Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of claims
This office action is in response to claims filed on 04/22/2020.
Claims 1-20 are pending and rejected; claims 1, 10 and 16 are independent claims.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 04/22/2020 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Fleming et al. US Pub. No.: 2021/0256163 A1 (hereinafter Fleming), in view of Daftary US Pub. No.: 2021/0042428 A1 (hereinafter Daftary).

Fleming teaches:
As to claim 1, a data management computing system for tracking data protection compliance of a plurality of entities using personally identifying information (“PII”) (see Fleming ¶114, data consent manager also records and stores a log of the current data subjects and data types that the data controllers are currently holding (i.e. PII)), the data management computing system comprising a data management (“DM”) server in communication with a user computing device associated with a user and a requesting entity (see Fleming ¶126, data consent manager 802 is configured to communicate with each of the data subject 801, data controllers 803a, 803b, 803c, 803d, 803e and data requestor 804), the DM server comprising:
a memory device for storing data, wherein the memory device includes a user profile associated with the user, the memory device including a records database, the records database including a plurality of compliance records generated by the DM server to track interactions between the DM server and the requesting entity (see Fleming ¶32, memory may comprise a database populated with data subjects and their respective data sharing preferences; ¶76, preferences are stored in a secured database located on a server); and 
at least one processor communicatively coupled to the memory device, the at least one processor programmed to: receive, from the requesting entity, a PII consent request for access to a requested PII set of the user, the PII consent request identifying a reason code associated with the requested PII set (see Fleming ¶86, the data consent manager may only present the relevant data types for the selection of preferences for those categories of data requestor); 
determine, based on the PII consent request, at least one PII item associated with the reason code (see Fleming ¶113, validation may also comprise confirming whether the data requestor has a legitimate reason for requesting data); 
compare the at least one PII item to the requested PII set (see Fleming ¶127, compare the at least one PII item to the requested PII set); 
generate, based on the comparison, a consent recommendation, wherein the consent recommendation provides a course of action regarding the at least one PII item (see Fleming ¶75, Operation 102 comprises recording the data subject's data sharing preferences); 
receive, from the user computing device, in response to the consent recommendation, a response indicating user consent for the requesting entity to access the at least one PII item (see Fleming ¶78, If a data requestor submits a data share request pertaining to a data subject who has the “as me” option selected for the relevant data requestor, then a notification is sent to the data subject detailing the request); 
transmit, to the requesting entity, a notification indicating the user consent for the requesting entity to retrieve the at least one PII item from a third-party PII storage entity (see Fleming ¶78, data subject can then review the request and decide whether to accept or decline the request. The data subject can then respond to the notification with their preference on that occasion and the request either accepted or declined in dependence on the data subject's response); and 
update, in the memory device, the user profile to track the requesting entity with the at least one PII item (see Fleming ¶122, data consent manager may also provide the data subject with the ability to view and review who currently has access to their data, who is currently storing their data and what data is currently being held).
Fleming does not explicitly teach but the related art Daftary teaches:
transmit the consent recommendation to the user computing device (see Daftary ¶91, cyber-privacy system 201 may generate recommendations based on the identification of the sources of the accounts); 
Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the invention to modify the data consent manager disclosed by Fleming to include the privacy score, as taught by Daftary, in order to transmit the consent recommendation to the user. A person with ordinary skill in the art would have been motivated to add the feature of transmitting the consent recommendation because it is important from a personal privacy perspective that the consumer be aware of all of their online accounts and be informed about the privacy practices of the companies with which they have these accounts (see Daftary ¶2).

As to claim 2, the data management computing system of claim 1, wherein the at least one processor is further programmed to: generate a first compliance record including (i) a request date associated with the PII consent request, (ii) a consent date on which the user provided the user consent (see Fleming ¶84, sub-types may then again be broken down into further sub-types, such as viewing patterns related data (which may include data such as lengths of periods of time which a data subject consumes media and at what times of the day the data subject consumes media)); and (iii) a description of the at least one PII item; link the first compliance record with the user profile (see Fleming ¶101, profile may comprise the information described as being linked to the data requestor ID above); and store the first compliance record in the records database (see Fleming ¶75, Operation 102c comprises saving and storing the data subject's data sharing preferences. The preferences are stored in a secured database located on a server).

As to claim 3, the data management computing system of claim 1, wherein the at least one processor is programmed to generate the consent recommendation by: parsing the records database for compliance records associated with the requesting entity to determine (i) a characteristic compliance rate and (ii) a characteristic compliance time (see Fleming ¶138, upon receiving the data share request the data controller unpackages and reads the request at operation 1102); and
recommending that the user provide user consent based in part on the characteristic compliance rate and the characteristic compliance time satisfying a compliance criterion (see Daftary ¶91, cyber-privacy system 201 may generate recommendations based on the identification of the sources of the accounts).

