Organizations Counsel New President on Privacy Issues

NIST's Guide to Protecting the Confidentiality of Personally Identifiable Information called for organizations to identify all personally identifiable information (PII) in their environment and to categorize it according to its impact level. They should then apply appropriate safeguards, including identifying PII, training staff properly, implementing access control lists, and enforcing confidentiality during data transmission (generally using encryption). Event auditing to pinpoint unauthorized access was also recommended.
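The guide's sequence (inventory PII, assign an impact level, enforce access control, audit for unauthorized access, and prune what is no longer needed) can be exercised end to end on a small scale. The following is an added example written for this article, not code from NIST or the guide: the data sets, roles, the key=value audit-log format and the log lines themselves are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Confidentiality impact levels, lowest to highest.
IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}

# Constructed PII inventory (hypothetical data sets, not from the article):
# data set -> (PII elements it holds, assigned confidentiality impact level).
INVENTORY = {
    "newsletter": ({"email"}, "low"),
    "support_tickets": ({"name", "email", "phone"}, "moderate"),
    "payroll": ({"name", "ssn", "bank_account"}, "high"),
}

# Constructed access control list: data set -> roles allowed to access it.
ACL = {
    "newsletter": {"marketing", "hr-analyst"},
    "support_tickets": {"support", "hr-analyst"},
    "payroll": {"hr-analyst"},
}

# Constructed statement of which elements each data set's business purpose needs.
NEEDED = {
    "newsletter": {"email"},
    "support_tickets": {"name", "email"},
    "payroll": {"name", "ssn", "bank_account"},
}

# Constructed audit log in a hypothetical key=value format.
SAMPLE_LOG = [
    "2009-01-20T09:00:00Z user=alice role=hr-analyst dataset=payroll action=read",
    "2009-01-20T09:05:00Z user=dave role=contractor dataset=support_tickets action=export",
    "2009-01-20T09:07:00Z user=carol role=support dataset=support_tickets action=read",
    "2009-01-20T09:09:00Z user=bob role=marketing dataset=payroll action=read",
    "2009-01-20T09:10:00Z this line is malformed and must be skipped",
]

LOG_RE = re.compile(
    r"^(?P<timestamp>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"dataset=(?P<dataset>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Access:
    timestamp: str
    user: str
    role: str
    dataset: str
    action: str


def parse_log_line(line):
    """Return an Access for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return Access(**m.groupdict()) if m else None


def impact_of(dataset):
    """Impact level from the inventory; data sets not inventoried are treated as high."""
    return INVENTORY[dataset][1] if dataset in INVENTORY else "high"


def is_authorized(access):
    """Authorized only if the data set is listed and the role is on its ACL."""
    return access.role in ACL.get(access.dataset, set())


def find_unauthorized(lines):
    """Audit review: every parsed access the ACL does not permit, in log order."""
    accesses = (parse_log_line(line) for line in lines)
    return [a for a in accesses if a is not None and not is_authorized(a)]


def prioritize(accesses):
    """Order findings by the impact level of the data set touched, highest first."""
    return sorted(accesses, key=lambda a: IMPACT_RANK[impact_of(a.dataset)], reverse=True)


def retention_review(inventory, needed):
    """Minimization: PII elements each data set holds beyond what its purpose needs."""
    excess = {}
    for dataset, (elements, _) in inventory.items():
        surplus = elements - needed.get(dataset, set())
        if surplus:
            excess[dataset] = surplus
    return excess


if __name__ == "__main__":
    for a in prioritize(find_unauthorized(SAMPLE_LOG)):
        print(f"{a.timestamp} {a.user} ({a.role}) {a.action} {a.dataset} "
              f"[{impact_of(a.dataset)} impact]")
    print("excess PII to review for disposal:", retention_review(INVENTORY, NEEDED))
```

Two design points carry over to real environments: the audit review is keyed off the same ACL that enforces access, so a finding means the control itself was bypassed or misconfigured rather than merely that the log looks odd; and an access to a data set missing from the inventory is ranked as high impact, because an uninventoried store is exactly the case the guide's first step is meant to eliminate.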

"Organizations should minimize the collection and retention of PII to what is strictly necessary to accomplish their business purpose and mission," the draft report added, recommending that they review existing information to see what is still relevant and what can be discarded. "For example, organizations could have an annual PII purging awareness day," it said.

Also on the list of recommendations was an incident response plan to handle breaches of PII, and coordination among privacy officers, chief information officers, and legal counsel over PII issues.

The FPF requirements, directly targeted at the incoming Administration, call for a chief privacy officer to help provide fair information practices across both the public and the private spheres. It also hopes to see best practice guidelines for the use of interactive tools by the Government and its private sector partners. In particular, it called on the Office of Management and Budget and the E-government administrator to govern the use of cookies and social media tools. They should obscure IP addresses as soon as possible, and make users' privacy options more transparent, said the FPF.

A standard definition of personal information should be created, it said, arguing that the interpretations are currently too broad and not standardized. "NIST should work with the FTC and the proposed chief privacy officer to establish standards and levels of anonymity and identifiability," the FPF said in a statement.

The FTC should also be given more research and criminal law enforcement support as it grapples with privacy issues in the 21st century, the Forum warned, advocating centers of excellence to help identify and research aspects of consumer privacy.

"The Administration should also create a National Internet Safety Technical Task Force to develop a national policy that balances conflicting pressures for online authentication, age screening, and child safety versus online identity and privacy," the Forum recommended. It identified a tension between the need for technologies used to authenticate users of social networks and the privacy impact of those technologies. It questioned a recent call by the National Telecommunications and Information Administration for individuals to sit on an Online Safety and Technology Working Group for 15 months, instead calling for a "senior level effort, including representation of attorneys general, members of Congress, advocates, academics and industry experts".

Finally, it asked for accountable business models which would force companies operating online to be more transparent about how they share information with partners.