NIST drafts framework for privacy risk

From the smart grid to electronic health records to red light cameras, the latest technologies are implicitly or explicitly surfacing citizens’ personal information -- and posing a potential risk to individual privacy in the process.

To better anticipate and address the impact of personal data that’s used and stored in federal information systems, the National Institute of Standards and Technology drafted a document that lays out a framework for privacy risk management.

Privacy Risk Management for Federal Information Systems features system objectives for privacy engineering, as well as an equation and worksheets to help agencies calculate the privacy risk for a given system. This information aims to improve communication about privacy risks and better integrate privacy principles in federal information systems.

The privacy engineering objectives -- predictability, manageability and disassociability (the idea that the system actively protects or “blinds” an individual’s identity from unnecessary exposure) -- will help ensure that information systems support an agency’s privacy goals and management of privacy risk.

To help  agencies use the framework and  apply the privacy risk model, NIST developed an initial set of  worksheets that provides a step-by-step analysis of the likelihood of an “adverse data action” causing problems. The worksheets will help agencies not only assess whether their IT systems are prone to a problematic data action, but also determine the impact of an adverse data event. That information will then help agency managers prioritize privacy decisions based on risk and impact.

"Risk management methods provide systematic ways to identify and address risk and have proven effective in areas such as cybersecurity, safety and finance," said Naomi Lefkovitz, senior privacy policy advisor at NIST. "We see a great deal of potential for these methods to help agencies design and manage federal information systems that minimize risks to privacy."

Read the full draft document on the NIST website and submit comments to [email protected] using the format provided. Collected input will be used to refine the framework. The public comment closes July 13, 2015, at 5 p.m. Eastern time.

Editor's note: This article was changed June 4. Comments will not be made public, as previously reported.

About the Author

Connect with the GCN staff on Twitter @GCNtech.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.