Developing a Privacy Framework, 56824-56827 [2018-24714]

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket Number 181101997-8997-01]

Developing a Privacy Framework

AGENCY: National Institute of Standards and Technology, U.S. Department of Commerce.

ACTION: Notice; request for information (RFI).

SUMMARY: The National Institute of Standards and Technology (NIST) is developing a framework that can be used to improve organizations' management of privacy risk for individuals arising from the collection, storage, use, and sharing of their information.\1\ The NIST Privacy Framework: An Enterprise Risk Management Tool (``Privacy Framework''), is intended for voluntary use and is envisioned to consist of outcomes and approaches that align policy, business, technological, and legal approaches to improve organizations' management of processes for incorporating privacy protections into products and services. This notice requests information to help identify, understand, refine, and guide development of the Privacy Framework. The Privacy Framework will be developed through a consensus-driven, open, and collaborative process that will include workshops and other opportunities to provide input.
---------------------------------------------------------------------------

    \1\ While NIST requests information about how organizations define privacy risk in topic #3 below, for the purposes of this RFI, NIST references the privacy risk model set forth in NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems at https://csrc.nist.gov/publications/detail/nistir/8062/final, which analyzes the problems that individuals might experience as a result of the processing of their information, and the impact if they were to occur.
---------------------------------------------------------------------------

DATES: Comments in response to this notice must be received by 5:00 p.m. Eastern time on December 31, 2018.

ADDRESSES: Written comments may be submitted by mail to Katie MacFarland, National Institute of Standards and Technology, 100 Bureau Drive, Stop 2000, Gaithersburg, MD 20899. Electronic submissions may be sent to privacyframework@nist.gov, and may be in any of the following formats: HTML, ASCII, Word, RTF, or PDF. Please cite ``Developing a Privacy Framework'' in all correspondence. Comments received by the deadline will be posted at https://www.nist.gov/privacyframework without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information). Comments that contain profanity, vulgarity, threats, or other inappropriate language or content will not be posted or considered.

FOR FURTHER INFORMATION CONTACT: For questions about this RFI contact: Naomi Lefkovitz, U.S. Department of Commerce, NIST, MS 2000, 100 Bureau Drive, Gaithersburg, MD 20899, telephone (301) 975-2924, email privacyframework@nist.gov. Please direct media inquiries to NIST's Public Affairs Office at (301) 975-NIST.

SUPPLEMENTARY INFORMATION:

Genesis for the Privacy Framework's Development

    It is a challenge to design, operate, or use technologies in ways that are mindful of diverse privacy needs in an increasingly connected and complex environment. Current and cutting-edge technologies such as mobile devices, social media, the Internet of Things and artificial intelligence are giving rise to increased concerns about their impacts on individuals' privacy. Inside and outside the U.S., there are multiple visions for how to address these concerns. Accordingly, the U.S. Department of Commerce (DOC) is developing a forward-thinking approach that supports both business innovation and strong privacy protections. As part of this effort, NIST is developing a voluntary Privacy Framework to help organizations: better identify, assess, manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals' privacy; and increase trust in products and services.\2\ The Privacy Framework is intended to be a tool that would assist with enterprise risk management.
---------------------------------------------------------------------------

    \2\ In parallel with this effort, the DOC's National Telecommunications and Information Administration is developing a set of privacy principles in support of a domestic policy approach that advances consumer privacy protections while protecting prosperity and innovation, in coordination with DOC's International Trade Administration to ensure consistency with international policy objectives: https://www.ntia.doc.gov/federal-register-notice/2018/request-comments-developing-administration-s-approach-consumer-privacy.
---------------------------------------------------------------------------

