Privacy Check Skill

Privacy Check Skill

Privacy by Design assessment.

Workflow

7 Foundational Principles (Cavoukian)

1. Proactive not Reactive: Are privacy measures built in from the start?

   • [ ] Privacy considered in design phase, not bolted on
   • [ ] Risks identified before implementation

2. Privacy as Default: Is the most private option the default?

   • [ ] Data collection opt-in, not opt-out
   • [ ] Minimum data collected by default
   • [ ] Sharing disabled by default

3. Privacy Embedded in Design: Is privacy integral to the system?

   • [ ] Privacy controls are core features, not add-ons
   • [ ] Architecture supports data minimization

4. Positive-Sum, not Zero-Sum (originally "Full Functionality"): Privacy without trade-offs?

   • [ ] Privacy features don't degrade user experience
   • [ ] Not a false choice between privacy and functionality
   • [ ] Avoid false dichotomies: privacy vs. security, privacy vs. business value

5. End-to-End Security: Data protected throughout its lifecycle?

   • [ ] Encryption at rest and in transit
   • [ ] Secure deletion when no longer needed
   • [ ] Access controls throughout the data lifecycle

6. Visibility and Transparency: Is data processing transparent?

   • [ ] Users know what data is collected and why
   • [ ] Processing purposes documented and communicated
   • [ ] Third-party sharing disclosed

7. Respect for User Privacy: Are user interests centered?

   • [ ] Users can access their data
   • [ ] Users can correct their data
   • [ ] Users can delete their data
   • [ ] Consent is informed, specific, and revocable

Data Protection Assessment

• What data is collected? List all personal data fields.
• Why? Lawful basis for each data element.
• How long? Retention period for each data type.
• Who accesses it? List all parties with access.
• Where is it stored? Data residency and cross-border transfers.
• How is it protected? Encryption, access control, monitoring.
• What if breached? Incident response plan exists?

Output

## Privacy Assessment: [Feature/System]

### PbD Principles
| Principle | Status | Notes |
|-----------|--------|-------|
| Proactive | Pass/Fail | ... |
| Default privacy | Pass/Fail | ... |
| Embedded | Pass/Fail | ... |
| Full functionality | Pass/Fail | ... |
| End-to-end security | Pass/Fail | ... |
| Transparency | Pass/Fail | ... |
| User respect | Pass/Fail | ... |

### Data Inventory
| Data | Purpose | Basis | Retention | Protection |
|------|---------|-------|-----------|-----------|
| ... | ... | ... | ... | ... |

### Risks and Recommendations
1. [risk and recommended action]

Decision Log (MANDATORY per G-P4)

APPEND a ### Privacy Assessment entry to .claude/harness/decision-log.md with: principles assessed, data flows identified, risks found, GDPR compliance status.

Theory Citations

• Cavoukian: Privacy by Design (7 principles)
• GDPR: Data protection regulation