As to claim 4, the data management computing system of claim 1, wherein the at least one processor is further programmed to generate an entity trust score for the requesting entity, the entity trust score indicating a likelihood that the requesting entity securely manages PII, wherein the entity trust score is based on the plurality of compliance records generated by the DM server (see Daftary ¶35, collects information from various information data sources to assist a consumer in keeping track of numerous accounts and to provide the consumer with privacy scores corresponding to those accounts).

As to claim 5, the data management computing system of claim 1, wherein the at least one processor is further programmed to: receive, from the requesting entity, a PII share request to share the at least one PII item with a share-requesting entity, wherein the requesting entity is registered with the DM server and the share-requesting entity is not registered with the DM server (see Fleming ¶7, receiving a data share request from a requestor to obtain personal data relating to the data subject and held by one or more of the data controllers);
transmit a share notification to the user computing device to alert the user of the PII share request (see Fleming ¶74, inform and prompt the data subject as to their preferences a notification, which may be in the form of an email, push-notification, or a letter, may be sent which notifies the data subject of their current preferences and informs them as to the various options available); 
receive, from the user computing device, in response to the share notification, a response indicating user consent for the requesting entity to share the at least one PII item with the share-requesting entity (see Fleming ¶76, If a data subject has particular preferences for a data requestor within a specific group then the data consent manager may provide a “drill down” function, by which the data subject can expand the group into the individual organizations to modify the preferences for each organization independently); and
transmit, to the requesting entity, a notification indicating the user consent (see Fleming ¶86, the data consent manager may only present the relevant data types for the selection of preferences for those categories of data requestor).

As to claim 6, the data management computing system of claim 5, wherein the at least one processor is further programmed to: generate a second compliance record including (i) a share request date associated with the PII share request, (ii) a consent date on which the user provided user consent to share the at least one PII item (see Fleming ¶86, the data consent manager may only present the relevant data types for the selection of preferences for those categories of data requestor); and
(iii) a description of the at least one PII item; link the second compliance record with the user profile; and store the second compliance record in the records database (see Fleming ¶123, data consent manager may be configured to report some or all of the data currently being held on them at the request of the data subject… from some (such as more than one) or all of the data controllers currently storing the data subject's data).

As to claim 7, the data management computing system of claim 5, wherein the at least one processor is further programmed to: register the share-requesting entity with the DM server to monitor data compliance of the share-requesting entity with respect to the at least one PII item; and update the user profile to track the share-requesting entity with the at least one PII item (see Fleming ¶122, data consent manager may also provide the data subject with the ability to view and review who currently has access to their data, who is currently storing their data and what data is currently being held).

As to claim 8, the data management computing system of claim 5, wherein the at least one processor is further programmed to: generate, in response to the response indicating the user consent, a secure token associated with the at least one PII item; and transmit, to the share-requesting entity, the token to enable the share-requesting entity to submit the token to the requesting entity to access the at least one PII item (see Fleming ¶¶101-102, one of the specific identity or the type of organization is required and so the data requestor ID may only contain one of the two criteria. In some examples the on-boarding of a data requestor comprises the creation of a profile for the data requestor in the data consent manager).

As to claim 9, the data management computing system of claim 1, wherein the at least one processor is further programmed to: receive, from the user computing device, a PII removal request indicating that the user revokes the user consent previously provided to the requesting entity; transmit, to the requesting entity, a removal notification including (i) the revoked user consent, (ii) an identification of the at least one PII item to be removed, and receive, from the requesting entity, a removal compliance response in response to the removal notification, the removal compliance response indicating that the at least one PII item has been removed (see Fleming ¶21, sending an instruction, from the data consent manager to the data controller, to share the personal data with the requestor or rejecting the data share request in dependence on the comparison).
As to independent claim 10, this claim is directed to a computer-implemented method executed by the system of claim 1; therefore, it is rejected along similar rationale.
As to independent claim 16, this claim is directed to a non-transitory computer-readable storage media that includes computer-executable instructions executed by the system of claim 1; therefore, it is rejected along similar rationale.
As to dependent claims 11-15 and 17-20, these claims contain substantially similar subject matter as claims 2-9; therefore, they are rejected along the same rationale.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu, can be reached on 5712726798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NEGA WOLDEMARIAM/ Examiner, Art Unit 2433

/JEFFREY C PWU/ Supervisory Patent Examiner, Art Unit 2433