Privacy Framework Development and Attributes

    While good cybersecurity practices help manage privacy risk through the protection of personally identifiable information (PII),\3\ privacy risks also can arise from how organizations collect, store, use, and share PII to meet their mission or business objective, as well as how individuals interact with products and services. NIST seeks to understand whether organizations that design, operate, or use these products and services would be better able to address the full scope of privacy risk with more tools to support better implementation of privacy protections. NIST will develop the Privacy Framework in a manner consistent with its mission to promote U.S. innovation and industrial competitiveness, and is seeking input from all interested stakeholders. NIST intends for the Framework to provide a prioritized, flexible, risk-based, outcome-based, and cost-effective approach that can be compatible with existing legal and regulatory regimes in order to be the most useful to organizations and enable widespread adoption. NIST expects that the Privacy Framework development process will involve several iterations to allow for continuing engagement with interested stakeholders. This will include interactive workshops, along with other forms of outreach. On October 16, 2018, NIST held its first workshop in Austin, Texas to launch the framework development process.\4\ NIST heard from panelists from industry, civil society and academia, as well as audience participants about the needs the Privacy Framework should address and some key desired characteristics. As a consequence, NIST believes that in order to be effective, the Privacy Framework should have the following minimum attributes:
---------------------------------------------------------------------------

    \3\ For the purposes of this RFI, NIST is using the definition from the Office of Management and Budget Circular A-130. PII is defined as ``information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.''
    \4\ https://www.nist.gov/news-events/events/2018/10/kicking-nist-privacy-framework-workshop-1.
---------------------------------------------------------------------------

    1. Consensus-driven and developed and updated through an open, transparent process. All stakeholders should have the opportunity to contribute to the Privacy Framework's development. NIST has a long track record of successfully and collaboratively working with stakeholders to develop guidelines and standards. NIST will model the approach for the Privacy Framework on the successful, open, transparent, and collaborative approach used to develop the Framework for Improving Critical Infrastructure Cybersecurity (``Cybersecurity Framework'').\5\
---------------------------------------------------------------------------

    \5\ https://www.nist.gov/cyberframework/framework.
---------------------------------------------------------------------------

    2. Common and accessible language. The Privacy Framework should be understandable by a broad audience, including senior executives and those who are not privacy professionals. The Privacy Framework can then facilitate communications among various stakeholders by promoting use of this common language.
    3. Adaptable to many different organizations, technologies, lifecycle phases, sectors, and uses. The Privacy Framework should be scalable to organizations of all sizes, public or private, in any sector, and operating within or across domestic borders. It should be platform- and technology-agnostic and customizable.
    4. Risk-based, outcome-based, voluntary, and non-prescriptive. The Privacy Framework should provide a catalog of privacy outcomes and approaches to be used voluntarily, rather than a set of one-size-fits-all requirements, in order to: Foster innovation in products and services; inform education and workforce development; and promote research on and adoption of effective privacy solutions. The Privacy Framework should assist organizations to better manage privacy risks within their diverse environments without prescribing the methods for managing privacy risk.
    5. Readily usable as part of any enterprise's broader risk management strategy and processes. The Privacy Framework should be consistent with, or reinforce, other risk management efforts within the enterprise, recognizing that privacy is one of several major areas of risk that an organization needs to manage.
    6. Compatible with or may be paired with other privacy approaches. The Privacy Framework should take advantage of existing privacy standards, methodologies, and guidance. It should be compatible with and support organizations' ability to operate under applicable domestic and international legal or regulatory regimes.
    7. A living document. The Privacy Framework should be updated as technology and approaches to privacy protection change and as stakeholders learn from implementation.
    Although the goal of the Privacy Framework is to help organizations better identify, assess, manage, and communicate privacy risks, NIST expects there may be aspects of privacy practices that are not sufficiently developed for inclusion in the Privacy Framework. When developing the Cybersecurity Framework, NIST produced a related roadmap that identified focus areas that still needed more research and understanding before they were mature enough for widespread adoption, but that could potentially inform future revisions of the Cybersecurity Framework. With respect to the Privacy Framework, NIST anticipates that a roadmap may be needed for similar reasons. As noted below, NIST solicits comments on the desired attributes of a Privacy Framework, as well as high-priority gaps in organizations' ability to manage privacy risk, as part of this RFI.

