Data Privacy
Skill Profile
(Select at least one profile to enable specific modules)
- [ ] DevOps
- [x] Backend
- [ ] Frontend
- [ ] AI-RAG
- [ ] Security Critical
Overview
Data privacy is a critical component of modern software development, ensuring that personal information is protected throughout its lifecycle. This skill provides comprehensive patterns for implementing privacy controls, from PII identification and classification to encryption, anonymization, and privacy-preserving techniques.
Why This Matters
Data privacy is essential for:
- Legal Compliance: Meeting GDPR, CCPA, and other privacy regulations
- User Trust: Building trust through responsible data handling
- Risk Mitigation: Avoiding data breaches and regulatory fines
- Brand Reputation: Maintaining a positive public image
- Competitive Advantage: Differentiating through privacy leadership
Core Concepts & Rules
1. Core Principles
- Follow established patterns and conventions
- Maintain consistency across codebase
- Document decisions and trade-offs
2. Implementation Guidelines
- Start with the simplest viable solution
- Iterate based on feedback and requirements
- Test thoroughly before deployment
Inputs / Outputs / Contracts
- Inputs:
- <e.g., env vars, request payload, file paths, schema>
- Entry Conditions:
- <Pre-requisites: e.g., Repo initialized, DB running, specific branch checked out>
- Outputs:
- <e.g., artifacts (PR diff, docs, tests, dashboard JSON)>
- Artifacts Required (Deliverables):
- <e.g., Code Diff, Unit Tests, Migration Script, API Docs>
- Acceptance Evidence:
- <e.g., Test Report (screenshot/log), Benchmark Result, Security Scan Report>
- Success Criteria:
- <e.g., p95 < 300ms, coverage ≥ 80%>
Skill Composition
- Depends on: None
- Compatible with: None
- Conflicts with: None
- Related Skills: None
Quick Start / Implementation Example
- Review requirements and constraints
- Set up development environment
- Implement core functionality following patterns
- Write tests for critical paths
- Run tests and fix issues
- Document any deviations or decisions
# Example implementation following best practices
def example_function():
# Your implementation here
pass
Assumptions
- Encryption keys are securely managed
- PII can be identified through patterns or field names
- Users can be authenticated for access requests
- Legal requirements are understood
Compatibility
- GDPR Article 25 compliant (Privacy by Design)
- CCPA compliant
- HIPAA compliant (for health data)
- Works with all major databases
Test Scenario Matrix
| Scenario | Input | Expected Output | Priority | |----------|-------|-----------------|----------| | Detect PII | User data object | List of PII fields | P0 | | Encrypt data | Sensitive string | Encrypted data with IV and tag | P0 | | Decrypt data | Encrypted data | Original plaintext | P0 | | Anonymize data | User data object | Anonymized data object | P0 | | Mask data | Data with masking rules | Masked data | P1 | | Assess privacy | Data processing info | Privacy assessment report | P0 | | Check k-anonymity | Dataset, k value | Boolean result | P1 |
Technical Guardrails & Security Threat Model
1. Security & Privacy (Threat Model)
- Top Threats: Injection attacks, authentication bypass, data exposure
- [ ] Data Handling: Sanitize all user inputs to prevent Injection attacks. Never log raw PII
- [ ] Secrets Management: No hardcoded API keys. Use Env Vars/Secrets Manager
- [ ] Authorization: Validate user permissions before state changes
2. Performance & Resources
- [ ] Execution Efficiency: Consider time complexity for algorithms
- [ ] Memory Management: Use streams/pagination for large data
- [ ] Resource Cleanup: Close DB connections/file handlers in finally blocks
3. Architecture & Scalability
- [ ] Design Pattern: Follow SOLID principles, use Dependency Injection
- [ ] Modularity: Decouple logic from UI/Frameworks
4. Observability & Reliability
- [ ] Logging Standards: Structured JSON, include trace IDs
request_id - [ ] Metrics: Track
error_rate,latency,queue_depth - [ ] Error Handling: Standardized error codes, no bare except
- [ ] Observability Artifacts:
- Log Fields: timestamp, level, message, request_id
- Metrics: request_count, error_count, response_time
- Dashboards/Alerts: High Error Rate > 5%
Agent Directives & Error Recovery
(ข้อกำหนดสำหรับ AI Agent ในการคิดและแก้ปัญหาเมื่อเกิดข้อผิดพลาด)
- Thinking Process: Analyze root cause before fixing. Do not brute-force.
- Fallback Strategy: Stop after 3 failed test attempts. Output root cause and ask for human intervention/clarification.
- Self-Review: Check against Guardrails & Anti-patterns before finalizing.
- Output Constraints: Output ONLY the modified code block. Do not explain unless asked.
Definition of Done (DoD) Checklist
- [ ] Tests passed + coverage met
- [ ] Lint/Typecheck passed
- [ ] Logging/Metrics/Trace implemented
- [ ] Security checks passed
- [ ] Documentation/Changelog updated
- [ ] Accessibility/Performance requirements met (if frontend)
Anti-patterns
- Over-collection: Collecting more data than needed
- Weak Encryption: Using outdated or weak encryption
- Insufficient Anonymization: Data that can be re-identified
- No Access Controls: Anyone can access PII
- Ignoring Consent: Processing data without proper consent
Reference Links & Examples
- Internal documentation and examples
- Official documentation and best practices
- Community resources and discussions
Versioning & Changelog
- Version: 1.0.0
- Changelog:
- 2026-02-22: Initial version with complete template structure
Scan to join WeChat group