DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
	The amendment filed February 14 2022 has been entered. Applicant amended claims 1, 3, 5-10, 16, and 18-20; and Applicant canceled claims 4 and 17. The Applicant’s amendment to the drawing and specification overcomes the drawing objection and the specification objection of November 15 2021. Therefore, the drawing and specification objections of November 15 2021 are withdrawn. The Applicant’s cancellation of claim 17 has rendered the claim objections of claims 17-18 moot. Therefore, the claim objections of November 15 2021 are withdrawn.  The Applicant’s amendment to claims 7-8 overcomes the 35 U.S.C 112(b) rejections; accordingly, the 35 U.S.C 112(b) rejections of claims 7-9 of November 15 2021 are  withdrawn.

Response to Arguments
Applicant’s arguments, see pages 12-13, filed February 14, 2022, with respect to the drawing objections, the specification objections, the claim objections, and the 35 U.S.C 112(b) rejections have been fully considered and are persuasive.  The drawing objection, the specification objection, the claim objections, and the 35 U.S.C 112(b) rejections of November 15, 2021 have been withdrawn.
Applicant's arguments with respect to the U.S.C 103 rejection filed November 15, 2021 have been fully considered but they are not persuasive. 
Neither Luria nor Mousavi, taken alone or in combination, can be seen to disclose each and every element of claim 1, including for example presenting a data privacy survey via a user interface of a data processing system, the data privacy survey identifying a ‘plurality of types of personal identifiable information PII that will be collected by the building management system of one or more of the plurality of end users of the building management system,’ and a plurality of data privacy settings for each of the plurality of types of PII, ‘wherein the plurality of data privacy setting define one or more end user rights that are associated with each of one or more of the plurality of types of PII and are each exercisable by the end user, wherein the one or more end user rights include one or more of a right to be forgotten, a right to data portability, a right to object, and a right to rectification,’ particularly in combination with the other elements of claim 1.” This is not persuasive because Luria in view of Mousavi teaches presenting a data privacy survey via a user interface (Luria: paragraph 68 reveals a dashboard interface for PII data survey elements ) of a data processing system (Luria: Table 1, paragraphs 34-35 disclose the survey connection profile is implemented via a computer), the data privacy survey identifying a ‘plurality of types of personal identifiable information PII  (Luria: Table 1, paragraphs 35-37 teach a survey connection profile that displays collected PII data) that will be collected by the building management system (Mousavi: paragraphs 109-111, 113-115, 118 and Figure 10 teach biometric PII is collected by the building management system) of one or more of the plurality of end users of the building management system,’ (Mousavi: paragraph 73 discloses personal information of the end user, the facility manager, is stored) and a plurality of data privacy settings for each of the plurality of types of PII (Luria: paragraphs 34-35 and Table 1 reveal the settings of “Block”, “Log”, “Modify/Delete”), ‘wherein the plurality of data privacy setting define one or more end user rights that are associated with each of one or more of the plurality of types of PII and are each exercisable by the end user (Luria: in Table 1, the privacy setting for each type of PII, the email address, the name, and the home address has the end user right of “Block”, “Log”, and “Modify/Delete”), wherein the one or more end user rights include one or more of a right to be forgotten, a right to data portability, a right to object, and a right to rectification(Luria: Table 1, Modify/Delete setting is the end user right to be forgotten).
“[i]n the Office Action, and with respect to claim 6, the Examiner cites to the Modify/Delete setting in Table 1 of Luria as discloses the right to be forgotten. However, this is not an end user right, and in particular an end user right that is exercisable by the end user. Instead, the Modify/Delete setting in Table 1 of Luria appears to relate to the functioning of the Security Enforcement Unit…of Luria” This is not persuasive because paragraph 47 of Luria discloses the administrator may configure rules( not the SEU) such as the rules described with reference to Table 1; paragraphs 48-51 and 68 provide an example of the administrator setting rules to block, modify, or delete the PII data elements. In addition, the Applicant does not define the right to be forgotten in the Applicant’s specification. Therefore, the examiner applied to broadest reasonably interpretation in light of the Applicant’s specification, wherein the right to be forgotten can be interpreted as modifying/deleting the  PII information. Paragraph 35 of Luria discloses that a user creates and define the privacy survey/ profile that include one or more rules  related to one or more PII data elements. Paragraph 56 of Applicant’s specification discloses a data privacy configurator that sets one or more constraints. This teaching is analogous to paragraph 31 and paragraph 47 of Luria that mention the SEU reports to the administrator when detecting that sensitive data is accessed by an external system. Paragraph 23 of Luria discloses the SEU is based on user input by configuring the SEU to control the transmission of PII data element; furthermore, paragraph 21 of Luria describes input devices operatively connected to computing device 100 which include the SEU. Paragraph 47 of Luria also  discloses the administrator may configure rules such as the rules described with reference to Table 1, see also paragraph 68. 

