NIST drafts framework for privacy risk
From the smart grid to electronic health records to red light cameras, the latest technologies are implicitly or explicitly surfacing citizens’ personal information -- and posing a potential risk to individual privacy in the process.
To better anticipate and address the impact of personal data that’s used and stored in federal information systems, the National Institute of Standards and Technology drafted a document that lays out a framework for privacy risk management.
Privacy Risk Management for Federal Information Systems features system objectives for privacy engineering, as well as an equation and worksheets to help agencies calculate the privacy risk for a given system. This information aims to improve communication about privacy risks and better integrate privacy principles in federal information systems.
The privacy engineering objectives -- predictability, manageability and disassociability (the idea that the system actively protects or “blinds” an individual’s identity from unnecessary exposure) -- will help ensure that information systems support an agency’s privacy goals and management of privacy risk.
To help agencies use the framework and apply the privacy risk model, NIST developed an initial set of worksheets that provides a step-by-step analysis of the likelihood of an “adverse data action” causing problems. The worksheets will help agencies not only assess whether their IT systems are prone to a problematic data action, but also determine the impact of an adverse data event. That information will then help agency managers prioritize privacy decisions based on risk and impact.
Read the full draft document on the NIST website and submit comments to [email protected] using the format provided. Collected input will be used to refine the framework. The public comment period closes July 13, 2015, at 5 p.m. Eastern time.
Editor's note: This article was changed June 4. Comments will not be made public, as previously reported.