AGENCY:

National Institute of Standards and Technology, U.S. Department of Commerce.

ACTION:

Notice; request for comment.

SUMMARY:

The National Institute of Standards and Technology (NIST) seeks comments on the Preliminary Draft of the NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (“Preliminary Draft”). The Preliminary Draft was developed by NIST using information collected through the Request for Information (RFI) that was published in the Federal Register on November 14, 2018, and a series of open public workshops and webinars. NIST developed the Preliminary Draft in collaboration with public and private stakeholders. It is intended for voluntary use to help organizations: Better identify, assess, manage, and communicate privacy risks when designing or deploying systems, products, and services; foster the development of innovative approaches to protecting individuals' privacy; and increase trust in systems, products, and Start Printed Page 47256services. The Preliminary Draft is available electronically from the NIST website at: https://www.nist.gov/​privacy-framework.

DATES:

Comments in response to this notice must be received by 5:00 p.m. Eastern time on October 24, 2019.

ADDRESSES:

Written comments may be submitted by mail to Katie MacFarland, National Institute of Standards and Technology, 100 Bureau Drive, Stop 2000, Gaithersburg, MD 20899. Electronic submissions may be sent to privacyframework@nist.gov, and may be in any of the following formats: HTML, ASCII, Word, RTF, or PDF. Please cite “NIST Privacy Framework: Preliminary Draft Comments” in all correspondence. An optional comment template is available at https://www.nist.gov/​privacy-framework and is encouraged for both written and electronic comments. Relevant comments received by the deadline will be posted at https://www.nist.gov/​privacy-framework without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information). Comments that contain profanity, vulgarity, threats, or other inappropriate language or content will not be posted or considered.

The Preliminary Draft is available electronically from the NIST website at: https://www.nist.gov/​privacy-framework.

FOR FURTHER INFORMATION CONTACT:

For questions about this notice, contact: Naomi Lefkovitz, U.S. Department of Commerce, NIST, MS 2000, 100 Bureau Drive, Gaithersburg, MD 20899, telephone (301) 975-2924, email privacyframework@nist.gov. Please direct media inquiries to NIST's Public Affairs Office at (301) 975-NIST.

SUPPLEMENTARY INFORMATION:

For more than two decades, the internet and associated information technologies have driven unprecedented innovation, economic value, and improvement in social services. Many of these benefits are fueled by data about individuals that flow through a complex ecosystem. As a result of this complexity, individuals may not understand the potential consequences for their privacy as they interact with systems, products, and services. At the same time, organizations may not realize the full extent of these consequences for individuals, for society, or for their enterprises, which can affect their reputations, their bottom line, and their future prospects for growth. In response to these risks, and in order to further technological innovation and increase trust in information systems, NIST has undertaken development of the voluntary NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.

The Preliminary Draft, as presented, is intended to provide an organizational tool for:

• Building customer trust by supporting ethical decision-making in product and service design or deployment that optimizes beneficial uses of data while minimizing adverse consequences for individuals' privacy and society as a whole;
• Helping to fulfill current compliance obligations, as well as future-proofing products and services in a changing technological and policy environment; and
• Facilitating communication about privacy practices with customers, assessors, and regulators.

It is designed to enable organizations to manage privacy risks through a prioritized, flexible, outcome-based, and cost-effective approach that is compatible with existing legal and regulatory regimes in order to be most useful to a broad range of organizations and enable widespread adoption. It is modeled after the structure of the Framework for Improving Critical Infrastructure Cybersecurity to facilitate the complementary use of both frameworks.^[1]

The Preliminary Draft was developed through a public review and comment process that included information collected through a Request for Information (RFI), 83 FR 56824 (November 14, 2018), and a series of public workshops and webinars. Comments received in response to the RFI are available at https://www.nist.gov/​privacy-framework/​request-information.

NIST held three open public workshops and four webinars to provide the public with additional opportunities to provide input. The first workshop was conducted on October 16, 2018, in Austin, Texas. The second workshop was conducted on May 13-14, 2019 at the Georgia Institute of Technology Scheller College of Business in Atlanta, Georgia. The third workshop was conducted on July 8-9, 2019, at the Boise State University School of Public Service in Boise, Idaho. The four webinars were held on November 29, 2018; March 14, 2019; May 28, 2019; and June 27, 2019. In addition, NIST provided materials on its website to aid in the development process. These materials included an outline (February 2019), a discussion draft (April 2019), and supplemental materials to the discussion draft (June 2019). These materials, as well as workshop agendas, presentation slides, and summary reports, and recordings of workshop plenary sessions and webinars are available at https://www.nist.gov/​privacy-framework.

Request for Comments

NIST seeks public comments on the Preliminary Draft available electronically from the NIST website at: https://www.nist.gov/​privacy-framework. An optional comment template is available at the same address and is encouraged for both written and electronic comments. Interested parties should submit comments in accordance with the DATES and ADDRESSES sections of this notice. Relevant comments received by the deadline will be posted at https://www.nist.gov/​privacy-framework without change or redaction, so commenters should not include information they do not wish to be posted (e.g., personal or confidential business information). Comments that contain profanity vulgarity, threats, or other inappropriate language or content will not be posted or considered.

Authority: 15 U.S.C. 272(b), (c), & (e); 15 U.S.C. 278g-3.

Footnotes