The National Institute of Standards and Technology publishes security risk management standards and guidance that apply to public entities but have been influential throughout the private sector.  Now, NIST is looking to provide similar guidance on privacy risk management, holding its Second Privacy Engineering Workshop earlier this week to consider draft privacy engineering definitions and concepts. 

NIST has said that its work is “focused on providing guidance to developers and designers of information systems that handle personal information,” with the expectation that such guidance “may be used to decrease risks related to privacy harms, and to make purposeful decisions about resource allocation and the effective implementation of controls.”   According to the IAPP’s Privacy Advisor, this week’s workshop focused on defining terms, including “privacy engineering” and “problematic data actions,” and a theme that emerged was the difficulty in creating a “black-and-white standards framework” for privacy. 

NIST’s security standards focus on the objectives of Confidentiality, Integrity and Availability, and NIST has proposed that its privacy engineering standards similarly build on design objectives, offering the following three:

  • Predictability, or enabling reliable assumptions about the rationale for collecting personal information and the data actions to be taken with personal information.
  • Manageability, or providing the capability for authorized modification of personal information, including alteration, deletion, or selective disclosure of personal information.
  • Confidentiality, or preserving authorized restrictions on information access and disclosure. (NIST has said it would use the same definition that Confidentiality is afforded in NIST Special Publication 800-53 Revision 4.)

The public comment period for the NIST Privacy Engineering Objectives and Risk Model Discussion Draft has been extended until October 10.