On June 2, 2015, the National Institute of Standards and Technology (“NIST”) issued a press release on its recently published draft report, entitled Privacy Risk Management Framework for Federal Information Systems (the “Report”). The Report describes a privacy risk management framework (“PRMF”) for federal information systems designed to promote “a greater understanding of privacy impacts and the capability to address them in federal information systems through risk management.” The draft PRMF includes a Privacy Risk Assessment Methodology (“PRAM”) consisting of several worksheets for assessing the privacy impact of data actions.

Key elements and objectives of the PRMF include:

  • A common vocabulary concerning privacy risks and the implementation of privacy principles.
  • A means for bridging the gap between high-level principles and practical implementation of privacy protections.
  • Three privacy engineering objectives – predictability, manageability and disassociability – that enable effective privacy risk management systems.
  • A methodology that enables agencies to identify and quantify privacy risks.
  • A methodology that “yield[s] repeatable and measurable” results and allows agencies to prioritize and allocate resources to achieve their missions while also minimizing any adverse impacts on individuals and on the agencies themselves.

NIST has requested that comments on the Report be submitted by July 13. The comment form can be found on the NIST website, and completed forms can be submitted to privacyeng@nist.gov. NIST has indicated that its future work in the area of privacy risk management will focus on the controls to mitigate the risks identified in the PRMF.