes so as to ensure widespread adoption.
The privacy framework will also be designed as a complement to NIST’s cybersecurity framework. Specifically, NIST’s cybersecurity framework is geared towards managing privacy risks by protecting individuals’ information, while the privacy framework is focused on privacy risks related to the collection, storage, use and sharing of personal information.
The privacy framework is still at its early stages and no working draft has thus far been released. NIST’s goal is to engage with industry, civil society, academic institutions and other stakeholders so as to ensure that different perspectives are considered and incorporated into the framework.
That said, it will likely incorporate some of the concepts developed by the U.S. Department of Commerce’s National Telecommunications and Information Administration’s (“NTIA”) recently published draft principles for consumer privacy. By way of background, the NTIA is developing a legal and policy approach for the U.S., as it relates to consumer privacy. The principles developed by the NTIA included key privacy outcomes such as:
- Transparency. Users should be able to easily understand how an organization collects, stores, uses and shares their personal information.
- Control. Users should be able to exercise reasonable control over the collection, use, storage, and disclosure of the personal information they provide to organizations.
- Reasonable Minimization. Data collection, storage length, use, and sharing by organizations should be minimized in a manner and to an extent that is reasonable and appropriate to the context and risk of privacy harm.
- Security. Organizations that collect, store, use, or share personal information should employ security safeguards to secure these data.
- Access and Correction. Users should have qualified access to personal data that they have provided, and to rectify, complete, amend, or delete this data.
- Risk Management. Users should expect organizations to take steps to manage and/or mitigate the risk of harmful uses or exposure of personal data.
- Accountability. Organizations should be accountable externally and within their own processes for the use of personal information collected, maintained, and used in their systems.
These privacy outcomes track, in many ways, the key principles outlined in Schedule 1 of the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
While the NIST and NTIA efforts reflect the growing interest in the U.S. in developing nationally uniform principles addressing the privacy of personal information, they also fit into a broader global move towards proactive privacy risk management. For Canadian organizations, it is important to track these global trends (including the recent coming into force of the EU’s General Data Protection Regulation, the California Privacy Act, etc.) and ensure that existing privacy practices are current and flexible for future changes.