Generate a Privacy Impact Assessment in house format for a new feature, product, or processing activity, using the structure learned from your seed PIA. Use when the user says "write a PIA", "privacy impact assessment for", "do we need a PIA for this", "privacy review this feature", or describes a new data processing activity.
复制安装指令,让 AI 自动完成配置 · 推荐新手
请帮我安装 askskill 上的 "pia-generation" 技能: 1. 下载 https://raw.githubusercontent.com/anthropics/claude-for-legal/main/privacy-legal/skills/pia-generation/SKILL.md 2. 保存为 ~/.claude/skills/pia-generation/SKILL.md 3. 装好后重载技能,告诉我可以用了
~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md → PIA house style (trigger, structure, depth, sign-off)./privacy-legal:pia-generation "Location sharing feature"
/privacy-legal:pia-generation
PRD: [Drive link]
Matter context. Check ## Matter workspaces in the practice-level CLAUDE.md. If Enabled is ✗ (the default for in-house users), skip the rest of this paragraph — skills use practice-level context and the matter machinery is invisible. If enabled and there is no active matter, ask: "Which matter is this for? Run /privacy-legal:matter-workspace switch <slug> or say practice-level." Load the active matter's matter.md for matter-specific context and overrides. Write outputs to the matter folder at ~/.claude/plugins/config/claude-for-legal/privacy-legal/matters/<matter-slug>/. Never read another matter's files unless Cross-matter context is on.
Before producing output, check where it's going. If the user has named a destination (a channel, a distribution list, a counterparty, "everyone"), ask whether it's inside the privilege circle. Public channels, company-wide lists, counterparty/opposing counsel, vendors, and clients (for work product) waive the protection. When the destination looks outside the circle, flag it and offer (a) the privileged version for legal only, (b) a sanitized version for the broader channel, or (c) both — don't silently apply a privileged header and then help paste it somewhere the header won't protect it. See the canonical ## Shared guardrails → Destination check in this plugin's CLAUDE.md.
A PIA is a conversation with the product team, captured. It asks: what data, why, how long, who sees it, what could go wrong. This skill structures that conversation and writes the output in this team's format — the one learned from the seed PIA during cold-start.
This assessment assumes the jurisdictional scope specified in your configuration. Privacy rules, assessment triggers, and lawful bases vary materially by jurisdiction (GDPR vs. state consumer privacy laws vs. sectoral). If the processing activity, controller, or affected data subjects fall under a different jurisdiction, this analysis may not apply as written.
Before writing a new PIA, check the outputs folder for prior work on the same feature, processing activity, or counterparty. Read ~/.claude/plugins/config/claude-for-legal/privacy-legal/CLAUDE.md → ## Outputs for the path. Scan for:
use-case-triage results covering this activity — the triage's risk rating, mandatory conditions, and called-out concerns are the entry point for the PIA.pia-generation outputs for the same or an overlapping activity — a superseding PIA should reconcile (what changed, what carried over). A PIA that silently produces different conclusions than a prior PIA on the same activity is a contradiction a reviewing attorney cannot see.dpa-review outputs for vendors in scope — the DPA review's findings inform the PIA's analysis of subprocessor / cross-border / retention risk.If a prior output is found, cite it in the PIA:
"Prior triage ([date]) rated this [risk level] and required [conditions]. This PIA builds on that finding — [which conditions are satisfied, which remain, which are re-scoped]."
If a prior PIA exists:
…
Ask questions against an open investigation log — what witnesses said, where accounts conflict, what gaps exist, what the strongest evidence is on each issue. Use when the attorney needs to query the investigation record without re-reading every entry.
EU AI Act per-system inventory — track each AI system's role (provider, deployer, importer, distributor, authorized representative, product manufacturer) and risk tier (prohibited, high-risk, limited, minimal, GPAI, GPAI+systemic). Role and tier are assessed per system, not per company. Use when the user says "ai inventory", "add an ai system", "what systems do we have", "classify this ai system", "eu ai act register", or "ai system registry".
Draft a firm AI usage policy from published model policies, adapted to your practice profile — a research-and-synthesis tool whose output is a draft for attorney review and adoption, not a finished policy. Use when user says "draft an AI policy", "we need an AI policy", "build an AI usage policy", "our firm needs a GenAI policy", or similar requests to generate a first-cut internal AI policy.
Review vendor AI terms — agreement, addendum, or ToS AI provisions — against your governance positions; flag training-on-data, liability, model changes, and AI policy consistency. Use when user says "review this AI agreement", "check OpenAI terms", "what did we agree to with [vendor]", "vendor sent an AI addendum", "is this AI contract okay", or attaches vendor AI terms.
Route a contract issue to the right approver per the escalation matrix in `~/.claude/plugins/config/claude-for-legal/commercial-legal/CLAUDE.md`, and draft the ask. Use when the user says "who needs to approve this", "escalate this", "does this need GC sign-off", "route this for approval", or when another skill finds an issue that exceeds the reviewer's authority.
Freedom-to-operate triage — a structured first look at potentially blocking patents, not an FTO opinion. Use when a product, process, or feature is being evaluated for blocking patents, when asked whether anything stops a launch, or to build a claim-chart first pass against the most plausible patents before patent counsel review. This skill never concludes a product is clear to launch.