Privacy is a challenging subject that spans a number of domains, including law, policy and technology. Notwithstanding numerous sets of principles, including the foundational Fair Information Practice Principles (FIPPs), that seek to address the handling of individuals' personal information, many concerns exist about the future of privacy in the face of rapidly evolving technologies. Process-oriented principles (such as FIPPs) are an important component of an overall privacy framework, but on their own they have not achieved consistent and measurable results in privacy protection. In the security field, risk management models, along with technical standards and best practices, are key components of improving security. Similarly, the safety risk management field also has well-developed models, technical standards and best practices. To date, the privacy field has lagged behind in the development of analogous components.
To address this gap, NIST has begun the Privacy Engineering initiative. Privacy Engineering focuses on providing guidance to information system users, owners, developers and designers that handle personal information. Such guidance can be used to decrease risks related to privacy harms, and to make purposeful decisions about resource allocation and effective implementation of controls.
On September 15-16, 2014, NIST held its Second Privacy Engineering Workshop in San Jose, CA. Co-sponsored with the International Association of Privacy Professionals (IAPP), this workshop considered draft privacy engineering definitions and concepts. The results of this workshop will inform the development of the NIST report on privacy engineering.