by Nancy Peaslee

Information Privacy Defined

Information privacy is “the right to have some control over how your personal information is collected and used,” according to the International Association of Privacy Professionals (IAPP), the largest global information privacy community.

In today’s world of immense access to information, it is even more critical to protect privacy and personal data given the natural tendency of technology to continuously collect and aggregate more personal data through a variety of methods, including:

  • Organizational portals
  • Financial data processing
  • Emails
  • Social media
  • Online and retail purchases
  • Storage of medical data
  • Wearable tech
  • Internet of things (IoT)

NIST Privacy Framework

The National Institute of Standards and Technology (NIST) defines privacy controls in the context of a Privacy Officer, or another assigned individual, who incorporates privacy protections and practices within the organization. This role is important for ensuring the security of the data, along with an organized structure for the maintenance, sharing, and disposition of personally identifiable information (PII).

Privacy controls provide the structure for the policies, procedures, and methodologies used to identify and manage PII, covering both the governance of that data and how it is processed.

NIST developed the NIST Privacy Framework to help organizations identify and manage privacy risk, with the goal of establishing privacy standards for individuals and enterprises. It helps organizations improve privacy through enterprise risk management and future-proof their products while protecting individual privacy. The framework helps organizations improve individual privacy in order to:

  • Make ethical decisions in the collection and use of PII that minimize privacy exposure
  • Meet current and future corporate obligations, legal requirements, and government regulations concerning PII
  • Facilitate privacy discussions among individuals, organizations, and regulatory entities to build trust

Personally identifiable information (PII) has a comprehensive life cycle, and it is critical to understand how privacy information will be managed at each stage. The NIST Privacy Control Groups follow a hierarchical structure similar to that of the NIST Risk Management Framework. The five functions are defined as:

  • Identify – Capture the organization’s understanding of how to manage privacy risk at a high level
  • Govern – Track the effectiveness of the governance structure relative to the organization’s risk management priorities, as informed by privacy risk
  • Control – Measure compliance through the activities the organization uses to manage data and privacy risks
  • Communicate – Enable the organization to understand, and engage in a dialogue with individuals about, how privacy data is processed and the associated risks
  • Protect – Develop and implement data processing safeguards to protect against cybersecurity risks

Why is this a critical tool for your organization?

Using the NIST framework allows an organization to identify potential risks of exposing private data and to determine how to reduce or mitigate those risks. It drives best practices in privacy management and in the protection of PII.

Contact us today to learn how Graham Technologies can help you implement the NIST privacy framework in your organization.
Graham provides privacy support in the development of Privacy Impact Assessments (PIA), System of Records Notices (SORNs), privacy policy development, Machine-Readable Privacy Policy (MRPP) compliance tracking, and preparing, posting, and facilitating privacy education and awareness content.