On pages 14-15, Applicant alleges “according to Luria…, As can be seen the SEU of Luria appears to monitor and control the traffic between the internal protected system and the external system.  Table 1 of Luria defines a connection profile that helps define the functioning of the SEU 220….Thus, in this example, the SEU appears to intercept the data element send by the protected system and deletes the home address entry … from the data unit before forwarding the data unit to the external system 226. Notably, this does not disclose deleting the home address data element from the protected system 210. Moreover, the SEU appears to perform this function all of the time in order to maintain security. It does not appear to be an end user right that is exercisable by the end user, as recited in claim 1.” This is not persuasive because again paragraph 47 of Luria discloses the administrator may configure rules such as the rules described with reference to Table 1, see also paragraphs 48-51 and 68 which provide example of the administrator setting rules to block, modify, or delete the PII data elements. For example, with an SSN data element, the administrator may configure a rule or policy that include an action such as “block the data element”. An administrator can set a rule that blocks or prevents sending an email address and another rule that modifies or deletes a credit card number.
On pages 15-16, Applicant alleges “It is axiomatic that obviousness requires at least a suggestion of each and every element in a claim…Luria and Mousavi, individually or in combination clearly fail to do so. Nor would there be any motivation or other reason to modify Luria and Mousavi to arrive at the particular method of claim 1. For these and other reasons, claim 1, is believed to be clearly patentable over Luria in view of Mousavi.” This is not persuasive because the examiner disclose Luria in view Mousavi teaches each element in the claims. Furthermore, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, the teaching, suggestion, or motivation for the rejection is found in the knowledge generally available to one or ordinary skill in the art and in paragraphs 1-5 of the Mousavi.
On page 16, Applicant further recites “[f]or similar and other reasons, claims 2-3 and 5-15, which depend from claim 1 and include significant additional distinguishing features, are also believed to be clearly patentable over Luria in view of Mousavi.“ This is not persuasive, applicant should submit an argument pointing out disagreements with the examiner’s contentions. Applicant must also discuss the references applied against the claims, explaining how the claims avoid the references or distinguish from them. In addition, Applicant’s 
On page 16, Applicant further alleges, “…with respect to dependent claim 7, which recites ‘accepting a request from a particular end user of the building management system to exercise one or more of their end user rights associated with one or more types of PII, resulting in one or more exercised end user rights and in response, the building management system automatically exercising the one or more exercised end user right associated with the one or more types of PII. The Examiner cites to [0118], [0120] and [0126] of Mousavi with reference to claim 7. However, these passages of Mousavi cannot be seen to disclose what is not recited in claim 7. For these additional reasons claim 7 is believed to be clearly patentable over Luria and Mousavi.” This is not persuasive for paragraph 118 of Mousavi teaches that the facility manager is allowed to update the list of registered and or associated users. The facility manager is allowed to update the access rights for each of the users via the interface via a portable electronic device, which is the exercising the right to access control. Paragraph 126 of Mousavi reveals the facility management portal/application is operated on a user device to receive user credentials and these users’ credentials are biometric PII. The facility management portal/application is configured to received inputs from the facility manager pertaining to the spaces assigned to the authenticated user. Paragraph 126 of Mousavi further details that when a user tries to access the building equipment at a space, the user is prompted to provide biometric authentication information. When the user accepts the request of exercising their user rights, the user provides their biometric PII through the biometric identification device at the building equipment, which is sent to the server system for verification.
On page 16, Applicant further alleges, “with respect to dependent claim 10, which recites, wherein the plurality of data privacy settings for each of one or more plurality of types of PII comprises one or more  of: a legal requirement setting relating to whether the corresponding type of PII must be retained for legal reasons; and a location setting relating to the geographic location that the corresponding type of PII was collected. With respect to claim 10, the examiner cited to Table 1 of Luria….As such, the recited parts of Luria cannot be seen to disclose what is now recited in claim 10. For these additional reasons, claims 10 is believed to be clearly patentable over Luria and Mousavi.” Paragraph 46 of Luria discloses the 
On pages 16-17, Applicant states “turning now to claim 16, which recites….For similar reasons to those detailed above with respect to claim 1, claim 16 is also believed to be clearly patentable over Luria and Mousavi. For similar and other reasons, claim 18 which depends from claim 16 and includes significant additional distinguishing features, is also believed to be clearly patentable over Luria in view of Mousavi.” This is not persuasive, applicant should submit an argument pointing out disagreements with the examiner’s contentions. Applicant must also discuss the references applied against the claims, explaining how the claims avoid the references or distinguish from them. In addition, Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.
