
From their site: "The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals’ privacy."

What is a voluntary tool? Beats me. Who are the stakeholders? Beats me. Help organizations to manage risk. What kind of risk? Whose privacy? Yadda yadda yadda... Run-on sentence. My takeaway: NIST needs to hire writers.




If I may attempt to offer a translation:

> The NIST Privacy Framework is a voluntary tool

This is something that organizations can choose to use. We are a standards body, not a regulatory agency.

> developed in collaboration with stakeholders

We actually talked to people who need and use standards of this sort. We integrated their feedback.

> intended to help organizations identify and manage privacy risk

The goal is to help organizations understand the chances they are taking with private data.

> build innovative products and services while protecting individuals’ privacy

While still being able to actually make use of the data to accomplish goals that matter in some way.

----

Basically, this is completely comprehensible to most people and organizations who expect to be making use of this sort of standard. Like any technical document, it has a specialized vocabulary. It is not written for, and should not be judged by, the prose expectations of the general population.

NIST has writers. They are technical writers who are writing technical documentation intended for technical readers. We should calibrate our expectations accordingly.


I agree, full stop. Would like to know the background of the parent poster just to understand his motivation for criticizing.

Was he writing with a negative approach just because he can, or did he just fail to get the meaning between the lines because he is not the target audience?


At a guess, not the target audience combined with a failure to recognize it as a technical document. The latter is completely understandable. NIST uses words that can be found in daily business use, but they take on technical meanings.


The translation reads a lot better for technical and non-technical folks. NIST technical writers should take a look at this.


I disagree. It's an overly wordy and imprecise read for the kind of person who is the target audience (which is what "technical" means here). Further, this sort of translation only works on this particular snippet because it's an introduction and statement of purpose. The policy details would not translate nearly so well or coherently.

You may as well request that IETF RFCs be rendered into lay language. You can do it, but it would likely make them much less useful as specifications.


With NIST frameworks, one needs to explore a bit. Here are some of the stakeholders:

https://www.nist.gov/privacy-framework/request-comment

And here is the PDF that should answer all of the other questions you have:

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pd...


Excellent links, thank you!

I can imagine the benefit of having this as a reference, instead of needing to have meetings across departments and levels to negotiate who's responsible for what, in an open-ended way.

Thanks to NIST for providing a Schelling point for appropriate coordination to uphold privacy, and a scaffold of reasonably good, reasonably thorough thinking about how to appropriately handle privacy, and the general roles of everyone involved in a coherent effort inside or outside an enterprise. Raising the water line!


"Voluntary tool" means other federal agencies are not required to adopt it. "Developed in collaboration with stakeholders" means this was not 100% internally developed at NIST.

The rest of your questions are answered in the FAQ.

It's not a run-on sentence; it's just a long one, and if you're looking for a way to ensure your users' privacy while building a computer-oriented service, that executive summary tells you enough to decide whether this is something you want to further investigate. Drive-by web forum commentators, in general, are not considered target audience for these documents.


A voluntary tool is a tool you don't need to use.

NIST is a government organization, and it helps to explain that this is a tool provided by government for your discretionary use; it is not a regulatory framework.


It doesn't take a genius to understand what a voluntary tool/framework is. Like many of the NIST frameworks including the well known cyber security framework, these aren't mandated by NIST to be used.

But that organisations globally can use the framework in uplifting or driving improved measures around privacy.

If you go to the NIST website and read it, you will have all of your questions clearly answered.


It's okay, you're not the target audience. People who are already know the answers to these questions.


I suspect this is a result of too many writers!


This one is in the tl;dr HN uninformed expert Hall of Fame. Did you click even one level down? NIST is a standards organization whose usually very careful work is to provide frameworks for people to make products, make business decisions, and create entire industries. It's not a single GitHub repo you can clone or a blog post you can dissect. The companies, researchers, and organizations that will use this framework understand it and will, I am sure, be able to use it and suggest areas of improvement.


Maybe it was written by ChatGPT!


Just a bureaucrat. Same thing.


If you were there when we were writing that copy back in 2005, you could have schooled us in how not to write like an LLM that hadn't been invented yet.

Also, the copy you're referring to was written by a contractor, not "a bureaucrat."


Maybe they don't want you to know those things.



