Implementing the NIST Privacy Framework – Control Function


The National Institute of Standards and Technology (NIST) Privacy Framework is a widely known control set used to assist organizations in identifying privacy risks within their business environment and allocating resources to mitigate these risks. We previously published an article outlining the best ways to leverage the NIST Privacy (NIST-P) Framework to assess data privacy posture, develop readiness roadmaps, and mature organizational privacy programs.

The NIST Privacy Framework consists of 100 controls divided into five core functions. We also published articles on how organizations can best implement the first two core functions of Identify and Govern. This article is the next in a series of articles centered on each of the five core functions. In this article, we outline the third function – Control – and the corresponding privacy management activities to consider in order to align with the NIST Privacy Framework.

NIST defines the Control function as the administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and manage privacy risks. Controls can be selected to achieve both privacy and security objectives. The Control function includes three categories: Data Processing Policies, Procedures, and Procedures; Data Processing Management; and Disassociated Processing. The categories within the Control function include 19 subcategory controls as listed in Table 1 below.

Table 1



Data Processing Policies, Processes, and Procedures (CT.PO-P): Policies, processes, and procedures are maintained and used to manage data processing (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) consistent with the organization’s risk strategy to protect individuals’ privacy.

CT.PO-P1: Policies, processes, and procedures for authorizing data processing (e.g., organizational decisions, individual consent), revoking authorizations, and maintaining authorizations are established and in place.

CT.PO-P2: Policies, processes, and procedures for enabling data review, transfer, sharing or disclosure, alteration, and deletion are established and in place (e.g., to maintain data quality, manage data retention).

CT.PO-P3: Policies, processes, and procedures for enabling individuals’ data processing preferences and requests are established and in place.

CT.PO-P4: A data life cycle to manage data is aligned and implemented with the system development life cycle to manage systems.

Data Processing Management (CT.DM-P): Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization).

CT.DM-P1: Data elements can be accessed for review.

CT.DM-P2: Data elements can be accessed for transmission or disclosure.

CT.DM-P3: Data elements can be accessed for alteration.

CT.DM-P4: Data elements can be accessed for deletion.

CT.DM-P5: Data are destroyed according to policy.

CT.DM-P6: Data are transmitted using standardized formats.

CT.DM-P7: Mechanisms for transmitting processing permissions and related data values with data elements are established and in place.

CT.DM-P8: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy and incorporating the principle of data minimization.

CT.DM-P9: Technical measures implemented to manage data processing are tested and assessed.

CT.DM-P10: Stakeholder privacy preferences are included in algorithmic design objectives and outputs are evaluated against these preferences.

Disassociated Processing (CT.DP-P): Data processing solutions increase disassociability consistent with the organization’s risk strategy to protect individuals’ privacy and enable implementation of privacy principles (e.g., data minimization).

CT.DP-P1: Data are processed to limit observability and linkability (e.g., data actions take place on local devices, privacy-preserving cryptography).

CT.DP-P2: Data are processed to limit the identification of individuals (e.g., de-identification privacy techniques, tokenization).

CT.DP-P3: Data are processed to limit the formulation of inferences about individuals’ behavior or activities (e.g., data processing is decentralized, distributed architectures).

CT.DP-P4: System or device configurations permit selective collection or disclosure of data elements.

CT.DP-P5: Attribute references are substituted for attribute values.


Assessing an Organization’s Privacy Posture for the Control Function

Organizations could consider the following questions to properly assess their current privacy posture relative to the Control function within the NIST Privacy Framework:

  1. What policies, procedures, or controls does your organization have in place that ensure personal information is processed in compliance with data protection laws?
  2. How does your organization manage data throughout an information lifecycle from collection through deletion?
  3. Do your policies incorporate procedures to maintain data quality, data minimization, and manage data retention?
  4. Do you have an existing process or procedure for receiving and managing data subject requests?
  5. Can data elements be accessed for review, correction, deletion, and transmission or disclosure?
  6. What policies and processes are in place to manage data retention and destruction?
  7. What standardized mechanisms are used or in place when transmitting data internally or externally to third parties?
  8. Do you have an existing policy or procedure for managing access logs and audit trails?
  9. Does your organization conduct profiling or automate decision-making?
  10. Do your systems storing personal information separate and/or restrict viewing/modifying data elements to only the elements necessary for conducting the relevant business activity?

Privacy Management Activities to Align with the Control Function

After assessing an organization’s governance maturity level based on the Control function, organizations may consider implementing privacy management activities like those outlined below in order to align and remediate gaps towards privacy maturity.

  1. Create a formal Data Processing Management Policy and Procedure that covers topics including obtaining valid consent, data quality maintenance, and reviewing processes conducted partially or wholly by automated means.
  2. Create a Data Subject Request Policy and Procedure for responding to privacy rights requests, including requests for access, correction, or deletion.
  3. Create or update the organization’s Access Control Policy to cover high-level requirements on how access is managed and who may access data under specific circumstances.
  4. Create and disseminate a Data Sharing Policy for standardized mechanisms for sharing information both internally and externally to third parties.
  5. Create and implement an Audit and Logging Policy to record events and changes across IT devices and activities.
  6. Integrate data privacy into an Information Security Policy.
  7. Create a De-identification Procedure for detecting and deleting personal identifiers throughout business infrastructure and processes.

The privacy management activities in the Control function are critical for organizations to ensure they effectively manage data with sufficient granularity to identify and mitigate privacy risks. An organization should consider assessing and implementing these foundational activities as it progresses toward complying with the NIST Privacy Framework.

1The information provided in this article is for general informational purposes only and does not constitute legal advice.

Written by:


Ankura on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide