The Bank Policy Institute (BPI), through its technology policy division known as ‘BITS’, along with the American Bankers Association (ABA) and the Securities Industry and Financial Markets Association (SIFMA), submitted a comment letter to the US Department of Commerce regarding the National Institute of Standards and Technology’s (NIST) preliminary draft of the Privacy Framework.
The Privacy Framework is a voluntary tool designed to help organizations of all sizes identify and assess privacy risk and implement solutions to better protect consumers.
“Modernization and the digitization of our economy have created numerous benefits for individuals, businesses, and society, but we must ensure all organizations take responsibility for managing and protecting individuals’ information,” the Associations wrote in their letter. “We believe that the NIST Privacy Framework can serve as a valuable tool that organizations may use to build and adapt a privacy program that fits the size, complexity, risk profile, and unique attributes of a particular institution and their sector.”
This is the Associations’ second comment letter on the Privacy Framework. In the most recent draft, NIST incorporated many of the recommendations submitted in the Associations’ January 2019 joint comment letter. In their second letter, the Associations urge NIST to further refine the Privacy Framework in the following four ways:
- Align definitions within the Framework to well-established privacy terms. The current draft includes a glossary of privacy terms but does not include or reference terms widely used by privacy professionals.
- Ensure references to ethical decision-making appropriately recognize the lack of objective standards. The agency should instead adopt the approach taken within the financial sector of the “responsible” use of data.
- Provide a mechanism to help organizations address conflicts of law and demonstrate compliance. Organizations are facing a patchwork of emerging state laws, data localization requirements, data security demands, and individual data rights, which creates inconsistencies and at times conflict, and poses considerable challenges that NIST could help to address.
- Clarify intersections of the Privacy Framework with the NIST Cybersecurity Framework (CSF). Data privacy protections and cybersecurity are interrelated, and stronger cross-references could be established, specifically with regard to breaches.