Skills
skills/fabioc-aloha/lithium/PII & Privacy Regulations Skill

PII & Privacy Regulations Skill

SKILL.md

PII & Privacy Regulations Skill

Handling personally identifiable information under European and Australian privacy regulations.

⚠️ Staleness Warning

Privacy regulations are actively evolving. Major changes expected.

Refresh triggers:

  • GDPR enforcement updates or new guidelines
  • Australian Privacy Act reform (ongoing review)
  • New adequacy decisions for data transfers
  • Significant enforcement actions or fines
  • EU AI Act privacy provisions (2025-2026)

Last validated: February 2026

Check current state:

What is PII?

Personally Identifiable Information (PII) is any data that can identify an individual directly or indirectly.

Direct Identifiers

Category Examples
Name Full name, maiden name, alias
Government IDs SSN, passport, driver's license, TFN (AU)
Financial Bank account, credit card numbers
Contact Email, phone, physical address
Biometric Fingerprints, facial recognition, voice

Indirect Identifiers (Quasi-identifiers)

Category Examples
Location IP address, GPS coordinates, ZIP/postcode
Device Device ID, MAC address, browser fingerprint
Demographic Age, gender, ethnicity, occupation
Behavioral Purchase history, browsing patterns

Key insight: Combining quasi-identifiers can uniquely identify individuals even without direct identifiers.

🇪🇺 GDPR (European Union)

Applies to: Any organization processing EU residents' data, regardless of location.

Core Principles (Article 5)

Principle Requirement
Lawfulness, Fairness, Transparency Process data legally with clear communication
Purpose Limitation Collect only for specified, legitimate purposes
Data Minimization Collect only what's necessary
Accuracy Keep data accurate and up to date
Storage Limitation Retain only as long as necessary
Integrity & Confidentiality Ensure appropriate security
Accountability Demonstrate compliance

Lawful Bases for Processing

Basis When to Use
Consent Freely given, specific, informed, unambiguous
Contract Necessary for contract performance
Legal Obligation Required by law
Vital Interests Protect someone's life
Public Task Official authority or public interest
Legitimate Interests Business need balanced against rights

Individual Rights (Data Subject Rights)

Right Description Response Time
Access Obtain copy of their data 1 month
Rectification Correct inaccurate data 1 month
Erasure ("Right to be Forgotten") Delete their data 1 month
Restrict Processing Limit how data is used 1 month
Data Portability Receive data in machine-readable format 1 month
Object Stop certain processing Without delay
Automated Decision-Making Human review of automated decisions 1 month

GDPR Compliance Checklist

## Lawful Basis & Transparency
- [ ] Document lawful basis for each processing activity
- [ ] Maintain records of processing activities (Article 30)
- [ ] Privacy policy is clear, accessible, updated

## Data Security
- [ ] Encryption at rest and in transit
- [ ] Pseudonymization where possible
- [ ] Data Protection Impact Assessment (DPIA) for high-risk processing
- [ ] Breach notification process (72 hours to authority)

## Governance
- [ ] Data Protection Officer (DPO) appointed if required
- [ ] Data Processing Agreements with third parties
- [ ] EU representative appointed (if outside EU)

## Individual Rights
- [ ] Process to handle access requests
- [ ] Process to handle deletion requests
- [ ] Process to handle data portability requests
- [ ] Consent mechanism (opt-in, not opt-out)

2025-2026 Updates

Update Impact
Simplified Record-Keeping (May 2025) Organizations <750 employees only need records for high-risk processing
Enhanced Enforcement Procedures (June 2025) Additional procedural rules for cross-border cases
AI Act Integration Additional requirements for AI systems processing personal data

🇦🇺 Australian Privacy Principles (APPs)

Applies to: Organizations with annual turnover >$3M AUD, government agencies, health service providers, and some others.

The 13 APPs

APP Title Key Requirement
APP 1 Open & Transparent Management Have a clear, up-to-date privacy policy
APP 2 Anonymity & Pseudonymity Allow anonymous/pseudonymous dealings where practical
APP 3 Collection of Solicited Information Only collect necessary info; higher bar for sensitive info
APP 4 Unsolicited Personal Information Assess and destroy if wouldn't have been collected
APP 5 Notification of Collection Tell individuals what you're collecting and why
APP 6 Use or Disclosure Only for primary purpose or permitted secondary purposes
APP 7 Direct Marketing Opt-out required; sensitive info needs consent
APP 8 Cross-Border Disclosure Ensure overseas recipients comply with APPs
APP 9 Government Identifiers Don't adopt government IDs as your own identifier
APP 10 Quality of Information Keep data accurate, complete, up to date
APP 11 Security of Information Protect from misuse, loss, unauthorized access
APP 12 Access to Information Provide access when requested
APP 13 Correction of Information Correct inaccurate information

Sensitive Information (Higher Protection)

Under Australian law, sensitive information includes:

  • Health information
  • Genetic information
  • Biometric data
  • Racial or ethnic origin
  • Political opinions
  • Religious beliefs
  • Sexual orientation
  • Criminal record
  • Trade union membership

Rule: Sensitive information generally requires consent to collect.

