Insight Center: Publications

NIST Proposes Privacy Control Roadmap for Organizations

Corporate and Securities Law Alert

Authors: Sharon R. Klein and Odia Kagan


In an age in which safeguarding the privacy of a person’s information is becoming increasingly challenging, the National Institute of Standards and Technology (NIST) encourages organizations to devote time and resources to develop a system of privacy controls that would enable them to mitigate the risks to privacy.

The newest edition of the “Security and Privacy Controls for Federal Information Systems and Organizations” report, also known as NIST Special Publication 800-53, published April 30, 2013,1 contains, for the first time, a detailed appendix dedicated to privacy controls.

Privacy Best Practices Catalog

With the exponential growth in popularity of social media and mobile and cloud computing, privacy concerns are, once again, at the top of the list of concerns of both corporations and individuals. The catalog is intended to address the privacy needs of federal agencies and to serve as a roadmap in identifying and implementing privacy controls concerning the entire life cycle of personally identifiable information (PII). It contains a structured set of privacy controls, based on best practices organizations should strive for, that helps organizations comply with applicable federal laws, executive orders, directives, instructions, regulations, policies, standards, guidance, and organization-specific issuance. The document also establishes a linkage and relationship between privacy and security controls for purposes of enforcing respective privacy and security requirements that may overlap in concept and in implementation within federal information systems, programs, and organizations.


The controls in the privacy appendix are derived from legislation, executive orders, policies, directives, regulations, standards, and/or mission/business needs and actually contain provisions very similar to those set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which are dedicated to safeguarding informational privacy in the health care sector. NIST intends to broaden the applicability of these standards to federal organizations, and as the NIST controls and standards are generally used as a model for entities in the private sector, to the private sector as well.

Privacy Controls Catalog

Below is a short overview of the privacy controls set forth in the NIST report privacy appendix:

  • Ask for Permission, Not Forgiveness – organizations should only collect personally identifiable information (PII) that they are legally authorized to collect
  • Say What You Do
    • establish effective notices (in privacy policies, System of Records Notices (SORNs), etc.) that are publicly available, explaining how PII is collected, used, shared, etc.; the authority for collection; the choices for the individuals whose PII it is; and the ability to access the information
    • in privacy notices (and other privacy compliance documents), clearly describe the purposes for which PII is collected, used, maintained, and shared
  • A Few Good (Wo)men – appoint a senior officer who will be responsible for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations pertaining to privacy. Give this officer sufficient authority and resources to accomplish the mission
  • Brace for Impact – this is twofold: (i) Assess the potential risk to the individual from the collection, storage, use, transmission and disposal of such individual’s PII; and (ii) conduct Privacy Impact Assessments (PIAs) to identify privacy risks and methods to mitigate those risks in information systems, programs, or other activities that pose a privacy risk
  • Ask and Ye Shall Receive – establish privacy roles, responsibilities, and access requirements for contractors and service providers (including those that provide and process information); and include privacy requirements in contracts and other acquisition-related documents
  • Look Within – periodically monitor and audit privacy controls and internal privacy policies
  • Train, Train, Train – develop and administer privacy training for personnel having responsibility for PII
  • Report – develop and disseminate reports to the Office of Management and Budget, Congress, and other oversight bodies, as appropriate, to demonstrate accountability
  • Privacy by Design – design information systems with automated privacy controls that are built into the system
  • Record-keeping – keep an accurate record of disclosure of information
  • Simply the Best – confirm to the best of ability the accuracy, relevance, timeliness, and completeness of the information being collected, as it is collected
  • Integrity – ensure the integrity of PII
  • Minimalism in Collection – collect only the minimum PII elements that are relevant and necessary to accomplish the legally authorized purpose of collection
  • Minimalism in Retention – retain only the minimum PII for the purpose authorized or as legally required; dispose of, destroy, erase, and/or anonymize the PII, regardless of the method of storage, in accordance with data retention requirements
  • Minimalism in Use – minimize the use of PII for testing, training, and research
  • Informed Consent – where possible, acquire consent for the collection, use, storage and sharing of PII, where the individual consenting is aware of the consequences of such decision
  • Access – allow individuals to review PII about them in a timely, simple and inexpensive manner
  • Redress – allow individuals to correct or amend PII maintained by the organization and disseminate the corrected information to other authorized users of the PII
  • Suggestion Box – implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational privacy practices
  • Log It – regularly maintain and update an inventory containing a listing of all programs and information systems identified as collecting, using, maintaining, or sharing PII and share it with the organization’s senior privacy officer
  • What’s Your Emergency? – establish a plan to respond to incidents relating to PII.

Pepper Point: The establishment and refinement of working organization-wide privacy controls is no small feat and requires the dedication of time and resources. Corporations that are not in the health care sector, but that handle personal information, should consider starting to implement such controls, using the NIST catalog as a benchmark, so that they are well positioned when such controls become binding law or the governing industry standard.


1 http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

Sharon R. Klein and Odia Kagan

The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.