PAS-01A: Privacy Intake Form (v1.0)

The First Step Out of the Fire Drill

By Dr. SK, CIPT, PMP

PAS-01A is the minimum viable privacy gate. It prevents collection drift and establishes accountability before code or procurement begins.

This form is the minimal viable control to stop shadow IT and enforce Privacy by Design at the source. Do not allow a new system, project, or vendor engagement to proceed past concept without completing this form. This ensures every piece of data has a clear owner, purpose, and disposal plan.

Section 1: Project Metadata (Who & What)

This section documents the basic context and accountability for the request.

| Field | Required | Description |
|---|---|---|
| Project Name/Code | Yes | Official name and unique identifier for the project (e.g., 'Project Phoenix', 'SYS-CRM-007'). |
| Requestor / Project Lead | Yes | Name and Title of the primary technical/product contact. |
| Business Sponsor | Yes | Name and Title of the executive sponsor responsible for the business outcome. |
| Date of Submission | Yes | Date form submitted for initial review. |
| System Type | Yes | Select one: - [ ] Internal Dev - [ ] SaaS Vendor - [ ] Pilot/PoC - [ ] Existing System Change |

Section 2: Data Scope Definition (The What & Why)

This is the most critical section. It translates the business need into the exact data elements and purpose. This stops the "collect everything just in case" default.

2A: Processing Purpose (Lawful Basis Anchor)

  • Purpose Limitation requires a single, specific goal for collection.
  • Intended Processing Purpose: (Select only ONE primary purpose and justify)
      - [ ] Contractual Necessity (e.g., fulfilling a subscription)
      - [ ] Legitimate Interest (e.g., anti-fraud, internal reporting)
      - [ ] Legal Obligation (e.g., tax reporting)
      - [ ] Consent (e.g., optional marketing)
      - [ ] Other (must be justified below)
  • Justification: Briefly explain why this processing is necessary to achieve the selected purpose. (E.g., "To process monthly billing under the SaaS contract.")

2B: Data Elements & Sensitivity

  • Data Minimization requires collecting the least amount of data necessary.
  • Does this project collect or process any of the following? (Check all that apply)
      - [ ] General PII (Name, Email, Phone, Address)
      - [ ] Sensitive PII/SPI (Health, Financial Account Numbers, Race, Religion, Biometrics)
      - [ ] Children’s Data (Ages 16 and under)
      - [ ] Derived Data/Profiling (e.g., credit scores, psychological profiles)
  • List Data Elements: List every personal data element collected (e.g., 'IP Address', 'User ID', 'Last Name'). Attach a detailed Data Element Dictionary if available.

Section 3: Data Flow & Lifecycle (Where & When)

This section forces accountability for data retention and disposal.

| Field | Required | Description |
|---|---|---|
| Data Source(s) | Yes | Where is the data collected from (e.g., web form, internal API, third-party log)? |
| Cross-Border Transfer? | Yes | Will data leave the initial collection jurisdiction (e.g., EU data moved to US cloud)? - [ ] Yes / - [ ] No |
| Retention Requirement | Yes | Specific Time Limit: (e.g., 90 days, 7 years, Contract End Date + 6 months). |
| Retention Justification | Yes | Why is this specific time limit necessary (e.g., "Tax reporting mandate," "Standard contract term")? |
| Deletion Owner | Yes | Specific Individual/Role responsible for ensuring automated deletion occurs. |

Section 4: Risk Classification & Approvals

This section acts as your DPIA Triage Grid and audit log.

| Risk Dimension | Impact (L/M/H) | Likelihood (L/M/H) | Residual Risk | Notes |
|---|---|---|---|---|
| Legal/Regulatory: Potential for fines or litigation. | | | | |
| Reputational: Potential for public backlash or loss of trust. | | | | |
| Technical/Security: Potential for breach or unauthorized access. | | | | |

Is a full DPIA/PIA Required? (HINT: If Impact or Likelihood is 'H' in any category, the answer is likely Yes)
- [ ] Yes / - [ ] No (If No, justify below)

Sign-Off (Approval Required to Proceed)

| Role | Name/Signature | Date of Approval |
|---|---|---|
| Governance Lead (Dr. SK) | | |
| Legal Counsel | | |
| CISO/Security Liaison | | |

Audit Trail

| Version | Reviewer | Date | Comments |
|---|---|---|---|
| 1.0 | Dr. SK | 2025-11-05 | Initial release as core control for Level 2 maturity. |

*PAS-01A is a fictional internal form used for illustrative purposes.

© Privacy Atelier | CC BY-NC 4.0 | Examples are composites.