
Today I had the opportunity to listen in on “A Conversation on the NIST Privacy Framework” hosted by CSIS. The full video has been uploaded to YouTube for your viewing.

Not only do businesses need to be aware of the risks surrounding personal data; as the individuals of concern, we need to be more aware of the conditions under which our personal data is being used, and take the time to ensure that organizations asking for our consent have appropriate risk management processes in place to protect our data from misuse or theft. In Canada, the Privacy Act governs the federal government’s handling of personal information, and PIPEDA governs how Canadian businesses protect personal data. On November 1, 2018, PIPEDA’s new provisions on breach of security safeguards, together with the associated Breach of Security Safeguards Regulations, came into force.

However, most of the applications that hold our personal data are based not in Canada but in the United States (e.g. Facebook, Google Maps, email services, cloud services, etc.). The United States does not currently have a comprehensive federal privacy law covering the protection of that data; its federal requirements are sectoral. The organizations mentioned above may well be performing privacy risk management and protection, but not because a general regulatory requirement compels them to. This leaves us exposed to risk without any guarantee that an organization is using appropriate controls to protect our personal information.

I doubt many of us read the 4,000-word privacy policy before clicking “I consent” in order to use these tools. Without a standard policy set for businesses, we could be consenting to data usage that is not in our best interests. The framework that NIST has released provides a voluntary tool for building these standard process baselines. We should be ensuring that standards such as these are a priority for all businesses.

The NIST Privacy Framework (Version 1.0) was released last month, on January 16, 2020, after an extensive collaborative effort that included stakeholders in the public and private sectors. NIST followed a “transparent, consensus-based process” relying on workshops, formal requests for information from industry, multiple webinars, and hundreds of direct interactions with stakeholders.

In publishing this framework, subtitled “A Tool for Improving Privacy through Enterprise Risk Management”, NIST has provided a valuable tool to help organizations of all sizes understand and weigh privacy risks, design appropriate privacy engineering practices, and ultimately protect our private data.

Dr. Walter Copan, Under Secretary of Commerce for Standards and Technology and NIST Director, introduced the framework, explaining that it was specifically designed to be risk-based, outcome-focused, and flexible, and to align with tools such as the 2014 Cybersecurity Framework, which has been widely adopted.

Jason Matusow, General Manager, Corporate Standards at Microsoft, noted that the framework lends itself well to mappings (called crosswalks) to other frameworks and standards such as ISO 27001.

Chris Calabrese, Vice President for Policy at the Center for Democracy & Technology (CDT), noted that the framework is excellent for guiding future legislation but is not a substitute for a regulatory approach to privacy. He also noted that legislation is being discussed in Washington covering data privacy harms, civil rights, AI and machine learning, etc., and that it will be crucial to protect consumers and build trust.

Naomi Lefkovitz, Senior Privacy Policy Advisor and Lead for the Privacy Framework in the Information Technology Laboratory at NIST, brought up the team’s recent experience in Brussels discussing how the framework maps to specific data protection measures (e.g. data minimization), and noted that the framework is deliberately solution- and technology-agnostic. It is a model that allows consistent conversations about policy.

Michael Cronin, VP Ethics and Policy at IBM, noted that the tool is very timely, since data privacy concerns rank as a top public issue, on a par with climate change. He noted that the framework is built on an accountability philosophy and is risk-based, allowing organizations to build privacy into their designs. IBM will be working to support the NIST mapping skills that the privacy field needs, as well as a taxonomy of privacy terminology. Companies will not last long in the industry without paying critical attention to privacy in order to earn trust and keep customers coming back; he noted that it is in IBM’s DNA, and that this ethical underpinning, in addition to compliance, is what is necessary.

My next endeavour is to take the framework and build a solution baseline for small businesses, one that any organization could use as a first step in performing a risk assessment of its own privacy behaviours and policies. Reach out anytime should you have any questions or concerns.
