NIST Privacy Framework

The NIST Privacy Framework is a voluntary tool created by the National Institute of Standards and Technology, which lays out strategies for private sector organizations to improve their data risk management practices.

The framework's purpose is to help organizations keep their data handling practices secure, private and legally compliant across all organizational levels, and it is intended to be usable by C-level decision-makers without technical backgrounds.

The NIST Privacy Framework, released in January 2020, follows the same structure as the NIST 2014 Cybersecurity Framework to encourage organizations to use them together. Like the Cybersecurity Framework, the Privacy Framework is made up of three main sections: Core, Profiles and Implementation Tiers.

  • The Core is the body of specific privacy protection activities recommended by NIST.
  • Profiles assess existing practices and resources, and compare them with the organization's data privacy
  • Implementation Tiers are a scale to measure the extent to which an organization exhibits characteristics of the framework.

The Privacy Framework is not a one-size-fits-all solution to privacy management. As it is a voluntary tool and not a regulation or law, organizations can choose to adopt or ignore any of its contents. Using the framework to some degree is recommended for all organizations that collect and process customer data -- especially those collecting sensitive data.

The collection and use of customer data are a key part of many beneficial consumer technologies. However, the collection and storage of personal data, especially sensitive data, can pose serious risks to both customers and organizations if not properly secured. NIST therefore drafted the Privacy Framework to help organizations protect both themselves and consumers from the consequences of data mishandling, without discouraging innovation.

Framework structure

The structure of the NIST Privacy Framework can be broken down as follows.

Core. The body of individual privacy protection activities and outcomes. The Core is divided into three elements: functions, categories and subcategories. Functions are the largest unit and are broken down further into categories and subcategories.

  • Functions organize groups of privacy activities by broad purpose. The -P suffix indicates that these are functions of the Privacy Framework Core, not to be confused with the functions of the Cybersecurity Framework Core.
      • Identify-P. Develops the organization's understanding of potential privacy risks in their operations. Includes risk assessments and understanding the customers.
      • Govern-P. Develops an ongoing understanding of an organization's privacy risk priorities. Focuses on privacy policies, legal and regulatory considerations, and risk tolerance.
      • Control-P. Focuses on development and implementation of activities for the management of privacy risks, from the standpoints of both the organization and the individual.
      • Communicate-P. Focuses on continuous education within the organization about proper customer data processing practices and risks.
      • Protect-P. Develops and implements data processing protection measures.
  • Categories are subdivisions of a function into related groups.
  • Subcategories are further subdivisions of categories into specific outcomes of privacy management activities. 
Figure: structure of the Privacy Framework Core (functions, categories and subcategories).

Profiles. A prioritized selection of privacy risk management activities. Profiles use a custom selection of prioritized functions, categories and subcategories from the Core to define a Current Profile of privacy management activities and a Target Profile of privacy management preparedness. Comparing the two lets an organization identify gaps in its privacy management approach, develop a concrete plan to bridge them and identify the resources needed.

Implementation Tiers. A scale used to assess the extent to which an organization exhibits the Privacy Framework's characteristics. Implementation Tiers can be used as benchmarks for progress and to understand the scale of resources and processes required. There are four Implementation Tiers:

  • Partial (Tier 1)
    • Risk management measures are not formalized and are applied only as needed.
    • Limited awareness of privacy risk.
    • Limited understanding of an organization's role in privacy risks.
    • Lacking specific privacy risk management responsibilities in personnel.
  • Risk Informed (Tier 2)
    • Risk management practices are approved by management but may not be established as organization-wide policy.
    • Organizational-level awareness of privacy risk but no formal approach in effect.
    • Understanding of the organization's risks in regard to the products and services it offers and uses, but no consistent action taken.
    • Limited understanding of the organization's role in the data processing ecosystem.
    • Personnel with some privacy responsibilities and regular privacy training in place; however, no consistent processes to monitor for best practices.
  • Repeatable (Tier 3)
    • Privacy risk management practices implemented as formal policy.
    • Organizationwide privacy risk management practices in place.
    • The organization understands its role in the data processing ecosystem and may contribute to the broader community's understanding of risks.
    • The organization is aware of risks resulting from the products and services it offers and uses, and takes formal action to minimize them.
    • Dedicated privacy management personnel on staff.
  • Adaptive (Tier 4)
    • The organization adapts its policies and practices to new and existing privacy risks.
    • Its approach to managing privacy risk is comprehensive and organization-wide.
    • It consistently acts on the privacy risks associated with its products and services.
    • It contributes to the community's understanding of privacy risks.

NIST Privacy Framework vs. NIST Cybersecurity Framework

The NIST Privacy Framework follows the same structure as the 2014 Cybersecurity Framework (Core, Profiles, Tiers) to encourage use of the two frameworks in tandem.

Figure: diagram showing the overlapping Core functions of the Privacy Framework and the Cybersecurity Framework.

Though managing cybersecurity risk contributes to managing an organization's overall information privacy risk, the NIST Cybersecurity Framework by itself is not enough to manage privacy risk effectively, because there are privacy risks unrelated to cybersecurity. NIST defines cybersecurity risks as those associated with cybersecurity incidents arising from loss of confidentiality, integrity or availability. Privacy risks are defined as potential problems individuals could experience arising from the way a system, product or service operates on data.

Cybersecurity-related privacy risks, such as data breaches, are the area of overlap between the two frameworks. According to NIST's website, Protect-P from the Privacy Framework, together with the Cybersecurity Framework's Detect, Respond and Recover functions, are the functions used to manage cybersecurity-related privacy risks.

Use cases

The NIST Privacy Framework is meant to open up dialogue about data privacy across all organizational levels and was drafted particularly with C-level decision-makers without technical backgrounds in mind.

The framework can help organizations:

  • optimize technological innovation and use of data, while minimizing associated risks for organizations;
  • support ethical decision-making in operations that affect privacy management;
  • stay in compliance with certain laws, such as the California Consumer Privacy Act (CCPA) and European Union's (EU) General Data Protection Regulation (GDPR);
  • plan, design and implement products and services that prioritize data privacy;
  • inform buying decisions about products and services related to data privacy; and
  • establish or improve an organization's privacy policies or program.

This was last updated in March 2020
