NIST's Privacy Risk Management Framework Released in Draft Report
On May 29, 2015, the National Institute of Standards and Technology ("NIST") released Privacy Risk Management for Federal Information Systems (NISTIR 8062) as a draft report, introducing its newly developed Privacy Risk Management Framework ("Privacy Framework"). The stated purpose of the Privacy Framework is to anticipate and address the privacy risks inherent to the processing of personal information in federal systems. With the creation of the Privacy Framework, NIST hopes to establish a common vocabulary that will aid understanding of and communication about privacy risks and principles. To this end, the Privacy Framework focuses on three privacy engineering objectives and a privacy risk model.
Privacy Engineering Objectives
The Privacy Framework sets forth three privacy engineering objectives—predictability, manageability, and disassociabiltiy—to provide guidance to engineers and system designers as they move from high-level principles to implementation of data collection systems. The objectives are meant to manage privacy risks by promoting consistent, actionable and measurable design decisions.
Predictability focuses on designing data collection systems that handle personal information in a manner in which stakeholders expect. Predictable designs allow for individuals, owners, and operators to make reliable assumptions about how a system processes personal information. Once established, these reliable assumptions contribute to increased transparency, trust, and self-determination.
Manageability focuses on ensuring that an information system is capable of granular administration of personal data, particularly alteration, deletion, and selective disclosure of discrete units of data. Systems with such granular capabilities can correct inaccurate information, delete obsolete data, and retain necessary data. As a result, manageability preserves the quality and integrity of data systems.
Disassociability focuses on enabling a data system to process personal information or events without association to individuals or devices beyond the system's operational requirements. This decoupling "blinds" an individual's identity or activities from undue exposure, thus actively protecting that individual from privacy risk.
From the language of the report, it is clear that NIST hopes these three objectives will provide guidance for engineers and system designers as they seek to build data systems that achieve agency business goals while effectively managing personal data risk.
The Privacy Risk Model
The Privacy Framework sets forth a privacy risk model that enables agencies to calculate the amount of risk posed by their collection systems. Notably, the Privacy Framework's privacy risk model distinguishes security risk, wherein a damaging external event creates the risk, from privacy risk, which arises from the normal operations of the data system itself. By accounting for this distinction, the privacy risk model helps organizations hone in on the specific types of risk that are most threatening to their particular systems.
The privacy risk model is based upon a quantitative risk analysis that defines "privacy risk" as a function of the likelihood that a data action (a system operation processing personal information) causes problems for individuals, and the impact of the problematic data action should it occur. In simple terms, privacy risk can be expressed as:
|Privacy Risk||=||Likelihood of a problematic data action||X||the impact of that problematic data action should it occur|
The report encourages agencies to evaluate both likelihood and impact, as both factors are necessary to guide control prioritization and resource allocation. The report gives detailed instructions to agencies regarding how to calculate likelihood and impact for each data action used by the agency.
To help agencies apply the privacy risk model, NIST has developed a set of worksheets collectively called the Privacy Risk Assessment Methodology ("PRAM"). The Privacy Framework describes the variables that the PRAM accounts for in calculating risk and gives examples to aid agencies in applying PRAM to their own systems. The privacy risk model aims to provide a repeatable and measurable metric for evaluating privacy risk in federal information systems.
Big data, cloud computing, and embedded sensors are creating valuable opportunities and bringing dramatic changes to how we use information technology. While these technologies strengthen our country's national and economic security and improve our quality of life, they also pose risks to individuals' privacy. While still in development, the creation of the Privacy Framework signals a recognition by the government that safeguarding individual privacy deserves attention in addition to the need to safeguard security. For companies developing technology for and providing services to the federal government, there will need to be additional consideration given to the engineering objectives and the privacy risk model. In facilitating a greater understanding of risk management, the Privacy Framework may also influence the way in which regulatory authorities consider the privacy posture of companies operating outside of the federal information processing networks. Privacy standards take a variety of different approaches and must always be viewed in the context of the plain meaning, purpose, and circumstance in which they are applied.
NIST invites the public to comment on its draft report through July 13, 2015.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
Michael G. Morgan
Gregory P. Silberman
Todd S. McClelland
Daniel J. McLoon
Mauricio F. Paez
Jane Reilley, a summer associate in the Silicon Valley Office, assisted in the preparation of this Alert.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.