On pages 17-18, Applicant alleges “[t]urning now to claim 19, which recites….The cited referenced cannot be seen to disclose each and every element of claim 19 including for example, receiving ‘a particular configuration of a building management system, the particular configuration identifying a plurality of components that are to be included in the building management system’, ‘ automatically identify a plurality of types of personal identifiable information PII that will be collected by the building management system for one or more of a plurality of end users of the building management system based at least in part on the receive particular configuration of the building management system,’ present a data privacy survey identifying ‘the plurality of types of PII that will be collected by the building management system for one or more of the plurality of end users of the building management system having the particular configuration of the building management system’ and ‘ a plurality of data privacy settings for each of the plurality of types of PII’, particular in combination with the other elements of claim 19.” This is not persuasive, receiving ‘a particular configuration of a building management system is taught by paragraphs 120 and 126 of Mousavi, which teaches the processing circuit is enabled to receive and grant ; the particular configuration identifying a plurality of components that are to be included in the building management system’ is taught by paragraph 121 of Mousavi, which teaches the system comprises one or more portable electronic devices (wherein the plurality of components is the one or more portable electronic devices) associated with a registered user and is enabled to facilitate the user to provide input pertaining to the selection of one or more building equipment to be accessed; ‘ automatically identify a plurality of types of personal identifiable information PII that will be collected by the building management system for one or more of a plurality of end users of the building management system based at least in part on the receive particular configuration of the building management system is taught by paragraph 122 of Mousavi which teaches the portable electronic device is enable to scan at least one biometric parameter PII of the user, and generate scanned biometric information, the one or more biometric information is stored in a repository. This repository is further configured to store a list of registered users and one or more biometric information associated one or more building equipment, and access rights for the building equipment corresponding to each of the users; ,’ present a data privacy survey identifying ‘the plurality of types of PII that will be collected  is taught by paragraph 68 of Luria which reveals a dashboard survey interface for PII data elements for administrator users; by the building management system for one or more of the plurality of end users of the building management system is taught by paragraphs 106, 109-111, 113-115, 118-122, and 126 of Mousavi, wherein paragraph 126 of Mousavi teaches a facility management portal/application/survey used by the building management system for a user of the building management system; having the particular configuration of the building management system’ is taught by paragraphs 122 and 126 of Mousavi which disclose the access rights for one or more building equipment based on the biometric PII of the user; and ‘ a plurality of data privacy settings for each of the plurality of types of PII’  
On page 18, Applicant alleges “[i]t is axiomatic that obviousness require at least a suggestion of each and every element in a claim….Luria and Mousavi, individually or in combination, clearly fail to do so. Nor would there by any motivation or other reason to modify Luria and Mousavi to arrive at the particular non-transitory computer readable medium recited in claim 19. For these and other reasons, claim 19 is believed to be clearly patentable over Luria in view of Mousavi.” This is not persuasive because the examiner disclose Luria in view Mousavi teaches each element in the claims. Furthermore, the examiner recognizes that obviousness may be established by combining or modifying the teachings of the prior art to produce the claimed invention where there is some teaching, suggestion, or motivation to do so found either in the references themselves or in the knowledge generally available to one of ordinary skill in the art.  See In re Fine, 837 F.2d 1071, 5 USPQ2d 1596 (Fed. Cir. 1988), In re Jones, 958 F.2d 347, 21 USPQ2d 1941 (Fed. Cir. 1992), and KSR International Co. v. Teleflex, Inc., 550 U.S. 398, 82 USPQ2d 1385 (2007).  In this case, the teaching, suggestion, or motivation for the rejection is found in the knowledge generally available to one or ordinary skill in the art and in paragraphs 1-5 of the Mousavi. 
Finally, on pages 18-19, Applicant alleges “[f]or similar and other reasons, claim 20, which depends from claim 19 and include significant additional distinguishing features, is also believed to be clearly patentable over Luria in view of Mousavi. Reconsideration is respectfully requested.” This is not persuasive, applicant should submit an argument pointing out disagreements with the examiner’s contentions. Applicant must also discuss the references applied against the claims, explaining how the claims avoid the references or distinguish from them. In addition, Applicant’s arguments fail to comply with 37 CFR 1.111(b) because they amount to general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-14, 16. 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over Luria US 20170193249( hereinafter Luria) in view of Mousavi et al US 2020/0342080 (hereinafter Mousavi).

