AgentSkillsCN

PII & Privacy Regulations Skill

在欧洲及澳大利亚的隐私法规下妥善处理个人身份信息。

SKILL.md
--- frontmatter
name: "PII & Privacy Regulations Skill"
description: "Handling personally identifiable information under European and Australian privacy regulations."
applyTo: "**/*privacy*,**/*PII*,**/*personal*,**/*GDPR*,**/*data-protection*,**/*consent*,**/*user-data*"

PII & Privacy Regulations Skill

Handling personally identifiable information under European and Australian privacy regulations.

⚠️ Staleness Warning

Privacy regulations are actively evolving. Major changes expected.

Refresh triggers:

  • GDPR enforcement updates or new guidelines
  • Australian Privacy Act reform (ongoing review)
  • New adequacy decisions for data transfers
  • Significant enforcement actions or fines
  • EU AI Act privacy provisions (2025-2026)

Last validated: February 2026

Check current state:


What is PII?

Personally Identifiable Information (PII) is any data that can identify an individual directly or indirectly.

Direct Identifiers

CategoryExamples
NameFull name, maiden name, alias
Government IDsSSN, passport, driver's license, TFN (AU)
FinancialBank account, credit card numbers
ContactEmail, phone, physical address
BiometricFingerprints, facial recognition, voice

Indirect Identifiers (Quasi-identifiers)

CategoryExamples
LocationIP address, GPS coordinates, ZIP/postcode
DeviceDevice ID, MAC address, browser fingerprint
DemographicAge, gender, ethnicity, occupation
BehavioralPurchase history, browsing patterns

Key insight: Combining quasi-identifiers can uniquely identify individuals even without direct identifiers.


🇪🇺 GDPR (European Union)

Applies to: Any organization processing EU residents' data, regardless of location.

Core Principles (Article 5)

PrincipleRequirement
Lawfulness, Fairness, TransparencyProcess data legally with clear communication
Purpose LimitationCollect only for specified, legitimate purposes
Data MinimizationCollect only what's necessary
AccuracyKeep data accurate and up to date
Storage LimitationRetain only as long as necessary
Integrity & ConfidentialityEnsure appropriate security
AccountabilityDemonstrate compliance

Lawful Bases for Processing

BasisWhen to Use
ConsentFreely given, specific, informed, unambiguous
ContractNecessary for contract performance
Legal ObligationRequired by law
Vital InterestsProtect someone's life
Public TaskOfficial authority or public interest
Legitimate InterestsBusiness need balanced against rights

Individual Rights (Data Subject Rights)

RightDescriptionResponse Time
AccessObtain copy of their data1 month
RectificationCorrect inaccurate data1 month
Erasure ("Right to be Forgotten")Delete their data1 month
Restrict ProcessingLimit how data is used1 month
Data PortabilityReceive data in machine-readable format1 month
ObjectStop certain processingWithout delay
Automated Decision-MakingHuman review of automated decisions1 month

GDPR Compliance Checklist

markdown
## Lawful Basis & Transparency
- [ ] Document lawful basis for each processing activity
- [ ] Maintain records of processing activities (Article 30)
- [ ] Privacy policy is clear, accessible, updated

## Data Security
- [ ] Encryption at rest and in transit
- [ ] Pseudonymization where possible
- [ ] Data Protection Impact Assessment (DPIA) for high-risk processing
- [ ] Breach notification process (72 hours to authority)

## Governance
- [ ] Data Protection Officer (DPO) appointed if required
- [ ] Data Processing Agreements with third parties
- [ ] EU representative appointed (if outside EU)

## Individual Rights
- [ ] Process to handle access requests
- [ ] Process to handle deletion requests
- [ ] Process to handle data portability requests
- [ ] Consent mechanism (opt-in, not opt-out)

2025-2026 Updates

UpdateImpact
Simplified Record-Keeping (May 2025)Organizations <750 employees only need records for high-risk processing
Enhanced Enforcement Procedures (June 2025)Additional procedural rules for cross-border cases
AI Act IntegrationAdditional requirements for AI systems processing personal data

🇦🇺 Australian Privacy Principles (APPs)

Applies to: Organizations with annual turnover >$3M AUD, government agencies, health service providers, and some others.

The 13 APPs

APPTitleKey Requirement
APP 1Open & Transparent ManagementHave a clear, up-to-date privacy policy
APP 2Anonymity & PseudonymityAllow anonymous/pseudonymous dealings where practical
APP 3Collection of Solicited InformationOnly collect necessary info; higher bar for sensitive info
APP 4Unsolicited Personal InformationAssess and destroy if wouldn't have been collected
APP 5Notification of CollectionTell individuals what you're collecting and why
APP 6Use or DisclosureOnly for primary purpose or permitted secondary purposes
APP 7Direct MarketingOpt-out required; sensitive info needs consent
APP 8Cross-Border DisclosureEnsure overseas recipients comply with APPs
APP 9Government IdentifiersDon't adopt government IDs as your own identifier
APP 10Quality of InformationKeep data accurate, complete, up to date
APP 11Security of InformationProtect from misuse, loss, unauthorized access
APP 12Access to InformationProvide access when requested
APP 13Correction of InformationCorrect inaccurate information

Sensitive Information (Higher Protection)

Under Australian law, sensitive information includes:

  • Health information
  • Genetic information
  • Biometric data
  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Sexual orientation
  • Criminal record
  • Trade union membership

Rule: Sensitive information generally requires consent to collect.