Goals of This Request for Information

    Based upon discussions that took place during the October 16, 2018 workshop, this RFI seeks further information about the topics discussed by stakeholders, as elaborated in the sections below. The RFI invites stakeholders to submit ideas, based on their experience as well as their mission and business needs, to assist in prioritizing elements and development of the Privacy Framework. NIST invites industry, civil society groups, academic institutions, Federal agencies, state, local, territorial, tribal, and foreign governments, standard-setting organizations, and other interested stakeholders to respond. The goals of the Privacy Framework development process, generally, and this RFI, specifically, are: (i) To better understand common privacy challenges in the design, operation, and use of products and services that might be addressed through a voluntary Privacy Framework, (ii) to gain a greater awareness about the extent to which organizations are identifying and communicating privacy risk or have incorporated privacy risk management standards, guidelines, and best practices, into their policies and practices; and (iii) to specify high-priority gaps for which privacy guidelines, best practices, and new or revised standards are needed and that could be addressed by the Privacy Framework or a related roadmap.

Details About Responses to This Request for Information

    When addressing the topics below, commenters may address the practices of their organization or a group of organizations with which they are familiar. If desired, commenters may provide information about the type, size, and location of the organization(s). Provision of such information is optional and will not affect NIST's full consideration of the comment. Comments containing references, studies, research, and other empirical data that are not widely published (e.g., available on the internet) should include copies of or electronic links to the referenced materials. Beyond that, responses should not include additional information. Do not include in comments or otherwise submit information deemed to be proprietary, private, or in any way confidential, as all comments relevant to this RFI topic area that are received by the deadline will be made available publicly at https://www.nist.gov/privacyframework.

Request for Information

    The following list of topics covers the major areas about which NIST seeks information. The listed areas are not intended to limit the topics that may be addressed by respondents so long as they address privacy and how a useful Privacy Framework might be developed. Responses may include any topic believed to have implications for the development of the Privacy Framework, regardless of whether the topic is included in this document.

Risk Management

    NIST solicits information about how organizations assess risk; how privacy considerations factor into that risk assessment; the current usage of existing privacy standards, frameworks, models, methodologies, tools, guidelines, and principles; and other risk management practices related to privacy. In addition, NIST is interested in understanding whether particular frameworks, standards, guidelines, and/or best practices are mandated by legal or regulatory requirements and the challenges organizations perceive in meeting such requirements. This will assist in achieving NIST's goal of developing a framework that includes and identifies common practices across contexts and environments and is structured to help organizations achieve positive privacy outcomes. Accordingly, NIST is requesting information related to the following topics:

Organizational Considerations

    1. The greatest challenges in improving organizations' privacy protections for individuals;
    2. The greatest challenges in developing a cross-sector standards-based framework for privacy;
    3. How organizations define and assess risk generally, and privacy risk specifically;
    4. The extent to which privacy risk is incorporated into different organizations' overarching enterprise risk management;
    5. Current policies and procedures for managing privacy risk;
    6. How senior management communicates and oversees policies and procedures for managing privacy risk;
    7. Formal processes within organizations to address privacy risks that suddenly increase in severity;
    8. The minimum set of attributes desired for the Privacy Framework, as described in the Privacy Framework Development and Attributes section of this RFI, and whether any attributes should be added, removed or clarified;
    9. What an outcome-based approach to privacy would look like;
    10. What standards, frameworks, models, methodologies, tools, guidelines and best practices, and principles organizations are aware of or using to identify, assess, manage, and communicate privacy risk at the management, operational, and technical levels, and whether any of them currently meet the minimum attributes described above;
    11. How current regulatory or regulatory reporting requirements (e.g., local, state, national, international) relate to the use of standards, frameworks, models, methodologies, tools, guidelines and best practices, and principles;
    12. Any mandates to use specific standards, frameworks, models, methodologies, tools, guidelines and best practices, and principles or conflicts between requirements and desired practices;
    13. The role(s) national/international standards and organizations that develop national/international standards play or should play in providing confidence mechanisms for privacy standards, frameworks, models, methodologies, tools, guidelines, and principles;
    14. The international implications of a Privacy Framework on global business or in policymaking in other countries; and
    15. How the Privacy Framework could be developed to advance the recruitment, hiring, development, and retention of a knowledgeable and skilled workforce necessary to perform privacy functions within organizations.
    If you provided information about topic 10 above, please identify any supporting examples of standards, frameworks, models, methodologies, tools, guidelines and best practices, and principles.

