On January 4, 2017, the National Institute of Standards and Technology (“NIST”) published the final version of NIST IR 8062 “An Introduction to Privacy Engineering and Risk management in Federal Systems.” The report introduces the concept of applying systems engineering practices to privacy and provides a new model for conducting privacy risk assessments on systems. In the blog post accompanying the release, NIST notes that the report is intended to address the absence of a vocabulary for talking about privacy outcomes and to produce “processes that are repeatable and could lead to measurable results.”
To this end, the report introduces three (3) privacy engineering objectives, which are intended to help system designers, engineers and policy teams to help “bridge the gap between high-level privacy principles and their implementation within systems.” These objectives are defined as follows:
- Predictability. Enabling reliable assumptions by individuals, owners, and operators about PII and its processing by an information system.
- Manageability. Providing the capability for granular administration of Personally Identifiable Information (“PII”) including alteration, deletion, and selective disclosure.
- Disassociability. Enabling the processing of PII or events without association to individuals or devices beyond the operational requirements of the system.
These privacy engineering objectives can provide an organized, outcome-oriented approach to translating a general set of principles into system requirements, enabling system designers, engineers and policy teams to focus on the system capabilities needed to demonstrate privacy compliance. In doing so, the objectives enable organizations to better assess privacy-protecting attributes of certain system capabilities.
As an example, NIST cited its report on “Privacy-Enhanced Identity Brokers,” which include online intermediaries, such as Google, that enable users to log onto several websites or applications using one set of credentials. To meet the “disassociability” objective, an identity broker might implement capabilities that demonstrate its ability to transmit user information to a site or application without accessing the information itself. To meet the “predictability” objective, an identity broker might implement capabilities enabling user assumptions that the broker cannot access the user’s identity attributes.
In addition, NIST IR 8053 also introduces a privacy risk framework. The risk model examines the likelihood and impact of a “problematic data action,” which it defines as a data action (such as the processing or sharing of information) that “causes an adverse effect or problem for individuals.” A “problematic data action” might include the sharing of sensitive personal information with a third party contrary to the user’s expectations. By modeling privacy risk in their organization, agencies can better allocate resources to implement the privacy engineering objectives.
NIST notes that the report is introductory and that future development of comprehensive guidance will be conducted through collaborative and open processes.