As to claim 1, Luria teaches the method comprising: presenting a data privacy survey via a user interface (paragraph 68 reveals a dashboard survey interface for PII data elements) of a data processing system (Table 1, paragraphs 34-35, wherein table 1 shows the survey connection profile implemented via a computer), the data privacy survey identifying: a plurality of types of personal identifiable information (PII) that will be collected (Table 1, paragraphs 35-37 teach a connection profile that displays the collected PII data) for one or more of the plurality of end users (paragraphs 46-47 disclose the one end user is the administrator); and a plurality of data privacy settings for each of the plurality of types of PII (Table 1, paragraphs 34-35, wherein the table shows the settings “Block” “Log”, Modify/Delete” etc.,) wherein the plurality of data privacy settings define one or more end user rights that are associated with each of one or more of the plurality of types of PII and are each exercisable by the end user(Table 1, wherein the table shows the settings “Block” “Log”, Modify/Delete” etc.; paragraphs 34-39 disclose the privacy setting for each type of PII being the email address, the name, and the home address has User ID and Access ID settings which are inputs from a user), wherein the one or more end user rights include one or more of a right to be forgotten, a right to data portability, a right to object, and a right to rectification(Table 1, Modify/Delete setting is the one end user right to be forgotten); receiving a setting change to at least one of the plurality of data privacy settings for at least one of the plurality of types of PII (table 1, paragraphs 35-37, 68 wherein the table 1 shows the settings change in the grid of “YES” or “NO” to the settings of “Block” “Log”, Modify/Delete” etc.,); setting one or more constraints for each of the plurality of types of PII (table 1, paragraph 35 wherein the constraint is set by executing the setting change thereby blocking name for example as indicated in table 1) , the one or more constraints for each of the plurality of types of PII based at least in part on one or more of the corresponding plurality of data privacy settings (table 1, paragraph 35 disclose the constraint is based on the settings of an email being blocked or deleted).
Luria fails to teach a method for managing data privacy of personal identifiable information in a building management system, the method comprising: a plurality of types of personal identifiable information (PII) that will be collected by the building management system for one or more of the plurality of end users of the building management system; setting one or more constraints in the building management system and operating the building management system in accordance with the set constraints.
Mousavi teaches a method (Figures 9 and 10) for managing data privacy of personal identifiable information in a building management system (paragraphs 106, 109-111, 113-115, 118 teach managing access rights for biometric PIIs of a facility system), a plurality of types of personal identifiable information (PII) that will be collected by the building management system for one or more of the plurality of end users of the building management system (paragraphs 109-111,113-115, 118; Figure 10, reference number 1002 and 1004 teach biometric PII is collected by the user of the building management system); setting one or more constraints in the building management system for each of the plurality of types of PII (paragraphs 109-111, 113, 118 and 126,  Figure 10 reference number 1006 and 1008 teach the facility manager sets access right constraints to the biometric data of the users), and operating the building management system in accordance with the set constraints (paragraphs 109-111, 113,118 and 126, Figure 10 reference number 1010 disclose the facility management portal is operated based on the access constraints).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply Luria’s known technique of data management and privacy specifics to Mousavi’s known building management system  for improvement to yield the predictable results of such an application, namely to protect the privacy of individuals interacting with Mousavi’s building management system for the obvious benefit of shielding said individuals from data breaches and privacy incursions.

