Today’s blog celebrates Data Privacy Week, an international awareness initiative led by the National Cyber Security Alliance to help spread awareness about online privacy. NIST is very proud to participate again this year in this initiative that was successfully expanded from a single-day event to a weeklong effort.
Can you please explain what the NIST Privacy Framework is and talk a bit about how it’s used?
The NIST Privacy Framework is a voluntary tool that can help organizations better manage privacy risks and increase trust in their products and services. It’s designed to help organizations prioritize and communicate the outcomes and activities necessary for achieving their privacy objectives. In the past two years, we’ve seen a range of organizations using it, from multinational companies using it to organize foundational privacy programs that they can then tailor to meet their compliance obligations in different jurisdictions, to small local government privacy programs using it to build their programs and increase privacy benefits for residents in key areas such as health services, law enforcement, and smart cities initiatives. We’re thrilled that the framework provides so much value to so many different types of organizations.
You are celebrating the two-year anniversary of the Privacy Framework this year – can you tell us some of the major highlights of the past two years?
Definitely one of the highlights was learning from a report put out by the International Association of Privacy Professionals and FairWarning that less than a year after the framework’s release, more than a quarter of the survey respondents were already using it. That told us there was a real demand for this kind of tool. As a public servant, there’s nothing more satisfying than knowing you’re meeting a need. We’re also proud of the number of resources that we’ve been able to make available to support implementation of the framework. Our Learning Center houses a quick start guide for small and medium businesses, educational videos for every level of interest, and access to our repository of community contributions of mappings of the framework to key laws and regulations, among other resources. We’re also happy to announce a new resource category – Success Stories – with our first from Arlington County, Virginia. We welcome more contributions from stakeholders willing to share their successes and lessons learned with the rest of the community! Learn about additional highlights in our two-year anniversary infographic.
Why is Data Privacy Week important to you and your program at NIST?
Data Privacy Week puts the spotlight on the importance of privacy in enabling trust in the technologies that are most impactful on our society. Privacy is essential for safeguarding equity and the civil rights and liberties – key components of this Administration’s platform for upholding our democratic values. We’ve been delighted to use this week to showcase some of the exciting work we’re doing at NIST to support these efforts such as our blog series on how to implement differential privacy and our integration of privacy into our cybersecurity guidance in topical areas such as crossover use of personal mobile devices for work purposes.
What direction do you think is needed for privacy to meet the technology challenges of today and for the future?
While we continue to need policy that is targeted at current societal challenges and encourages effective privacy solutions, as a field, we need to mature the developing discipline of privacy engineering to produce those effective privacy solutions. For example, we don’t even yet have a consistent understanding of the role of a privacy engineer. We also need to increase our capabilities to move from research on privacy-enhancing technologies to widescale adoption and standardization. Only then will we be able to realize the full promise of these technologies to help us attain the benefits of our data-driven society while minimizing privacy risks.
What are some new things that NIST is working on that you’re excited about?
We’ve got lots going on this year! To address those privacy workforce challenges, the 600+ members of our Privacy Workforce Public Working Group will be continuing to create descriptions of tasks, knowledge, and skills aligned with the Privacy Framework. We’re also part of a US-UK partnership to hold bilateral prize challenges to advance privacy-enhancing technologies. And now that we’ve completed our differential privacy blog series, we’ll be using it as a foundation to develop more in-depth guidelines. Look for a first draft sometime this summer! These are just a few of the areas we’ll be working on, but we always welcome feedback on stakeholder priorities at PrivacyEng [at] nist.gov or privacyframework [at] nist.gov.