Structuring the Privacy Framework

    NIST is interested in understanding how to structure the Privacy Framework to achieve the desired set of attributes and improve integration of privacy risk management processes with the organizational processes for developing products and services for better privacy outcomes. NIST is seeking any input from the public regarding options for structuring the Privacy Framework, and is particularly interested in receiving comment on the following issues, if applicable:
    16. Please describe how your organization currently manages privacy risk. For example, do you structure your program around the information life cycle (i.e., the different stages—from collection to disposal—through which PII is processed), around principles such as the fair information practice principles (FIPPs), or by some other construct?
    17. Whether any aspects of the Cybersecurity Framework could be a model for this Privacy Framework, and what is the relationship between the two frameworks.
    18. Please describe your preferred organizational construct for the Privacy Framework. For example, would you like to see a Privacy Framework that is structured around:
    a. The information life cycle;
    b. Principles such as FIPPs;
    c. The NIST privacy engineering objectives of predictability, manageability, and disassociability\6\ or other objectives;
    d. Use cases or design patterns;
    e. A construct similar to the Cybersecurity Framework functions, categories, and subcategories; or
    f. Other organizing constructs?
    Please elaborate on the benefits or challenges of your preferred approach with respect to integration with organizational processes for managing enterprise risk and developing products or services.
---------------------------------------------------------------------------

    \6\ NISTIR 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems at https://csrc.nist.gov/publications/detail/nistir/8062/final.
---------------------------------------------------------------------------

Specific Privacy Practices

    In addition to the approaches above, NIST is interested in identifying core privacy practices that are broadly applicable across sectors and organizations. NIST is interested in information on the degree of adoption of the following practices regarding products and services:
    • De-identification;
    • Enabling users to have a reliable understanding about how information is being collected, stored, used, and shared;
    • Enabling user preferences;
    • Setting default privacy configurations;
    • Use of cryptographic technology to achieve privacy outcomes—for example, the disassociability privacy engineering objective;
    • Data management, including:
    ○ Tracking permissions or other types of data tracking tools,
    ○ Metadata,
    ○ Machine readability,
    ○ Data correction and deletion; and
    • Usable design or requirements.
    19. Whether the practices listed above are widely used by organizations;
    20. Whether, in addition to the practices noted above, there are other practices that should be considered for inclusion in the Privacy Framework;
    21. How the practices listed above or other proposed practices relate to existing international standards and best practices;
    22. Which of these practices you see as being the most critical for protecting individuals' privacy;
    23. Whether some of these practices are inapplicable for particular sectors or environments;
    24. Which of these practices pose the most significant implementation challenge, and whether the challenges vary by technology or other factors such as size or workforce capability of the organization;
    25. Whether these practices are relevant for new technologies like the Internet of Things and artificial intelligence; and
    26. How standards or guidelines are utilized by organizations in implementing these practices.

    Authority: 15 U.S.C. 272(b), (c), & (e); 15 U.S.C. 278g-3.

Kevin A. Kimball,
Chief of Staff.
[FR Doc. 2018-24714 Filed 11-13-18; 8:45 am]
BILLING CODE 3510-13-P


[Federal Register Volume 83, Number 220 (Wednesday, November 14, 2018)]
[Notices]
[Pages 56824-56827]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-24714]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology

[Docket Number 181101997-8997-01]


Developing a Privacy Framework

AGENCY: National Institute of Standards and Technology, U.S. Department 
of Commerce.

ACTION: Notice; request for information (RFI).