	As to claim 2, the combination of Luria in view of Mousavi teaches wherein the one or more constraints comprise one or more of use constraints, access constraints and retention constraints (Luria: Table 1 reveals access ID and user ID constraint setting) .

As to claim 3, the combination of Luria in view of Mousavi teaches wherein the one or more constraints comprise one or geographic constraints on where at least some of the plurality of types of PII can be geographically processed and/or stored (Luria: paragraph 31 reveals that the PII can be stored).

As to claim 5, the combination of Luria in view of Mousavi teaches informing one or more of the plurality of end users of the building management system of their user rights for each of one or  ( Mousavi: paragraph 118, 120, 126 teach the user being the facility manager has access to the user right settings/access to different spaces of the facility based on the biometric PII).

As to claim 6, the combination of Luria teaches in view of Mousavi wherein the one or more user rights include a right to access control (Luria: paragraph 68 discloses the administrator has the right to access control by setting an action of Allow, Block, or set any of the options described in reference to table 1).

As to claim 7, the combination of Luria in view of Mousavi teaches accepting a request from a particular user of the building management system to exercise one or more of their end user rights associated with one or more types of PII resulting in one or more exercised end user rights (Mousavi: paragraph 118, 120, 126 teach the facility manager accepts a request by updating the access rights of the biometric PII; paragraph 118 of Mousavi also teaches that the facility manager is allowed to update the list of registered and or associated users. The facility manager is allowed to update the access rights for each of the users via the interface via a portable electronic device. Paragraph 126 of Mousavi reveals the facility management portal/application is operated on a user device to receive user credentials and these users’ credentials are biometric PII. The facility management portal/application is configured to received inputs from the facility manager pertaining to the spaces assigned to the authenticated user. Paragraph 126 of Mousavi further details that when a user tries to access the building equipment at a space, the user is prompted to provide biometric authentication information. When the user accepts the request of exercising their user rights, the user provides their biometric PII through the biometric identification device at the building equipment, which is sent to the server system for verification); and in response, the building management system automatically  (Mousavi: paragraph 118, 120, 126 disclose the biometric PII is compared with the stored authentication information and if there is a match the user automatically is provided access to the building equipment).

As to claim 8, the combination of Luria in view of Mousavi teaches wherein the one or more exercised end user right includes the right to be forgotten (Luria: Table 1 shows the “Delete” right which is the right to be forgotten), and in response, the building management system automatically deletes the corresponding end user’s data associated with the one or more types of PII (Mousavi: paragraph 76 discloses the server system may be configured to delete biometric information of the user from the information repository).

As to claim 9, the combination of Luria in view of Mousavi also teaches further comprising logging all requests to exercise one or more of the user rights associated with a type of PII and the corresponding responses to the requests (Luria: Table 1 shows the log option for the PII, paragraph 38).

As to claim 10, the combination of Luria in view of Mousavi teaches wherein the plurality of data privacy settings for each of  one or more of the plurality of types of PII comprise one or more of: a legal requirement setting relating to whether the corresponding type of PII must be retained for legal reasons; and  a location setting relating to the location that the corresponding type of PII was collected (Paragraph 46 of Luria discloses an administrator may access sensitive information PII data elements that may be displayed in the web browser and the data element includes location, via home address of a user, see also paragraphs 47-48, 56, and 68. Paragraph 56 discloses the SEU may also store, create, modify, or update any rules  described in the connection profile, which include location of the PII data element).
 
As to claim 11, the combination of Luria in view of Mousavi teaches  wherein the plurality of types of PII comprise one or more of: user's name; user's phone number; user's gender; user's nationality; user's Visa number; user's Passport number; user's driver's license number; user's biometric data; user's photograph; user's badge number; user's government identification number; user's license plate number; and user's location(Luria: table 1 reveal the name PII).

As to claim 12, the combination of Luria in view of Mousavi teaches further comprising generating a privacy impact assessment report that documents the plurality of data privacy settings for each of the plurality of types of PII (Luria: paragraph 38 discloses a report in the form of a log or record that documents the data element and their settings).

As to claim 13, the combination of Luria in view of Mousavi teaches generating a privacy impact assessment report that documents the one or more constraints (Luria: table 1, paragraphs 31 and 38 disclose a report in the form of a log or record that documents the data element and their constraint such as when the PII is being accessed by an external system).

