NIST takes on privacy in economy increasingly focused on monetizing all personal data
The federal agency in January issued what it said is the first version of a privacy framework in the hopes of generating a middle ground between rapacious commercialization and complete, inviolate personal privacy. Public and private stakeholders were invited to create a consensus position on balancing the ultimate costs and benefits of online privacy.
The NIST Privacy Framework has three components.
The first, or core, component is “a set of privacy protection activities and outcomes” that enable people at many levels of an organization to communicate about how to manage privacy risk. Here, the goal is to make sure everyone who touches personal data knows both the overall privacy stance and what each person is obligated to do.
The second part is a profile — a description of an organization’s privacy activities or goals. The institute’s report suggests that profiles be created by reviewing the outcomes and activities identified in the core component in order to see “which are most critical based on business or mission drivers, data processing roles, types of data processing and individuals’ privacy needs.”
An effective profile can be used to find ways to improve the privacy posture as well as to communicate throughout an organization and between organizations (in the supply chain, for example) about how risks are being managed.
The third component is called implementation tiers.
“Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk informed,” according to the agency. They help leaders understand how their organization views privacy risk, and whether its processes and resources are adequate to manage that risk.
An appendix presents a privacy framework from which organizations can select measures in line with their risk strategies. These measures include disassociated processing of data through de-identification techniques or tokens to minimize the identification of individuals.
The report’s authors note that most people online have yet to grasp that, to date, many of the internet’s benefits have been paid for with sales of personal data (often anonymized).
The writers point out as well that people might not understand the consequences of enjoying so much nominally free content and personalized products and services.
Businesses, for their part, “may not realize the full extent of these consequences for individuals, for society, or for their enterprises, which can affect their brands, their bottom lines, and their future prospects for growth,” the report states.