Monday, 12 April 2010

US - NIST guide to protecting confidentiality of personally identifiable information (PII)

The US standards agency National Institute of Standards and Technology (NIST) on 6 April 2010 issued a practical 59-page Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Special Publication 800-122). It gives guidelines on identifying PII and determining the appropriate level of protection for each instance of PII, suggests safeguards that may offer appropriate levels of protection for PII, and provides recommendations for developing response plans for incidents involving PII.

It includes appendices with worked scenarios, FAQs about PII, a glossary defining common terms, a list of abbreviations, etc.

From the summary:

"To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, 'If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.'"

(The UK Information Commissioner's recent Privacy Dividend paper focused on promoting the business case for implementing data protection best practices rather than providing detailed guidelines or recommendations, but the ICO has a raft of guidance notes on its website.)

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.