[Federal Register Volume 84, Number 174 (Monday, September 9, 2019)]
[Notices]
[Pages 47255-47256]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-19315]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Institute of Standards and Technology


Preliminary Draft of the NIST Privacy Framework

AGENCY: National Institute of Standards and Technology, U.S. Department 
of Commerce.

ACTION: Notice; request for comment.

-----------------------------------------------------------------------

SUMMARY: The National Institute of Standards and Technology (NIST) 
seeks comments on the Preliminary Draft of the NIST Privacy Framework: 
A Tool for Improving Privacy through Enterprise Risk Management 
(``Preliminary Draft''). The Preliminary Draft was developed by NIST 
using information collected through the Request for Information (RFI) 
that was published in the Federal Register on November 14, 2018, and a 
series of open public workshops and webinars. NIST developed the 
Preliminary Draft in collaboration with public and private 
stakeholders. It is intended for voluntary use to help organizations: 
Better identify, assess, manage, and communicate privacy risks when 
designing or deploying systems, products, and services; foster the 
development of innovative approaches to protecting individuals' 
privacy; and increase trust in systems, products, and services. The 
Preliminary Draft is available electronically from the 
NIST website at: https://www.nist.gov/privacy-framework.

DATES: Comments in response to this notice must be received by 5:00 
p.m. Eastern time on October 24, 2019.

ADDRESSES: Written comments may be submitted by mail to Katie 
MacFarland, National Institute of Standards and Technology, 100 Bureau 
Drive, Stop 2000, Gaithersburg, MD 20899. Electronic submissions may be 
sent to [email protected], and may be in any of the following 
formats: HTML, ASCII, Word, RTF, or PDF. Please cite ``NIST Privacy 
Framework: Preliminary Draft Comments'' in all correspondence. An 
optional comment template is available at 
https://www.nist.gov/privacy-framework and is encouraged for both 
written and electronic comments. Relevant comments received by the 
deadline will be posted at https://www.nist.gov/privacy-framework 
without change or redaction, so 
commenters should not include information they do not wish to be posted 
(e.g., personal or confidential business information). Comments that 
contain profanity, vulgarity, threats, or other inappropriate language 
or content will not be posted or considered.
    The Preliminary Draft is available electronically from the NIST 
website at: https://www.nist.gov/privacy-framework.

FOR FURTHER INFORMATION CONTACT: For questions about this notice, 
contact: Naomi Lefkovitz, U.S. Department of Commerce, NIST, MS 2000, 
100 Bureau Drive, Gaithersburg, MD 20899, telephone (301) 975-2924, 
email [email protected]. Please direct media inquiries to 
NIST's Public Affairs Office at (301) 975-NIST.

SUPPLEMENTARY INFORMATION: For more than two decades, the internet and 
associated information technologies have driven unprecedented 
innovation, economic value, and improvement in social services. Many of 
these benefits are fueled by data about individuals that flow through a 
complex ecosystem. As a result of this complexity, individuals may not 
understand the potential consequences for their privacy as they 
interact with systems, products, and services. At the same time, 
organizations may not realize the full extent of these consequences for 
individuals, for society, or for their enterprises, which can affect 
their reputations, their bottom line, and their future prospects for 
growth. In response to these risks, and in order to further 
technological innovation and increase trust in information systems, 
NIST has undertaken development of the voluntary NIST Privacy 
Framework: A Tool for Improving Privacy through Enterprise Risk 
Management.
    The Preliminary Draft, as presented, is intended to provide an 
organizational tool for:
     * Building customer trust by supporting ethical decision-making in 
product and service design or deployment that optimizes beneficial uses 
of data while minimizing adverse consequences for individuals' privacy 
and society as a whole;
     * Helping to fulfill current compliance obligations, as well as 
future-proofing products and services in a changing technological and 
policy environment; and
     * Facilitating communication about privacy practices with 
customers, assessors, and regulators.
    It is designed to enable organizations to manage privacy risks 
through a prioritized, flexible, outcome-based, and cost-effective 
approach that is compatible with existing legal and regulatory regimes 
in order to be most useful to a broad range of organizations and enable 
widespread adoption. It is modeled after the structure of the Framework 
for Improving Critical Infrastructure Cybersecurity to facilitate the 
complementary use of both frameworks.\1\
---------------------------------------------------------------------------

    \1\ National Institute of Standards and Technology (2018) 
Framework for Improving Critical Infrastructure Cybersecurity, 
Version 1.1. (National Institute of Standards and Technology, 
Gaithersburg, MD), https://doi.org/10.6028/NIST.CSWP.04162018.
---------------------------------------------------------------------------

    The Preliminary Draft was developed through a public review and 
comment process that included information collected through a Request 
for Information (RFI), 83 FR 56824 (November 14, 2018), and a series of 
public workshops and webinars. Comments received in response to the RFI 
are available at https://www.nist.gov/privacy-framework/request-information.
    NIST held three open public workshops and four webinars to provide 
the public with additional opportunities to provide input. The first 
workshop was conducted on October 16, 2018, in Austin, Texas. The 
second workshop was conducted on May 13-14, 2019, at the Georgia 
Institute of Technology Scheller College of Business in Atlanta, 
Georgia. The third workshop was conducted on July 8-9, 2019, at the 
Boise State University School of Public Service in Boise, Idaho. The 
four webinars were held on November 29, 2018; March 14, 2019; May 28, 
2019; and June 27, 2019. In addition, NIST provided materials on its 
website to aid in the development process. These materials included an 
outline (February 2019), a discussion draft (April 2019), and 
supplemental materials to the discussion draft (June 2019). These 
materials, as well as workshop agendas, presentation slides, and 
summary reports, and recordings of workshop plenary sessions and 
webinars are available at https://www.nist.gov/privacy-framework.

Request for Comments

    NIST seeks public comments on the Preliminary Draft available 
electronically from the NIST website at: 
https://www.nist.gov/privacy-framework. An optional comment template is 
available at the same 
address and is encouraged for both written and electronic comments. 
Interested parties should submit comments in accordance with the DATES 
and ADDRESSES sections of this notice. Relevant comments received by 
the deadline will be posted at https://www.nist.gov/privacy-framework 
without change or redaction, so commenters should not include 
information they do not wish to be posted (e.g., personal or 
confidential business information). Comments that contain profanity, 
vulgarity, threats, or other inappropriate language or content will not 
be posted or considered.

    Authority: 15 U.S.C. 272(b), (c), & (e); 15 U.S.C. 278g-3.

Kevin A. Kimball,
Chief of Staff.
[FR Doc. 2019-19315 Filed 9-6-19; 8:45 am]