Consumers want their privacy, but they’re also willing to sell their digital souls for apps that make their lives easier. And when it comes to sharing information with the government, worries about Big Brother come into play.

Privacy data also has a flip side: For those who collect that data, there’s the risk that it could be compromised. And when that happens, companies and government agencies can be liable for damages.

The National Institute of Standards and Technology (NIST) is developing standards for reducing that risk. Its new Privacy Risk Management for Federal Information Systems, released in draft for review in May, aims to help agencies manage the risk associated with collecting personal information.

The document outlines privacy engineering objectives and a privacy risk model for agencies. The privacy engineering objectives will help engineers and system designers build information systems that implement agencies’ privacy goals and manage and minimize risk. The privacy risk model provides a way for the engineers and designers to calculate risk by looking at what happens when an agency processes personal information.

Here are five things you should know about Privacy Risk Management for Federal Information Systems:

1. What is it?
The 27-page document is intended to define how Federal IT systems affect consumer privacy and to identify how agencies can secure the information systems that gather personal information. Here’s how NIST explained it: “This publication lays the groundwork for greater understanding of privacy impacts and the capability to address them in federal information systems through risk management.”

As John Fontana put it in a piece on ZDNet, “the document introduces a privacy risk management framework (PRMF) for anticipating and addressing risks that result from the processing of personal information in federal information technology systems.”

In other words, once you collect personal information, there’s the risk that it can be hacked or stolen. Agencies need to understand and identify those risks, and when possible, find ways to mitigate risk by not collecting or duplicating data that isn’t absolutely necessary to the task at hand.

2. How Will it Help?
Standards and guidance will define requirements and expectations. NIST understands the growing concern over privacy, and it wants agencies to think about that, too. This effort is an attempt to build off of the best practices in the private sector.

The increasing connectedness of all kinds of products and systems promised by the Internet of Things raises the potential for more systems to gather personally identifiable information.

So how should agencies balance the ability to collect data with the public’s desire to protect the data?

“What I’m really interested in is starting to learn more about technologies that actually try to build privacy-enhancing technologies into them,” Naomi Lefkovitz, NIST senior privacy policy adviser and a co-author of the framework, told Aliya Sternstein at NextGov. “There’s work being done on studying photo and video images that can do anonymization techniques. Those are the things that are really exciting because, I think, often you get this sort of attitude of despair: ‘Oh, we have all these sensors and they are just going to collect all this information and there’s nothing more we can do.’”

3. What’s the purpose of this draft? What does NIST want to find out?
NIST has compiled a number of questions they want people to consider as they review the framework. You can find them on NIST’s website.

One of the intriguing issues surrounds its privacy engineering objectives. These are the goals that designers and engineers should keep in mind when building information systems. There are three – predictability, manageability, and something they call “disassociability.”

“These objectives are designed to enable system designers and engineers to build information systems that implement an agency’s privacy goals and support the management of privacy risk,” the draft says. “A system should exhibit each objective to some degree to be considered a system that could enable privacy protections while achieving its functional purpose.”

It defines the objectives this way:

  • Predictability is the enabling of reliable assumptions by individuals, owners, and operators about personal information and its processing by an information system
  • Manageability is providing the capability for granular administration of personal information including alteration, deletion, and selective disclosure
  • Disassociability is enabling the processing of personal information or events without association to individuals or devices beyond the operational requirements of the system

4. What are people saying about the proposed framework so far?
In speaking about the report at an event hosted by the General Services Administration on May 21, NIST privacy engineer and co-author of the framework Sean Brooks said “cybersecurity has come a long way in the last 10 years, in sort of unifying the type of conversation about risks across organizations. And privacy has really lagged behind.”

Dan Morgan, Chief Data Officer at the Transportation Department, added: “We can build all the beautiful digital services that we want but if people don’t trust them, they’re not going to use them.”

In a blog post, Lefkovitz wrote “we see the release of this draft report as a critical step in the process of how to address privacy concerns in the Identity Ecosystem in a more meaningful and consistent way.”

5. What happens next?
Read the document, then file your comments to before July 13. After NIST digests all the comments, they will produce a final document to be released, though no timeline has been set for the final guidance.
Join the conversation. Post a comment below or email me at

Read More About
More Topics
MeriTalk Staff