Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

This action is in response to a request for continued examination filed 1/31/22.
Claims 1, 6-12 and 16-20, and 23 are pending.

Response to Arguments
Applicant's arguments have been fully considered but they are not persuasive. 

Applicant notes that the symmetric key described in Awaraji is used to encrypt communications sent between a trusted information broker and a service provider. See Col. 8, lines 41 - 44 of Awaraji. As noted in the Office Action, the symmetric key is encrypted with the trusted information broker's public key. However, neither the symmetric key nor the trusted information broker's public key is "associated with a consent capture mechanism used in capturing the consent from the data subject" such as the unique consent receipt key recited in Claim 1. Therefore, Applicant respectfully submits Column 8, lines 41 - 44 of Awaraji fail to teach or suggest the unique consent receipt key recited in Claim 1.
(pg. 8, 1st full par.)

The examiner respectfully disagrees. Awaraji discloses that the transaction records also include “a record of the form used” (see col. 8, lines 50-52). Accordingly, the transaction record as a whole and any unique keys are associated with the consent capture mechanism.

As noted above, the symmetric key described in Awaraji is used to encrypt communications between a trusted information broker and a service provider. As noted in the Office Action, the symmetric key is also encrypted with the patient's public key. However, neither the symmetric key nor the patient's public key is received from a data subject (whose personal data is being processed). To further demonstrate this distinction, Claim 1 recites that the unique subject identifier originates from the data subject. Claims 10 and 17 have been amended to also recite the unique subject identifier originates from the data subject. Therefore, Applicant respectfully submits Column 8, lines 41 - 64 of Awaraji also fail to teach or suggest the unique subject identifier recited in Claim 1.
(pg. 8, last full par.)

The examiner respectfully disagrees. Awaraji discloses transaction records including an identification of the data subject (see col. 4, lines 20-23 “an identification of a client”). Further, the claim only indicates the identifier “originates” from the data subject but does not explicitly recite a means for the origination. The applicant’s par. [00239] discloses the identifier can be, e.g., “a hashed user ID, a unique user ID provided by the data subject, unique ID based on a piece of personal data such as an e-mail address, etc.”. Accordingly, the claim is not understood to be specifically limited to a user selected id. But even so, it is noted that Awaraji discloses a user login (see e.g. col. 11, lines 30-34) which would appear to at least make obvious a user supplied identifier (i.e. users are generally allowed to choose a user id in such situations). 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the 

Claims 1, 6-12, 16-20 and 23 are rejected under 35 U.S.C. 103 as being unpatentable over US 8,589,183 to Awaraji et al. (Awaraji) in view of US 8,677,472 to Dotan et al. (Dotan).

Claim 1: Awaraji discloses a method comprising: 
receiving, by computing hardware, an indication of consent to process personal data associated with a data subject (col. 7, lines 17-23 “the client consents to the service provider performing the service”); 
receiving, by the computing hardware, a unique subject identifier originating from the data subject (col. 4, lines 20-23 “at least one of the records including an identification of a client … about whom said record concerns”);
generating, by the computing hardware and based on the indication of the consent, a unique consent receipt key, wherein the unique consent receipt key is associated with a consent capture mechanism used in capturing the consent from the data subject (col. 8, lines 50-52 “The transaction record also preferably includes … a record of the form used by the service provider in entering the encrypted data”);
accessing a consent capture mechanism, wherein the consent capture mechanism is used in capturing the consent form the data subject (col. 7, lines 17-23 “the client consents to the service provider performing the service”, note that receipt of this consent must have been captured by some “mechanism”);

generating, by computing hardware, a digital consent receipt (col. 8, lines 41-44 “a symmetric key is generated”); and 
providing the digital consent receipt to the first entity (col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”, Fig. 2, Service Provider #1, Service Provider #2, col. 8, lines 44-45 “this symmetric key is transmitted … as part of the authorization”).

Awaraji does not disclose the method further comprising: 
accessing a webpage hosting a consent capture mechanism; 
wherein the consent capture mechanism data indicates at least one of a selection or a text entry made by the data subject via the consent capture mechanism to provide the consent; and
modifying, by the computing hardware, the digital consent receipt to include metadata related to the consent capture mechanism data.

Dotan teaches; and
accessing a webpage hosting a capture mechanism (col. 7, lines 19-28 “capture rendered web pages … produced by the virtual web browser 82”);


It would have been obvious at the time of filing to identify and capture data from the consent capture mechanism (Dotan col. 7, lines 19-28 “capture rendered web pages”, Awaraji col. 8, lines 41-65 “stored in a transaction record”) including an indication of a selection or text entry (Dotan col. 7, lines 32-39 “clicked at … a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”) and to modify the consent receipt with the data (Awaraji col. 8, lines 41-65 “stored in a transaction record”). Those of ordinary skill in the art would have been motivated to do so as a known means of collecting user input which would have produced only the expected results and would have allowed for additional documentation of the consent (see e.g. Awaraji col. 8, lines 13-15 “audit trail”).