As to claim 14, the combination of Luria in view of Mousavi teaches sending an alert when a change is made to the operation of the building management system that is not in compliance with the plurality of data privacy settings for each of the plurality of types of PII (Luria: Table 1 and paragraph 37 indicate that the PII name is block; paragraph 37 further mentions that an alert is generated if an attempt to send a name from the protected system to an external system over connection is detected).

As to claim 16, Luria teaches  a memory for storing (paragraph 32): a plurality of types of personal identifiable information (PII) (paragraph 38 teaches a connection profile that displays the collected PII data); and a plurality of data privacy settings for each of the plurality of types of PII (Table 1, paragraphs 34-38, wherein the table shows the settings “Block” “Log”, Modify/Delete” etc.,); a user interface (paragraph 68 reveals a dashboard interface of PII data elements); a processor operatively coupled to the memory and the user interface (paragraphs 68-69 reveal a dashboard survey interface for PII data elements), the processor configured to: present a data privacy survey (paragraph 38 reveal a dashboard survey interface for PII data elements); the data privacy survey identifying: the plurality of types of personal identifiable information (PII) (paragraph 35-38); and the plurality of data privacy settings for each of the plurality of types of PII(Table 1, paragraphs 34-35, wherein the table shows the settings “Block” “Log”, Modify/Delete” etc.,), wherein the plurality of data privacy settings define one or more end user rights that are associated with each of one or more of the plurality of types of PII and are each exercisable by the end user(Table 1, wherein the table shows the settings “Block” “Log”, Modify/Delete” etc.; paragraphs 34-39 disclose the privacy setting for each type of PII being the email address, the name, and the home address has User ID and Access ID settings ), wherein the one or more end user rights include one or more of a right to be forgotten, a right to data portability, a right to object and a right to rectification(Luria: Table 1, Modify/Delete setting is the one end user right to be forgotten); receive a setting change to at least one of the plurality of data privacy settings for at least one of the plurality of types of PII(table 1, paragraphs 35-37, 68 wherein the table 1 shows the settings change in the grid of “YES” or “NO” to the settings of “Block” “Log”, Modify/Delete” etc.,); set one or more constraints for each of the plurality of types of PII (paragraphs 37-38), the one or more constraints (paragraphs 35-38 disclose the constraint is based on the settings of an email being blocked or deleted).
Luria fails to teach a building management system comprising: a memory for storing: a plurality of types of personal identifiable information (PII) that will be collected by the building management system for each of at least some of a plurality of end users of the building management system; the data privacy survey identifying: the plurality of types of personal identifiable information (PII) that will be collected by the building management system; and operating the building management system in accordance with the set constraints.
Mousavi teaches a building management system (abstract; Figure 7b), comprising: a memory (Figure 7b reference numbers 704 and 740 reveals a memory and repository) for storing: a plurality of types of personal identifiable information (PII) that will be collected by the building management system for each of at least some of a plurality of end users of the building management system (paragraphs 80 and 110, wherein paragraph 110 discloses the repository store biometric PII for all users); a user interface (Figure 7b reference number 738 reveals biometric identification unit); a processor (Figure 7b reference number 702 reveals a processor) operatively coupled to the memory (Figure 7b, reference number 704) and the user interface (Figure 7b, reference number 738), the data privacy survey identifying: the plurality of types of personal identifiable information (PII) that will be collected by the building management system (paragraph 110 disclose the PII information is identified: the PII taken by the user device from the user is compared to the PII stored in the repository, which determines the level of access for the user); and operating the building management system in accordance with the set constraints (paragraphs 106-107 and 110 disclose the level of access for the user is determine based on the biometric PII).
Luria’s known technique of data management and privacy specifics to Mousavi’s known building management system  for improvement to yield the predictable results of such an application, namely to protect the privacy of individuals interacting with Mousavi’s building management system for the obvious benefit of shielding said individuals from data breaches and privacy incursions.

As to claim 18, the combination of Luria in view of Mousavi teaches wherein the one or more user rights include one or more of: 27 of 32 a right to access control (Luria: paragraph 68 discloses the administrator has the right to access control to set an action of Allow, Block, or set any of the options described in reference to table 1).

