NIST Issues Privacy Guidance

Safeguarding Personally Identifiable Information Aim of New Publication

Guidance on how organizations should protect the confidentiality of personally identifiable information has been issued by the National Institute of Standards and Technology.
According to NIST, Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information provides practical, context-based guidelines for identifying PII and determining what level of protection is appropriate for each instance of PII.
The guidance defines PII confidentiality impact levels - low, moderate or high - which indicate the potential harm that could result to individuals and/or the organization if PII were inappropriately accessed, used or disclosed.
The document also suggests safeguards that may offer appropriate levels of protection for PII and provides recommendations for developing response plans for incidents involving PII.
To effectively protect PII, NIST says organizations should:
- Identify all PII residing in their environment.
- Minimize the use, collection and retention of PII to what is strictly necessary to accomplish their business purpose and mission.
- Categorize their PII by the PII confidentiality impact level.
- Apply the appropriate safeguards for PII based on the PII confidentiality impact level.
- Develop an incident response plan to handle breaches involving PII.
- Encourage close coordination among their chief privacy officers, senior agency officials for privacy, chief information officers, chief information security officers and legal counsel when addressing issues related to PII.
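The first four steps in the list above (identify PII, minimize it, categorize it by confidentiality impact level, apply safeguards accordingly) can be turned into a small inventory routine. The following Python is an added example, not code from NIST or from the publication this article describes: the detection patterns, the mapping from PII type to low/moderate/high impact level, and the sample records are all assumptions chosen for illustration. SP 800-122 derives impact levels from several factors that the article does not enumerate, so the mapping here is a placeholder for an organization's own categorization decisions, not the guide's rules.

```python
"""PII discovery, impact-level tagging and minimization over constructed records.

Added example; not part of NIST SP 800-122 or the article summarizing it.
The patterns, the type-to-impact mapping and the sample records are assumptions.
"""
import re
from collections import Counter

# Assumed mapping of PII type -> confidentiality impact level.
# Illustrative only; SP 800-122 bases the level on context, not on type alone.
IMPACT_LEVEL = {
    "ssn": "high",
    "credit_card": "high",
    "email": "moderate",
    "phone": "moderate",
    "zip": "low",
}
RANK = {"low": 0, "moderate": 1, "high": 2}

# Assumed detection patterns. Production scanners need format-specific
# validation (e.g. a Luhn check for card numbers) and context to cut false positives.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Constructed sample records (help-desk style free text), not real data.
SAMPLE_RECORDS = [
    "ticket 1: user jane.doe@example.com called from 555-123-4567 about invoice",
    "ticket 2: applicant SSN 123-45-6789, mailing zip 20899",
    "ticket 3: payment card 4111 1111 1111 1111 declined",
    "ticket 4: server reboot scheduled, no customer data",
]


def scan_record(text):
    """Identify PII in one record and return (findings, minimized_text).

    findings: list of (pii_type, impact_level, matched_value), in detection order.
    minimized_text: the record with each PII value replaced by a typed token,
    i.e. the retained copy keeps only that PII of a given type was present.
    Higher-impact patterns run first and are redacted before lower ones, so a
    bare card number is not also partially reported as a zip code.
    """
    order = sorted(PATTERNS, key=lambda t: RANK[IMPACT_LEVEL[t]], reverse=True)
    findings = []
    for pii_type in order:
        def _redact(match, pii_type=pii_type):
            findings.append((pii_type, IMPACT_LEVEL[pii_type], match.group(0)))
            return f"[{pii_type.upper()}]"
        text = PATTERNS[pii_type].sub(_redact, text)
    return findings, text


def record_impact(findings):
    """Categorize a record: the highest impact level among its findings, or None."""
    if not findings:
        return None
    return max((level for _, level, _ in findings), key=RANK.__getitem__)


def inventory(records):
    """Summarize PII across records: counts per type, records per impact level,
    and the minimized copies that would be retained instead of the originals."""
    by_type = Counter()
    by_level = Counter()
    minimized = []
    for record in records:
        findings, clean = scan_record(record)
        for pii_type, _, _ in findings:
            by_type[pii_type] += 1
        level = record_impact(findings)
        if level is not None:
            by_level[level] += 1
        minimized.append(clean)
    return by_type, by_level, minimized


if __name__ == "__main__":
    by_type, by_level, minimized = inventory(SAMPLE_RECORDS)
    print("PII found per type:", dict(by_type))
    print("records per impact level:", dict(by_level))
    for line in minimized:
        print("retained:", line)
```

The per-level counts are what drive the "apply the appropriate safeguards" step: records tagged high would be routed to stricter storage and access controls than those tagged low, and the minimized copies show what a retention policy can keep once the raw values are no longer needed.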