Claim 6: Awaraji and Dotan teach the method of Claim 1, wherein the consent comprises consent for a vendor utilized by the first entity to process the personal data (Fig. 2, Service Provider #1, Service Provider #2).

Claim 7: Awaraji and Dotan teach the method of Claim 6, the method further comprising providing the digital consent receipt to the vendor (Fig. 2, Service Provider #1, Service Provider #2).

Claim 8: Awaraji and Dotan teach the method of Claim 1, the method further comprising: 
receiving, from a second entity, a request to process the personal data associated with the data subject (col. 6, lines 36-40 “receives the service request”); 
determining, based on the digital consent receipt, whether the data subject has consented to the second entity processing the data (col. 6, lines 36-40 “if the service provider is not preauthorized”); 
in response to determining that the data subject has not consented to the second entity processing the personal data, having, by the computing hardware, the data subject prompted to provide consent for the second entity to process the personal data (col. 6, lines 36-40 “sends a request to the client to permit the service provider to access the information”); 
receiving, by the computing hardware, the consent from the data subject for the second entity to process the one or more pieces of personal data associated with the data subject by the third entity (col. 6, lines 45-47 “the client can … approve the entire request”); and 
in response to receiving consent for the second entity to process the personal data associated with the data subject, modifying, by the computing hardware, the digital consent receipt based on the consent for the second entity to process personal data associated with the data subject (col. 9, lines 6-14 “store a reference to … the public keys for any service providers permitted to access the transaction data”).

Claim 9: Awaraji and Dotan teach the method of Claim 8, the method further comprising providing the digital consent receipt to the second entity (col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”).

Claim 10: Awaraji disclose a method comprising: 
providing, by computing hardware, a consent capture mechanism for initiating a transaction between an entity and a data subject, the transaction involving the collection or processing of personal data associated with the data subject by the entity (col. 7, lines 17-18 "a client requests service from service provider 3 as part of Step 31", e.g. col. 10, lines 40-46 "smart forms"); 
receiving, by the computer hardware, a request to initiate the transaction between the entity and the data subject via the consent capture mechanism (col. 7, lines 17-18 "a client requests service from service provider 3 as part of Step 31");
in response to receiving the request, generating, by the computing hardware, a unique consent receipt key (col. 8, lines 41-64 "the symmetric key ... encrypted with the trusted information broker's public key"), wherein the unique consent receipt key is associated with the consent capture mechanism (col. 8, lines 50-52 “The transaction record also preferably includes … a record of the form used by the service provider in entering the encrypted data”); 
receiving, by the computing hardware and originating from the data subject, a unique subject identifier (col. 8, lines 41-64 "the symmetric key ... encrypted with the patient's public 
electronically storing, by the computing hardware, in computer memory, the unique subject identifier, the unique consent receipt key, and a unique transaction identifier associated with the transaction (col. 8, lines 41-64 "stored in a transaction record … a transaction ID … the symmetric key … encrypted with the patient’s public key … the symmetric key … encrypted with the service provider’s public key”); 
electronically associating, by the computing hardware, the unique subject identifier, the unique consent receipt key, and the unique transaction identifier (col. 8, lines 41-64 "stored in a transaction record”);
in response to receiving the request to initiate the transaction between the entity and the data subject (col. 7, lines 17-18 “a client requests service from service provider 3”): 
capturing the consent capture mechanism by capturing consent capture mechanism data associated with the consent capture mechanism (col. 7, lines 17-23 “the client consents to the service provider performing the service”). 

Awaraji does not teach in response to receiving the request to initiate the transaction between the entity and the data subject:
accessing a webpage hosting the consent capture mechanism;
scanning the webpage to identify the consent capture mechanism; and

electronically associating, by the computer hardware, the unique subject identifier, the unique consent receipt key, the unique transaction identifier, and metadata associated with the consent capture mechanism.

Dotan teaches in response to receiving a user interaction:

accessing a webpage hosting the user input capture mechanism (col. 7, lines 19-28 “capture rendered web pages … produced by the virtual web browser 82”);
scanning the webpage to identify the user input mechanism (col. 7, lines 19-28 “capture rendered web pages … produced by the virtual web browser 82”);
capturing capture mechanism data that indicates at least one of a selection or a text entry made by the data subject via the capture mechanism (col. 7, lines 32-39 “the cursor data might indicate the user 46 clicked at … a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”).

It would have been obvious at the time of filing to identify and capture data from the user interface (Dotan col. 7, lines 19-28 “capture rendered web pages”, Awaraji col. 8, lines 41-65 “stored in a transaction record”) including an indication of a selection or text entry (Dotan col. 7, lines 32-39 “clicked at … a radio button associated with a particular account”, col. 7, lines 55-

Claim 11: Awaraji and Dotan teach the method of Claim 10, the method further comprising: 
identifying, based at least in part on a privacy policy associated with the transaction at a time of the transaction, at least one third party entity entitled to process the personal data associated with the data subject under the transaction (Awaraji col. 6, lines 55-59 “the service provider is advised of the results of the information request … and is given access to any information to which the service provider has been granted access”); and 
in response to identifying the at least one third party entity, transmitting a copy of the unique consent receipt key to the at least one third party entity (Awaraji col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”, col. 8, lines 44-45 “this symmetric key is transmitted … as part of the authorization”).

