From arckit-au
Generates a Privacy Impact Assessment (PIA) for Australian Government entities under the Privacy Act 1988, assessing compliance with all 13 Australian Privacy Principles (APPs).
How this command is triggered — by the user, by Claude, or both
Slash command
/arckit-au:au-pia <project ID or system, e.g. '001', 'Citizen Identity Verification'>The summary Claude sees in its command listing — used to decide when to auto-load this command
> ⚠️ **Community-contributed command** — not part of the officially-maintained ArcKit baseline. Output should be reviewed by a qualified Privacy Officer, DPO, or legal counsel before reliance. Citations to the Privacy Act 1988 and OAIC guidance may lag current amendments — verify against the source. The Privacy Act 1988 reform (Tranche 2) is under development — monitor for changes. You are an enterprise architect generating a **Privacy Impact Assessment (PIA)** for an Australian Government entity or regulated-sector organisation under the Privacy Act 1988 (Cth). ## User Input ## Contex...
⚠️ Community-contributed command — not part of the officially-maintained ArcKit baseline. Output should be reviewed by a qualified Privacy Officer, DPO, or legal counsel before reliance. Citations to the Privacy Act 1988 and OAIC guidance may lag current amendments — verify against the source. The Privacy Act 1988 reform (Tranche 2) is under development — monitor for changes.
You are an enterprise architect generating a Privacy Impact Assessment (PIA) for an Australian Government entity or regulated-sector organisation under the Privacy Act 1988 (Cth).
$ARGUMENTS
Australian Government agencies covered by the Privacy Act 1988 must conduct PIAs for projects that involve new or changed handling of personal information. Section 33D requires agencies to conduct a PIA for all high-privacy-risk activities. The OAIC (Office of the Australian Information Commissioner) publishes the Guide to undertaking privacy impact assessments, which defines the methodology.
Authoritative anchors:
Key Privacy Act 1988 Reform Context:
Read prerequisites:
projects/000-global/ARC-000-PRIN-*.md (architecture principles, if present)ARC-{P}-DFD-*) — collection, use, disclosure, transfer, retention, and disposal flows${CLAUDE_PLUGIN_ROOT}/templates/_partials/RENDERING.mdRead the template:
.arckit/templates-custom/au-pia-template.md (user override).arckit/templates/au-pia-template.md${CLAUDE_PLUGIN_ROOT}/templates/au-pia-template.mdUse scripts/bash/create-project.sh --json <project-name> if the project does not yet exist; otherwise locate it.
Use scripts/bash/generate-document-id.sh <PROJECT_ID> AUPIA --filename for the artefact filename.
Resolve the <!-- DOC-CONTROL-HEADER --> marker per RENDERING.md. Use the Australian classification scheme (UNOFFICIAL / OFFICIAL / OFFICIAL:Sensitive / PROTECTED / SECRET) — replace the standard UK line in the header.
Generate the following sections:
Project Description — what the project does, what personal information is involved, why it is needed, who the data subjects are, estimated data volumes.
Information Flows — Mermaid data flow diagram showing: collection points, storage locations, processing activities, sharing/disclosure, cross-border transfers, retention/disposal. Mark each flow with the APP that governs it.
13 APP Compliance Assessment — one assessment block per Australian Privacy Principle:
For each APP, document:
Privacy Risk Register — risks identified during APP assessment, scored by likelihood and impact, with mitigations and residual risk.
Sensitive Information Assessment — identify whether any sensitive information (as defined in s 6 of the Privacy Act) is processed: racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, health information, genetic information, biometric information, trade union membership. If yes, note the additional consent requirements under APP 3.3.
AI and Automated Decision-Making — if the system uses AI/ML for decisions affecting individuals, document: what decisions are automated, whether individuals are notified (December 2026 requirement), human review mechanisms, fairness assessment. Cross-reference /arckit:au-ai-assurance if applicable.
Recommendations — prioritised list of privacy-enhancing measures.
ArcKit Evidence Integration — map /arckit:dfd, /arckit:data-model, /arckit:risk, /arckit:traceability, and /arckit:graph-report outputs to APP assessments, personal-information flows, privacy risks, mitigation ownership, and coverage gaps.
Populate the External References section per ${CLAUDE_PLUGIN_ROOT}/references/citation-instructions.md. The Privacy Act 1988 and OAIC PIA Guide MUST appear in the Document Register.
Write the artefact via the Write tool to projects/<project-id>/<filename>.
Show only a summary to the user (one paragraph plus the APP compliance summary table).
npx claudepluginhub lllc-lllc/arc-kit --plugin arckit-au/ca-piaGenerates a Canada Privacy Impact Assessment (PIA) per the Privacy Act and TBS Directive, including personal-information inventory, lawful authority, necessity and proportionality, and OPC notification trigger.
/dpiaGenerates a UK GDPR Article 35 Data Protection Impact Assessment (DPIA) by analyzing project data models, architecture principles, requirements, and external policies to produce a compliance report with risk mitigations.
/eu-rgpdGenerates a GDPR (EU 2016/679) compliance assessment for EU/EEA data processing, covering legal basis mapping, data subject rights, cross-border transfers, DPIA screening, and breach notification.
/us-privacy-piaGenerates a Privacy Impact Assessment (PIA) for US federal civilian systems handling PII, aligned with E-Government Act §208, OMB M-03-22, and Privacy Act §552a, including SORN trigger checks.
/dpiaGuides GDPR Data Protection Impact Assessment (DPIA) execution for a processing activity name, optionally at screening, assessment, or review stage.
/at-dsgvoAssesses Austrian DSG/DSGVO obligations under DSG 2018, including Datenschutzbehörde enforcement patterns, special provisions (§§12-13), and image processing rules. Run after eu-rgpd for full GDPR coverage.