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) is 
developing a framework that can be used to improve organizations' 
management of privacy risk for individuals arising from the collection, 
storage, use, and sharing of their information.\1\ The NIST Privacy 
Framework: An Enterprise Risk Management Tool (``Privacy Framework''), 
is intended for voluntary use and is envisioned to consist of outcomes 
and approaches that align policy, business, technological, and legal 
approaches to improve organizations' management of processes for 
incorporating privacy protections into products and services. This 
notice requests information to help identify, understand, refine, and 
guide development of the Privacy Framework. The Privacy Framework will 
be developed through a consensus-driven, open, and collaborative 
process that will include workshops and other opportunities to provide 
input.
---------------------------------------------------------------------------

    \1\ While NIST requests information about how organizations 
define privacy risk in topic #3 below, for the purposes of this RFI, 
NIST references the privacy risk model set forth in NISTIR 8062, An 
Introduction to Privacy Engineering and Risk Management in Federal 
Systems at https://csrc.nist.gov/publications/detail/nistir/8062/final, which analyzes the problems that individuals might experience 
as a result of the processing of their information, and the impact 
if they were to occur.

---------------------------------------------------------------------------

DATES: Comments in response to this notice must be received by 5:00 
p.m. Eastern time on December 31, 2018.

ADDRESSES: Written comments may be submitted by mail to Katie 
MacFarland, National Institute of Standards and Technology, 100 Bureau 
Drive, Stop 2000, Gaithersburg, MD 20899. Electronic submissions may be 
sent to privacyframework@nist.gov, and may be in any of the following 
formats: HTML, ASCII, Word, RTF, or PDF. Please cite ``Developing a 
Privacy Framework'' in all correspondence. Comments received by the 
deadline will be posted at https://www.nist.gov/privacyframework without 
change or redaction, so commenters should not include information they 
do not wish to be posted (e.g., personal or confidential business 
information). Comments that contain profanity, vulgarity, threats, or 
other inappropriate language or content will not be posted or 
considered.

FOR FURTHER INFORMATION CONTACT: For questions about this RFI contact: 
Naomi Lefkovitz, U.S. Department of Commerce, NIST, MS 2000, 100 Bureau 
Drive, Gaithersburg, MD 20899, telephone (301) 975-2924, email 
privacyframework@nist.gov. Please direct media inquiries to NIST's 
Public Affairs Office at (301) 975-NIST.

SUPPLEMENTARY INFORMATION: 

Genesis for the Privacy Framework's Development

    It is a challenge to design, operate, or use technologies in ways 
that are mindful of diverse privacy needs in an increasingly connected 
and complex environment. Current and cutting-edge technologies such as 
mobile devices, social media, the Internet of Things and artificial 
intelligence are giving rise to increased concerns about their impacts 
on individuals' privacy. Inside and outside the U.S., there are 
multiple visions for how to address these concerns. Accordingly, the 
U.S. Department of Commerce (DOC) is developing a forward-thinking 
approach that supports both business innovation and strong privacy 
protections. As part of this effort, NIST is developing a voluntary 
Privacy Framework to help organizations: better identify, assess, 
manage, and communicate privacy risks; foster the development of 
innovative approaches to protecting individuals' privacy; and increase 
trust in products and services.\2\ The Privacy Framework is intended to 
be a tool that would assist with enterprise risk management.
---------------------------------------------------------------------------

    \2\ In parallel with this effort, the DOC's National 
Telecommunications and Information Administration is developing a 
set of privacy principles in support of a domestic policy approach 
that advances consumer privacy protections while protecting 
prosperity and innovation, in coordination with DOC's International 
Trade Administration to ensure consistency with international policy 
objectives: https://www.ntia.doc.gov/federal-register-notice/2018/request-comments-developing-administration-s-approach-consumer-privacy.
---------------------------------------------------------------------------

Privacy Framework Development and Attributes

    While good cybersecurity practices help manage privacy risk through 
the protection of personally identifiable information (PII),\3\ privacy 
risks also can arise from how organizations collect, store, use, and 
share PII to meet their mission or business objective, as well as how 
individuals interact with products and services. NIST seeks to 
understand whether organizations that design, operate, or use these 
products and services would be better able to address the full scope of 
privacy risk with more tools to support better implementation of 
privacy protections.
---------------------------------------------------------------------------

    \3\ For the purposes of this RFI, NIST is using the definition 
from the Office of Management and Budget Circular A-130. PII is 
defined as ``information that can be used to distinguish or trace an 
individual's identity, either alone or when combined with other 
information that is linked or linkable to a specific individual.''
---------------------------------------------------------------------------