Notifiable Data Breaches (NDB) Scheme

When to notify:

  • Unauthorized access, disclosure, or loss of personal information
  • Likely to result in serious harm to individuals
  • Remedial action hasn't prevented serious harm

Timeline:

  • Notify OAIC and affected individuals as soon as practicable
  • Assessment must be completed within 30 days

Australian Privacy Act Reform (Ongoing)

The Privacy Act is under review. Expected changes:

Proposed Change Status
Expanded definition of personal information Under review
New individual rights (erasure, explanation of AI decisions) Proposed
Higher penalties Enacted (up to $50M AUD)
Direct right of action for individuals Under review
Removal of small business exemption Under consideration

Cross-Jurisdictional Comparison

Aspect GDPR (EU) APP (Australia)
Scope All organizations processing EU data >$3M turnover + exceptions
Consent Must be explicit opt-in Can be implied in some cases
Right to Erasure Explicit right Not explicit (under review)
Breach Notification 72 hours to authority "As soon as practicable"
Penalties Up to €20M or 4% global revenue Up to $50M AUD
Cross-Border Transfer Adequacy decisions, SCCs, BCRs Must ensure APP compliance
DPO Required Yes, in certain cases No requirement

Code Implementation Patterns

Never Log PII

// ❌ BAD
logger.info(`User ${user.email} logged in from ${user.ipAddress}`);

// ✅ GOOD
logger.info(`User ${hashUserId(user.id)} logged in`);

Encrypt PII at Rest

// Encrypt before storing
const encryptedEmail = encrypt(user.email, encryptionKey);
await db.users.update({ id: user.id, email: encryptedEmail });

// Decrypt only when needed
const email = decrypt(storedUser.email, encryptionKey);

Implement Data Minimization

// ❌ BAD - Fetching everything
const user = await db.users.findById(id);
return user; // Contains PII you don't need

// ✅ GOOD - Select only needed fields
const user = await db.users.findById(id, {
  select: ['id', 'displayName', 'preferences']
});
return user;

Consent Management

interface ConsentRecord {
  userId: string;
  purpose: 'marketing' | 'analytics' | 'personalization';
  granted: boolean;
  timestamp: Date;
  source: 'web' | 'mobile' | 'api';
  version: string; // Privacy policy version
}

// Always check consent before processing
async function canProcess(userId: string, purpose: string): Promise<boolean> {
  const consent = await getLatestConsent(userId, purpose);
  return consent?.granted === true;
}

Data Subject Request Handler

interface DataSubjectRequest {
  type: 'access' | 'rectification' | 'erasure' | 'portability' | 'objection';
  userId: string;
  requestedAt: Date;
  deadline: Date; // 30 days for GDPR
  status: 'pending' | 'processing' | 'completed' | 'denied';
}

// Implement audit trail for all requests
async function handleDSR(request: DataSubjectRequest) {
  await auditLog.record({
    action: 'dsr_received',
    requestType: request.type,
    userId: request.userId,
    timestamp: new Date()
  });

  // Process based on type...
}

Pseudonymization Pattern

// Replace direct identifiers with tokens
function pseudonymize(record: UserRecord): PseudonymizedRecord {
  return {
    pseudoId: generateToken(record.id), // Reversible with key
    ageGroup: getAgeGroup(record.birthDate), // 18-25, 26-35, etc.
    region: record.country, // Keep general location
    // Omit: name, email, exact address, etc.
  };
}

Compliance Checklist

For New Projects

## Privacy Impact Assessment
- [ ] What PII will be collected?
- [ ] What is the lawful basis (GDPR) / primary purpose (APP)?
- [ ] Is all collected data necessary? (data minimization)
- [ ] How long will data be retained?
- [ ] Who will have access?
- [ ] Will data cross borders?
- [ ] What security measures are in place?

## Technical Implementation
- [ ] PII encrypted at rest
- [ ] PII encrypted in transit (TLS 1.2+)
- [ ] Logging excludes PII
- [ ] Consent captured before processing
- [ ] Data subject request endpoints implemented
- [ ] Retention/deletion automation in place
- [ ] Audit logging for PII access

Quick Reference: When Processing is Prohibited

Scenario GDPR APP
No lawful basis identified
Sensitive data without explicit consent
Marketing without opt-out option
Cross-border transfer without safeguards
Retention beyond stated period
Collection beyond stated purpose

Resources

Official

Tools

  • Data Protection Impact Assessment templates
  • Consent management platforms
  • Data discovery and classification tools

Synapses

See synapses.json for connections.

Weekly Installs
0
Repository
fabioc-aloha/lithium
First Seen
Jan 1, 1970