In parallel with the NIST Privacy Framework effort, the Commerce Department’s NTIA is working on a set of consumer data privacy principles. On Tuesday, it published a request for comment to get consumer and industry feedback on the principles.
NTIA argued that the adoption of distinct data privacy protections by some US states and foreign governments has created a fragmentary regulatory structure that discourages innovation. By providing a comprehensive risk-based approach to data privacy, the US administration hopes to reduce fragmentation nationally and increase harmonization globally.
To achieve this goal, NTIA has worked to coordinate its efforts with the International Trade Administration (ITA) to ensure consistency with international policy objectives and in parallel with NIST in developing a Privacy Framework as an enterprise risk management tool for private sector organizations.
“The United States has a long history of protecting individual privacy, but our challenges are growing as technology becomes more complex, interconnected, and integrated into our daily lives,” said NTIA Administrator and Assistant Secretary of Commerce for Communications and Information David Redl.
According to an analysis of 2017 Census Bureau data by NTIA, 73 percent of US online households said they had privacy or security concerns about being online. One-third said that privacy concerns stopped them from doing certain online activities.
NTIA is seeking comment on the following data privacy principles:
- Transparency: Organizations should be transparent about how they collect, use, share, and store users’ personal information.
- Control: Users should be able to exercise control over the personal information they provide to organizations.
- Reasonable Minimization: The collection, use, storage and sharing of personal data should be reasonably minimized in a manner proportional to the scope of privacy risks.
- Security: Organizations should employ security safeguards to protect the data that they collect, store, use, or share.
- Access and Correction: Users should be able to reasonably access and correct personal data they have provided.
- Risk Management: Organizations should take steps to manage the risk of disclosure or harmful uses of personal data.
- Accountability: Organizations should be accountable for the use of personal data that has been collected, maintained, or used by their systems.
In addition, NTIA wants feedback on proposed privacy goals for federal action. These include harmonizing the regulatory landscape, providing legal clarity while maintaining innovation flexibility, employing comprehensive application, using a risk- and outcome-based approach, encouraging interoperability, incentivizing privacy research, supporting FTC enforcement efforts, and ensuring scalability.
Public comments are due by the end of Oct. 26 and can be submitted by email to [email protected] or by mail to NTIA, Department of Commerce, 1401 Constitution Avenue NW, Room 4725, Attn: Privacy RFC, Washington, DC 20230.
Earlier this month, NIST launched its Privacy Framework initiative as a complement to the NIST Cybersecurity Framework.
The privacy framework would provide an enterprise-level approach that helps organizations prioritize strategies for flexible and effective privacy protection solutions so that individuals can enjoy the benefits of innovative technologies with greater confidence and trust.
Naomi Lefkovitz, NIST’s senior policy adviser and the project lead for the NIST Privacy Framework, explained the difference between the NTIA/ITA and NIST efforts in this way: “NTIA/ITA is working on a domestic policy approach to privacy, a set of core privacy principles that organizations should use. The NIST Privacy Framework is envisioned as a voluntary tool that will help organizations of all kinds better manage privacy risk to increase trust in their products and services.”
NIST plans to hold a public workshop on the privacy framework in conjunction with the International Association of Privacy Professionals’ Privacy. Security. Risk. 2018 conference being held in Austin, Texas, next month.
The Austin public workshop is the first in a series planned to collect current practices, challenges, and requirements in managing privacy risks in ways that go beyond common cybersecurity practices.