    NIST will develop the Privacy Framework in a manner consistent with 
its mission to promote U.S. innovation and industrial competitiveness, 
and is seeking input from all interested stakeholders. NIST intends for 
the Framework to provide a prioritized, flexible, risk-based, outcome-
based, and cost-effective approach that can be compatible with existing 
legal and regulatory regimes in order to be the most useful to 
organizations and enable widespread adoption. NIST expects that the 
Privacy Framework development process will involve several iterations to 
allow for continuing engagement with interested stakeholders. This will 
include interactive workshops, along with other forms of outreach.
    On October 16, 2018, NIST held its first workshop in Austin, Texas 
to launch the framework development process.\4\ NIST heard from 
panelists from industry, civil society and academia, as well as 
audience participants about the needs the Privacy Framework should 
address and some key desired characteristics. As a consequence, NIST 
believes that in order to be effective, the Privacy Framework should 
have the following minimum attributes:
---------------------------------------------------------------------------

    \4\ https://www.nist.gov/news-events/events/2018/10/kicking-nist-privacy-framework-workshop-1.
---------------------------------------------------------------------------

    1. Consensus-driven and developed and updated through an open, 
transparent process. All stakeholders should have the opportunity to 
contribute to the Privacy Framework's development. NIST has a long 
track record of successfully and collaboratively working with 
stakeholders to develop guidelines and standards. NIST will model the 
approach for the Privacy Framework on the successful, open, 
transparent, and collaborative approach used to develop the Framework 
for Improving Critical Infrastructure Cybersecurity (``Cybersecurity 
Framework'').\5\
---------------------------------------------------------------------------

    \5\ https://www.nist.gov/cyberframework/framework.
---------------------------------------------------------------------------

    2. Common and accessible language. The Privacy Framework should be 
understandable by a broad audience, including senior executives and 
those who are not privacy professionals. The Privacy Framework can then 
facilitate communications among various stakeholders by promoting use 
of this common language.
    3. Adaptable to many different organizations, technologies, 
lifecycle phases, sectors, and uses. The Privacy Framework should be 
scalable to organizations of all sizes, public or private, in any 
sector, and operating within or across domestic borders. It should be 
platform- and technology-agnostic and customizable.
    4. Risk-based, outcome-based, voluntary, and non-prescriptive. The 
Privacy Framework should provide a catalog of privacy outcomes and 
approaches to be used voluntarily, rather than a set of one-size-fits-
all requirements, in order to: Foster innovation in products and 
services; inform education and workforce development; and promote 
research on and adoption of effective privacy solutions. The Privacy 
Framework should assist organizations to better manage privacy risks 
within their diverse environments without prescribing the methods for 
managing privacy risk.
    5. Readily usable as part of any enterprise's broader risk 
management strategy and processes. The Privacy Framework should be 
consistent with, or reinforce, other risk management efforts within the 
enterprise, recognizing that privacy is one of several major areas of 
risk that an organization needs to manage.
    6. Compatible with or may be paired with other privacy approaches. 
The Privacy Framework should take advantage of existing privacy 
standards, methodologies, and guidance. It should be compatible with 
and support organizations' ability to operate under applicable domestic 
and international legal or regulatory regimes.
    7. A living document. The Privacy Framework should be updated as 
technology and approaches to privacy protection change and as 
stakeholders learn from implementation.
    Although the goal of the Privacy Framework is to help organizations 
better identify, assess, manage, and communicate privacy risks, NIST 
expects there may be aspects of privacy practices that are not 
sufficiently developed for inclusion in the Privacy Framework. When 
developing the Cybersecurity Framework, NIST produced a related roadmap 
that identified focus areas that still needed more research and 
understanding before they were mature enough for widespread adoption, 
but that could potentially inform future revisions of the Cybersecurity 
Framework. With respect to the Privacy Framework, NIST anticipates that 
a roadmap may be needed for similar reasons.
    As noted below, NIST solicits comments on the desired attributes of 
a Privacy Framework, as well as high-priority gaps in organizations' 
ability to manage privacy risk, as part of this RFI.

