NIST drafts framework for privacy risk

From the smart grid to electronic health records to red light cameras, the latest technologies are implicitly or explicitly surfacing citizens’ personal information -- and posing a potential risk to individual privacy in the process.

To better anticipate and address the impact of personal data that’s used and stored in federal information systems, the National Institute of Standards and Technology drafted a document that lays out a framework for privacy risk management.

Privacy Risk Management for Federal Information Systems features system objectives for privacy engineering, as well as an equation and worksheets to help agencies calculate the privacy risk for a given system. This information aims to improve communication about privacy risks and better integrate privacy principles in federal information systems.

The privacy engineering objectives -- predictability, manageability and disassociability (the idea that the system actively protects or “blinds” an individual’s identity from unnecessary exposure) -- will help ensure that information systems support an agency’s privacy goals and management of privacy risk.

To help  agencies use the framework and  apply the privacy risk model, NIST developed an initial set of  worksheets that provides a step-by-step analysis of the likelihood of an “adverse data action” causing problems. The worksheets will help agencies not only assess whether their IT systems are prone to a problematic data action, but also determine the impact of an adverse data event. That information will then help agency managers prioritize privacy decisions based on risk and impact.

"Risk management methods provide systematic ways to identify and address risk and have proven effective in areas such as cybersecurity, safety and finance," said Naomi Lefkovitz, senior privacy policy advisor at NIST. "We see a great deal of potential for these methods to help agencies design and manage federal information systems that minimize risks to privacy."

Read the full draft document on the NIST website and submit comments to privacyeng@nist.gov using the format provided. Collected input will be used to refine the framework. The public comment closes July 13, 2015, at 5 p.m. Eastern time.

Editor's note: This article was changed June 4. Comments will not be made public, as previously reported.

About the Author

Connect with the GCN staff on Twitter @GCNtech.

inside gcn

  • cloud (Singkham/Shutterstock.com)

    TIC alternative gets FedRAMP approval

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group