Claim 12: Awaraji, and Dotan teach the method of Claim 11, the method further comprising: 
analyzing the privacy policy to determine a type of personal data that the at least one third party entity is entitled to process under the transaction (Awaraji col. 6, lines 45-53 “selectively grant and deny portions of the request”); and 


Claim 16: Awaraji, and Dotan teach the method of Claim 10, the method further comprising providing the consent receipt key to a plurality of third parties to the transaction (Awaraji col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”, Awaraji col. 8, lines 44-45 “this symmetric key is transmitted … as part of the authorization”).

Claim 17: Awaraji disclose a method comprising: 
providing a user interface for initiating a transaction between an entity and a data subject (col. 7, lines 17-18 "a client requests service from service provider 3 as part of Step 31", e.g. col. 10, lines 40-46 "smart forms"); 
receiving a request to initiate the transaction between the entity and the data subject (col. 7, lines 17-18 "a client requests service from service provider 3 as part of Step 31"); 
in response to the request:
generating, by a third party consent receipt management system, a unique consent receipt key (col. 8, lines 41-64 "the symmetric key ... encrypted with the trusted information broker's public key"), wherein the unique consent receipt key is associated with the user interface (col. 8, lines 50-52 “The transaction record also preferably 
capturing user interface data for the user interface (col. 7, lines 17-18 "a client requests service from service provider 3 as part of Step 31"); 
receiving, originating from the data subject, a unique subject identifier (col. 8, lines 41-64 "the symmetric key ... encrypted with the patient's public key", col. 4, lines 20-23 “at least one of the records including an identification of a client … about whom said record concerns”); 
electronically storing the unique subject identifier, the unique consent receipt key, and a unique transaction identifier associated with the transaction in computer memory (col. 8, lines 41-64 "stored in a transaction record … a transaction ID … the symmetric key … encrypted with the patient’s public key … the symmetric key … encrypted with the service provider’s public key”);
electronically associating the unique subject identifier, the unique consent receipt key, and the unique transaction identifier (col. 8, lines 41-64 "stored in a transaction record”); and 
transmitting a consent receipt to the data subject, the consent receipt comprising at least the unique subject identifier and the unique consent receipt key (col. 7, lines 27-29 "The trusted information broker consolidates this information and presents it to the client as part of Step 35").

Awaraji does not disclose 
accessing a webpage hosting the user interface; 

modifying the unique consent receipt key to include the underlying computer code.

Dotan teaches 
accessing a webpage hosting a user input capture mechanism (col. 7, lines 19-28 “capture rendered web pages … produced by the virtual web browser 82”); 
capturing user interface data for the user interface, wherein the user interface data indicates at least one of a selection or a text entry made by the data subject via the user interface to provide the consent (col. 7, lines 32-39 “the cursor data might indicate the user 46 clicked at … a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”).

It would have been obvious at the time of filing to identify and capture data from the user interface (Dotan col. 7, lines 19-28 “capture rendered web pages”, Awaraji col. 8, lines 41-65 “stored in a transaction record”) including at least a selection or text entry (Dotan col. 7, lines 32-39 “a radio button associated with a particular account”, col. 7, lines 55-59 “the user 46 may enter text”) and to modify the consent receipt with the data (Awaraji col. 8, lines 41-65 “stored in a transaction record”). Those of ordinary skill in the art would have been motivated to do so as a known means of collecting user input which would have produced only the expected 

Claim 18: Awaraji and Dotan teach the method of Claim 17, the method further comprising: 
identifying at least one second entity associated with the transaction (e.g. col. 9, lines 6-14 “store a reference to … any service providers permitted to access the transaction data”, Fig. 2, Service Provider #2); and 
transmitting the consent receipt to the at least one second entity (col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”, col. 8, lines 44-45 “this symmetric key is transmitted … as part of the authorization”).

Claim 19: Awaraji and Dotan teach the method of Claim 17, the method further comprising: 
analyzing the transaction to identify a vendor utilized by the entity as part of the transaction (col. 6, lines 36-40 “the service provider”); and 
transmitting the consent receipt to the vendor (col. 6, lines 55-59 “the service provider is … given access to any information to which the service provider has been granted access”).

Claim 20: Awaraji and Dotan teach the method of Claim 18, wherein the request to initiate the transaction includes consent to the use of the vendor by the entity as part of the transaction (col. 6, lines 36-40 “the service provider”).

Claim 23: Awaraji and Dotan teach the method of Claim 10, wherein the consent receipt capture server is different computing hardware than computing hardware being used by the data subject to access the webpage (see e.g. Awaraji fig. 1, “Client (Patient)”, “Trusted Information Broker”).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JASON D MITCHELL whose telephone number is (571)272-3728. The examiner can normally be reached Monday through Thursday 7:00am - 4:30pm and alternate Fridays 7:00am 3:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lewis Bullock can be reached on (571)272-3759. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for 





/JASON D MITCHELL/Primary Examiner, Art Unit 2199