Goals of This Request for Information

    Based upon discussions that took place during the October 16, 2018 
workshop, this RFI seeks further information about the topics discussed 
by stakeholders, as elaborated in the sections below. The RFI invites 
stakeholders to submit ideas, based on their experience as well as 
their mission and business needs, to assist in prioritizing elements 
and development of the Privacy Framework. NIST invites industry, civil 
society groups, academic institutions, Federal agencies, state, local, 
territorial, tribal, and foreign governments, standard-setting 
organizations, and other interested stakeholders to respond.
    The goals of the Privacy Framework development process, generally, 
and this RFI, specifically, are:
    (i) To better understand common privacy challenges in the design, 
operation, and use of products and services that might be addressed 
through a voluntary Privacy Framework;
    (ii) to gain a greater awareness about the extent to which 
organizations are identifying and communicating privacy risk or have 
incorporated privacy risk management standards, guidelines, and best 
practices, into their policies and practices; and
    (iii) to specify high-priority gaps for which privacy guidelines, 
best practices, and new or revised standards are needed and that could 
be addressed by the Privacy Framework or a related roadmap.

Details About Responses to This Request for Information

    When addressing the topics below, commenters may address the 
practices of their organization or a group of organizations with which 
they are familiar. If desired, commenters may provide information about 
the type, size, and location of the organization(s). Provision of such 
information is optional and will not affect NIST's full consideration 
of the comment.
    Comments containing references, studies, research, and other 
empirical data that are not widely published (e.g., available on the 
internet) should include copies of or electronic links to the 
referenced materials. Beyond that, responses should not include 
additional information. Do not include in comments or otherwise submit 
information deemed to be proprietary, private, or in any way 
confidential, as all comments relevant to this RFI topic area that are 
received by the deadline will be made available publicly at https://www.nist.gov/privacyframework.

Request for Information

    The following list of topics covers the major areas about which 
NIST seeks information. The listed areas are not intended to limit the 
topics that may be addressed by respondents so long as they address 
privacy and how a useful Privacy Framework might be developed. 
Responses may include any topic believed to have implications for the 
development of the Privacy Framework, regardless of whether the topic 
is included in this document.

Risk Management

    NIST solicits information about how organizations assess risk; how 
privacy considerations factor into that risk assessment; the current usage of 
existing privacy standards, frameworks, models, methodologies, tools, 
guidelines, and principles; and other risk management practices related 
to privacy. In addition, NIST is interested in understanding whether 
particular frameworks, standards, guidelines, and/or best practices are 
mandated by legal or regulatory requirements and the challenges 
organizations perceive in meeting such requirements. This will assist 
in achieving NIST's goal of developing a framework that includes and 
identifies common practices across contexts and environments and is 
structured to help organizations achieve positive privacy outcomes. 
Accordingly, NIST is requesting information related to the following 
topics:

Organizational Considerations

    1. The greatest challenges in improving organizations' privacy 
protections for individuals;
    2. The greatest challenges in developing a cross-sector standards-
based framework for privacy;
    3. How organizations define and assess risk generally, and privacy 
risk specifically;
    4. The extent to which privacy risk is incorporated into different 
organizations' overarching enterprise risk management;
    5. Current policies and procedures for managing privacy risk;
    6. How senior management communicates and oversees policies and 
procedures for managing privacy risk;
    7. Formal processes within organizations to address privacy risks 
that suddenly increase in severity;
    8. The minimum set of attributes desired for the Privacy Framework, 
as described in the Privacy Framework Development and Attributes 
section of this RFI, and whether any attributes should be added, 
removed or clarified;
    9. What an outcome-based approach to privacy would look like;
    10. What standards, frameworks, models, methodologies, tools, 
guidelines and best practices, and principles organizations are aware 
of or using to identify, assess, manage, and communicate privacy risk 
at the management, operational, and technical levels, and whether any 
of them currently meet the minimum attributes described above;
    11. How current regulatory or regulatory reporting requirements 
(e.g., local, state, national, international) relate to the use of 
standards, frameworks, models, methodologies, tools, guidelines and 
best practices, and principles;
    12. Any mandates to use specific standards, frameworks, models, 
methodologies, tools, guidelines and best practices, and principles or 
conflicts between requirements and desired practices;
    13. The role(s) national/international standards and organizations 
that develop national/international standards play or should play in 
providing confidence mechanisms for privacy standards, frameworks, 
models, methodologies, tools, guidelines, and principles;
    14. The international implications of a Privacy Framework on global 
business or in policymaking in other countries; and
    15. How the Privacy Framework could be developed to advance the 
recruitment, hiring, development, and retention of a knowledgeable and 
skilled workforce necessary to perform privacy functions within 
organizations.