As to claim 19, Luria teaches a non-transitory computer readable medium storing instructions thereon (paragraph 32)  that when executed cause a processor to: present a data privacy survey identifying: a plurality of types of personal identifiable information (PII)  (paragraphs 35-37 teach a connection profile that displays the collected PII data) and a plurality of data privacy settings for each of the plurality of types of PII (Table 1, paragraphs 34-35, wherein the table shows the settings “Block” “Log”, Modify/Delete” etc.,); receive a setting change to at least one of the plurality of data privacy settings for at least one of the plurality of types of PII (table 1, paragraphs 35-37, 68 wherein the table 1 shows the settings change in the grid of “YES” or “NO” to the settings of “Block” “Log”, Modify/Delete” etc.,); set one or more constraints for each of the plurality of types of PII, the one or more constraints for each of the plurality of types of PII based at least in part on the corresponding plurality of data privacy settings (Table 1, paragraphs 35-37 disclose the constraint is based on the settings of an email being blocked or deleted). 
Luria fails to teach receive a particular configuration of a building management system, the particular configuration identifying a plurality of components that are to be included in the building management system; automatically identify a plurality of types of personal identifiable information PII that will be collected by the building management system for one or more of a plurality of end users of the building management system based at least in part on the receive particular configuration of the building management system; a plurality of types of personal identifiable information (PII) that will be collected by the building management system for one or more of the plurality of end users of the building management system having the particular confirmation of the building management system; and operating a building management system in accordance with the set constraints.
Mousavi teaches receive a particular configuration of a building management system (paragraph 120 of Mousavi teaches the processing circuit enabled to grant access rights based on the determined access level), the particular configuration identifying a plurality of components that are to be included in the building management system (paragraph 121 of Mousavi teaches the system comprises one or more portable electronic devices associated with a registered user and is enabled to facilitate the user to provide input pertaining to the selection of one or more building equipment to be accessed); automatically identify a plurality of types of personal identifiable information PII that will be collected by the building management system for one or more of a plurality of end users of the building management system based at least in part on the receive particular configuration of the building management system (paragraph 122 of Mousavi teaches the portable electronic device is enable to scan at least one biometric parameter of the user, and generate scanned biometric information, the one or more biometric information is stored in a repository. This repository is further configured to store a list of registered users and one or more biometric information associated one or more building equipment, and access rights for the building equipment corresponding to each of the users); a plurality of types of personal identifiable information (PII) that will be collected by the building (paragraphs 109-111,113-115, 118 and 126; Figure 10, reference number 1002 and 1004 teach biometric PII is collected by the user of the building management system); and operating a building management system in accordance with the set constraints (paragraphs 109-111, 113, 118 and 126 disclose the facility manager operates the building management system by updating the list of registered and or associated users and their access rights).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Luria’s known technique of data management and privacy specifics to Mousavi’s known building management system  for improvement to yield the predictable results of such an application, namely to protect the privacy of individuals interacting with Mousavi’s building management system for the obvious benefit of shielding said individuals from data breaches and privacy incursions.

As to claim 20, the combination Luria in view of Mousavi teaches wherein the one or more user rights include one or more of: 27 of 32a right to be forgotten; a right to data portability; a right to object; a right to rectification(Luria: Table 1, Modify/Delete setting is right to be forgotten).

Claim 15 is rejected under 35 U.S.C. 103 as being unpatentable over Luria US 20170193249 (hereinafter Luria) in view of Mousavi et al US 2020/0342080 (hereinafter Mousavi) in further view of Vidhani et al US 20160132696 (hereinafter Vidhani).
As to claim 15, the combination of Luria in view of Mousavi teaches all the limitations of claim 1 above. The combination of Luria in view of Mousavi do not teach wherein the data privacy survey is presented via a sequence of two or more screens via the user interface.
Vidhani teaches wherein the data privacy survey is presented via a sequence of two or more screens via the user interface (Figures 6A, 7A, & 7B shows the two or more screen sequence that has the privacy data).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claim invention to modify Luria’s data privacy specifics in view of Mousavi’s building management system with Vidhani’s display preferences to facilitate managing data privacy (paragraph 7).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to FELICIA FARROW whose telephone number is (571)272-1856. The examiner can normally be reached M - F 7:30--5:30pm (EST).

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571)272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/F.F/               Examiner, Art Unit 2437        

/KRISTINE L KINCAID/               Supervisory Patent Examiner, Art Unit 2437