Notifiable Data Breaches (NDB) Scheme

When to notify:

  • Unauthorized access, disclosure, or loss of personal information
  • Likely to result in serious harm to individuals
  • Remedial action hasn't prevented serious harm

Timeline:

  • Notify OAIC and affected individuals as soon as practicable
  • Assessment must be completed within 30 days

Australian Privacy Act Reform (Ongoing)

The Privacy Act is under review. Expected changes:

Proposed ChangeStatus
Expanded definition of personal informationUnder review
New individual rights (erasure, explanation of AI decisions)Proposed
Higher penaltiesEnacted (up to $50M AUD)
Direct right of action for individualsUnder review
Removal of small business exemptionUnder consideration

Cross-Jurisdictional Comparison

AspectGDPR (EU)APP (Australia)
ScopeAll organizations processing EU data>$3M turnover + exceptions
ConsentMust be explicit opt-inCan be implied in some cases
Right to ErasureExplicit rightNot explicit (under review)
Breach Notification72 hours to authority"As soon as practicable"
PenaltiesUp to €20M or 4% global revenueUp to $50M AUD
Cross-Border TransferAdequacy decisions, SCCs, BCRsMust ensure APP compliance
DPO RequiredYes, in certain casesNo requirement

Code Implementation Patterns

Never Log PII

typescript
// ❌ BAD
logger.info(`User ${user.email} logged in from ${user.ipAddress}`);

// ✅ GOOD
logger.info(`User ${hashUserId(user.id)} logged in`);

Encrypt PII at Rest

typescript
// Encrypt before storing
const encryptedEmail = encrypt(user.email, encryptionKey);
await db.users.update({ id: user.id, email: encryptedEmail });

// Decrypt only when needed
const email = decrypt(storedUser.email, encryptionKey);

Implement Data Minimization

typescript
// ❌ BAD - Fetching everything
const user = await db.users.findById(id);
return user; // Contains PII you don't need

// ✅ GOOD - Select only needed fields
const user = await db.users.findById(id, {
  select: ['id', 'displayName', 'preferences']
});
return user;

Consent Management

typescript
interface ConsentRecord {
  userId: string;
  purpose: 'marketing' | 'analytics' | 'personalization';
  granted: boolean;
  timestamp: Date;
  source: 'web' | 'mobile' | 'api';
  version: string; // Privacy policy version
}

// Always check consent before processing
async function canProcess(userId: string, purpose: string): Promise<boolean> {
  const consent = await getLatestConsent(userId, purpose);
  return consent?.granted === true;
}

Data Subject Request Handler

typescript
interface DataSubjectRequest {
  type: 'access' | 'rectification' | 'erasure' | 'portability' | 'objection';
  userId: string;
  requestedAt: Date;
  deadline: Date; // 30 days for GDPR
  status: 'pending' | 'processing' | 'completed' | 'denied';
}

// Implement audit trail for all requests
async function handleDSR(request: DataSubjectRequest) {
  await auditLog.record({
    action: 'dsr_received',
    requestType: request.type,
    userId: request.userId,
    timestamp: new Date()
  });

  // Process based on type...
}

Pseudonymization Pattern

typescript
// Replace direct identifiers with tokens
function pseudonymize(record: UserRecord): PseudonymizedRecord {
  return {
    pseudoId: generateToken(record.id), // Reversible with key
    ageGroup: getAgeGroup(record.birthDate), // 18-25, 26-35, etc.
    region: record.country, // Keep general location
    // Omit: name, email, exact address, etc.
  };
}

Compliance Checklist

For New Projects

markdown
## Privacy Impact Assessment
- [ ] What PII will be collected?
- [ ] What is the lawful basis (GDPR) / primary purpose (APP)?
- [ ] Is all collected data necessary? (data minimization)
- [ ] How long will data be retained?
- [ ] Who will have access?
- [ ] Will data cross borders?
- [ ] What security measures are in place?

## Technical Implementation
- [ ] PII encrypted at rest
- [ ] PII encrypted in transit (TLS 1.2+)
- [ ] Logging excludes PII
- [ ] Consent captured before processing
- [ ] Data subject request endpoints implemented
- [ ] Retention/deletion automation in place
- [ ] Audit logging for PII access

Quick Reference: When Processing is Prohibited

ScenarioGDPRAPP
No lawful basis identified
Sensitive data without explicit consent
Marketing without opt-out option
Cross-border transfer without safeguards
Retention beyond stated period
Collection beyond stated purpose

Resources

Official

Tools

  • Data Protection Impact Assessment templates
  • Consent management platforms
  • Data discovery and classification tools

Synapses

See synapses.json for connections.