Structuring the Privacy Framework

    NIST is interested in understanding how to structure the Privacy 
Framework to achieve the desired set of attributes and improve 
integration of privacy risk management processes with the 
organizational processes for developing products and services for 
better privacy outcomes. NIST is seeking any input from the public 
regarding options for structuring the Privacy Framework, and is 
particularly interested in receiving comment on the following issues, 
if applicable:
    16. Please describe how your organization currently manages privacy 
risk. For example, do you structure your program around the information 
life cycle (i.e., the different stages--from collection to disposal--
through which PII is processed), around principles such as the fair 
information practice principles (FIPPs), or by some other construct?
    17. Whether any aspects of the Cybersecurity Framework could be a 
model for this Privacy Framework, and what is the relationship between 
the two frameworks.
    18. Please describe your preferred organizational construct for the 
Privacy Framework. For example, would you like to see a Privacy 
Framework that is structured around:
    a. The information life cycle;
    b. Principles such as FIPPs;
    c. The NIST privacy engineering objectives of predictability, 
manageability, and disassociability \6\ or other objectives;
---------------------------------------------------------------------------

    \6\ NISTIR 8062, An Introduction to Privacy Engineering and Risk 
Management in Federal Systems at https://csrc.nist.gov/publications/detail/nistir/8062/final.
---------------------------------------------------------------------------

    d. Use cases or design patterns;
    e. A construct similar to the Cybersecurity Framework functions, 
categories, and subcategories; or
    f. Other organizing constructs?
    Please elaborate on the benefits or challenges of your preferred 
approach with respect to integration with organizational processes for 
managing enterprise risk and developing products or services. If you 
provided information about topic 10 above, please identify any 
supporting examples of standards, frameworks, models, methodologies, 
tools, guidelines and best practices, and principles.

Specific Privacy Practices

    In addition to the approaches above, NIST is interested in 
identifying core privacy practices that are broadly applicable across 
sectors and organizations. NIST is interested in information on the 
degree of adoption of the following practices regarding products and 
services:
    • De-identification;
    • Enabling users to have a reliable understanding about how 
information is being collected, stored, used, and shared;
    • Enabling user preferences;
    • Setting default privacy configurations;
    • Use of cryptographic technology to achieve privacy 
outcomes--for example, the disassociability privacy engineering 
objective;
    • Data management, including:
        ○ Tracking permissions or other types of data tracking tools,
        ○ Metadata,
        ○ Machine readability,
        ○ Data correction and deletion; and
    • Usable design or requirements.
    19. Whether the practices listed above are widely used by 
organizations;
    20. Whether, in addition to the practices noted above, there are 
other practices that should be considered for inclusion in the Privacy 
Framework;
    21. How the practices listed above or other proposed practices 
relate to existing international standards and best practices;
    22. Which of these practices you see as being the most critical for 
protecting individuals' privacy;
    23. Whether some of these practices are inapplicable for particular 
sectors or environments;
    24. Which of these practices pose the most significant 
implementation challenge, and whether the challenges vary by technology 
or other factors such as size or workforce capability of the 
organization;
    25. Whether these practices are relevant for new technologies like 
the Internet of Things and artificial intelligence; and
    26. How standards or guidelines are utilized by organizations in 
implementing these practices.

    Authority:  15 U.S.C. 272(b), (c), & (e); 15 U.S.C. 278g-3.

Kevin A. Kimball,
Chief of Staff.
[FR Doc. 2018-24714 Filed 11-13-18; 8:45 am]
 BILLING CODE 3510-13-P