Labsco
microsoft logo

privacy-standards

✓ Official1,245

by microsoft · part of microsoft/hve-core

Privacy planning reference for data-flow reasoning, standards mapping, and DPIA thresholds

🧩 One of 7 skills in the microsoft/hve-core package — works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates — you don't need to read it to use the skill, but it's here to audit before installing.

Privacy Standards Skill

This skill is the reusable privacy reference package for the Privacy Planner and Privacy Reviewer. It consolidates the privacy standards backbone, the core data-flow and classification heuristics, and the DPIA threshold logic needed to keep privacy reviews focused on workflow, evidence, and implementation readiness.

[!NOTE] This skill is a planning aid, not legal advice. Its standards summaries support privacy reasoning and review preparation; they do not substitute for qualified legal counsel or a formal regulatory interpretation.

Attribution and licensing posture

  • NIST Privacy Framework and NISTIR 8062 are U.S. Government documents and are referenced here with attribution as public-domain reference material.
  • GDPR and CCPA/CPRA content is paraphrased and attributed rather than quoted verbatim, consistent with the repository's open legal-text posture.
  • OWASP privacy-risk material is used as a planning reference and is attributed to the OWASP project.

Framework index

Privacy planning heuristics

  • Start with a data inventory and map the personal data lifecycle: collection, transfer, storage, use, sharing, retention, and deletion.
  • Separate the data categories from the processing purpose so the planner or reviewer can assess necessity, proportionality, and appropriate control selection.
  • Identify whether the workflow involves sensitive data, automated decision-making, profiling, or cross-organization sharing, because these conditions often trigger a deeper review.
  • Track the evidence trail for each privacy decision so the handoff can include the standards references, the supporting rationale, and the review context.

Citation-field vocabulary

Use these fields when capturing a finding, control, or risk so the reviewer can assert a stable source-control reference:

  • gdpr_article
  • ccpa_section
  • nist_pf_category
  • nistir8062_objective
  • owasp_privacy_id

Phase-to-framework mapping

Privacy phasePrimary standards packageNotes
Phase 1 CaptureNIST Privacy Framework + GDPRContext, scope, and legal basis framing
Phase 2 Data MappingNIST Privacy Framework + NISTIR 8062Data inventory, purpose, and minimization reasoning
Phase 3 Risk and DPIAGDPR + CCPA/CPRA + NISTIR 8062DPIA triggers, risk analysis, and proportionality
Phase 4 ControlsNIST Privacy Framework + OWASP Privacy RisksControls for collection, use, sharing, and retention
Phase 5 ImpactGDPR + CCPA/CPRA + OWASP Privacy RisksPotential harm, mitigation, and monitoring
Phase 6 HandoffAll sourcesEvidence handoff, review notes, and action tracking

Open-standards catalog

Use the links below as the reference catalog for open privacy standards and governance resources. Treat the material as planning and review guidance rather than a substitute for legal advice or formal regulatory interpretation.