NIST Privacy Framework


The NIST Privacy Framework is a privacy framework published by NIST. Its structure is aligned with that of the NIST Cybersecurity Framework to assist any Organizational Entity that wants to use both frameworks together.

Good cybersecurity practices alone are not sufficient to address the full scope of privacy risks that can arise from how organizations collect, store, use, and disclose data (collectively “data processing”) to meet their mission or business objectives, as well as from how individuals interact with products, services, or systems.

The NIST Privacy Framework is subtitled "A Tool for Improving Privacy through Enterprise Risk Management" and further states that the Privacy Framework can drive better privacy engineering and help organizations protect individuals' privacy by:

  • Building customer trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals’ privacy and society as a whole;
  • Fulfilling current compliance obligations, as well as future-proofing products and services to meet these obligations in a changing technological and policy environment;
  • Facilitating communication about privacy practices with customers, assessors, and regulators.

NIST Privacy Framework Core#

The NIST Privacy Framework Core provides a set of activities to achieve specific privacy outcomes, together with reference examples of guidance for achieving those outcomes. The Core is not a checklist of actions to perform; it presents key privacy outcomes identified by stakeholders as helpful in managing privacy risk.

Each function is divided into categories, which are closely tied to programmatic needs, and further into subcategories, which support specific outcomes for an organization's technical or management activities. Informative references give organizations guidance on achieving those outcomes.

The functions are:

  • Identify - Develop the organizational understanding to manage privacy risk for individuals arising from data processing or their interactions with products, services, or systems.
  • Protect - Develop and implement appropriate data safeguards.
  • Control - Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to meet privacy objectives.
  • Inform - Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding about how data is processed.
  • Respond - Develop and implement appropriate activities to take action regarding a privacy breach.
