DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1- 8, 11-15 and 17-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Drost-Hansen, publication number: US 2017/0308715.

As per claims 1 and 17, Drost-Hansen teaches a method comprising: 
receiving, by a processing resource of a hosting system, first Personally Identifiable Information (PII) of a first user from a first application hosted on the hosting system, wherein the first Pll is to be part of call home data captured from the hosting system (Metadata tagging, [0030], PII, [0050][0052], API [0040]); 
adding, by the processing resource, a first metadata tag and a second metadata tag to the first Pll, the first metadata tag being indicative of security rules to be complied with for the first application and the second metadata tag being indicative of security 
protecting, by the processing resource, the first Pll, the first metadata tag, and the second metadata tag to prevent unauthorized access of the first PIl, the first metadata tag, and the second metadata tag (encrypting, [0049]); and 
transmitting, by the processing resource, in response to a determination to transmit the call home data, the protected first Pll, the protected first metadata tag, and the protected second metadata tag to a data processing center (transmitting protected data, [0043], Fig. 1A).

As per claims 2 and 18, Drost-Hansen teaches wherein the first application is to handle second PIl of a second user and the method further comprises: receiving the second PII from the first application; adding the first metadata tag to the second PIl; and adding a third metadata tag to the second PIl, wherein the third metadata tag is indicative of security rules that are to be complied with for the second user (Source specific tagging, [0042]).

As per claims 3 and 19, Drost-Hansen teaches further comprising: receiving third PIl of a third user from a second application hosted on the hosting system; and adding a fourth metadata tag to the third PIl, the fourth metadata tag being indicative of security 

As per claim 4, Drost-Hansen teaches wherein the first metadata tag comprises information of an authorization level for the first application, a type of first application, a level of sensitivity for the first application, permitted usage for the first application, and an encryption level for the first application (Permitted usage, [0044][0063] Fig. 6, 612).

As per claim 5, Drost-Hansen teaches wherein the second metadata tag comprises information of at least one of location and citizenship of the first user (region, [0001]).

As per claim 6, Drost-Hansen teaches comprising determining a portion of the call home data for which the first metadata tag is to be applied based on a specification by an owner of the first application, wherein the portion of the call home data comprises the first PII (Source specific, [0042]).



As per claim 8, Drost-Hansen teaches comprising protecting the first PIl and the first metadata tag using at least one of digital signature-based protection and encryption (encryption, [0049]).

As per claim 11, Drost-Hansen teaches comprising receiving the security rules to be complied with for the first application from an owner of the first application along with service level agreement (SLA) parameters for the first application (contractual consideration, [0052]).

As per claim 12, Drost-Hansen teaches a system comprising: 
a hosting system comprising: 
a processor; and 
a memory coupled to the processor, the memory storing instructions executable by the processor to: 

perform a first determination of security rules to be complied with for the first application based on at least one of specification by an owner of the first application and a type of first application (Adding metadata, [0050], metadata based on source [0002][0042]); 
perform a second determination of location of the first user, the location being indicative of security rules that are to be complied with for the first user (Adding metadata, [0050], metadata based on source [0002][0042]); 
tag the first Pll based on the first determination and the second determination (Tags specified by owner [0038-0040], region, [0001]); 
encrypt the tag and the first PIl (encrypt, [0049]); and 
in response to a determination to transmit the call home data, transmit the encrypted tag and the encrypted first PIl to a data processing center (transmitting protected data, [0043], Fig. 1A).

As per claim 13, Drost-Hansen teaches wherein the first application is to handle second Pll of a second user and the instructions are executable by the processor 

As per claim 14, Drost-Hansen teaches wherein the instructions are executable by the processor to: 
receive third PII of a third user from a second application hosted on the hosting system; 
perform a fourth determination of security rules to be complied with for the third PIl based on at least one of specification by an owner of the second application and a type of second application; and 
tag the third PII based on the fourth determination (Source specific [0042], API, [0040]). 

As per calim 15, Drost-Hansen teaches wherein the tag comprises information of authorization level for the first application, the type of first application, level of sensitivity for the first application, permitted usage for the first application, an encryption level for the first application, location of the first user and citizenship of the first user (Permitted usage, [0044][0063] Fig. 6, 612).

receive the protected first Pll, protected first metadata tag, and protected second metadata tag; and 
handle the first PII based on the first metadata tag and the second metadata tag to comply with the security rules for the first application and the security rules for the first user (Data governing module, 116, [0044]).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 9 -10 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Drost-Hansen, publication number: US 2017/0308715 in view of Kumar, publication number: US 2017/0344754.

As per claim 9, Drost-Hansen teaches comprising: 

protecting, by the data processing center, the first PII to comply with the security rules for the first application and the security rules for the first user (data governing module 116, [0046])

Drost-Hansen does not teach selecting, by the data processing center, a location in which the first Pll is to be backed up based on the second metadata tag.
In an analogous art, Kumar teaches selecting, by the data processing center, a location in which the first Pll is to be backed up based on the second metadata tag (metadata including geographic limitations, [0065]).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Drost-Hansen’s data governance system to include location specific requirements for the advantage of further controlling access to data as described in Kumar’s data management system. 

As per claim 10, the combination teaches comprising protecting, by the data processing center, the first Pll using at least one of: an access control list (ACL), an encryption level, configuration of expiry date of the first Pll, a sanitization mechanism, and anonymization (Kumar: expiration metadata, [0066]).



receive the encrypted tag and the encrypted first PIl; 
protect the first PII using at least one of: an access control list (ACL), an encryption level, configuration of expiry date of the first Pll, and a sanitization algorithm, based on information in the tag (data governing module 116, [0046]); and 

Drost-Hansen does not teach to determine a geographical boundary within which the first Pll is to be stored based on information in the tag; 
store the first PIl in a storage device within the geographical boundary; and 
delete the first PIl from the storage device in response to completion of the expiry date.

In an analogous art, Kumar teaches determine a geographical boundary within which the first Pll is to be stored based on information in the tag; 
store the first PIl in a storage device within the geographical boundary; and 
delete the first PIl from the storage device in response to completion of the expiry date (metadata including geographical limitation and expiry information, [0055][0065-0066]).
Therefore it would have been obvious to one of ordinary skill in the art prior to the effective filing date of the claimed invention to modify Drost-Hansen’s data governance system to include location specific and expiration requirements for the advantage of further controlling access to data as described in Kumar’s data management system. 


Conclusion





Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLUGBENGA O IDOWU whose telephone number is (571)270-1450. The examiner can normally be reached Monday-Friday 8am - 5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 5712723804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-





/OLUGBENGA O IDOWU/Primary Examiner, Art Unit 2494