DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This office action is in response to amendment filed on 3/17/2022.  Claims 1, 4-5, 7-8, 11-12, and 14-15 have been amended and claims 6, 13 have been canceled by the Applicant.  Claims 1-5, 7-12, and 14-20 have been examined.  This office action is Final.

Response to Amendment

Applicant’s arguments, see Applicant’s Arguments, filed 3/17/2022, with respect to the claims have been fully considered and are persuasive.  New art has been applied to the newly added limitation,  “executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor”.  Thus, the Applicant’s arguments on pages 8-9, in regards to prior art of Cheery are moot, because new art has been applied to the amendment, the prior art of Chathoth (2016/0285871).  

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-5, 7-12, and 14-20 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
More Specifically, independent amended claims 1, 8, and 15 recite, “wherein executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor”.  The Examiner has reviewed the Applicant’s specification, there is not disclosed wherein executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor, in the Applicant’s specification there is discloses the data subject requestor to transmit a copy of a document or legal (see Applicant’s specification pgs. 3 and 5, para. 007, 0010).  The limitation  “wherein executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor”, is not disclosed in the Applicant’s specification.  There is not disclosed “collecting”, nor “authentication methodology involves interacting with the data subject requestor to collect”…
	Regarding claims 2-5, and 7; 9-12, and 14; and 16-20 are also rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph for the same reasons addressed above.  In addition, claims 2-5, and 7 are dependent on claim 1, claims 9-12 are dependent on claim 8, and claims 16-20 are dependent on claim 15 and therefore inherit 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph issues of the independent claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 8-10, 12, 15-17, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Roundtree et al. (2002/0004736) in view of Cherry et al. (2017/0070495), and further in view of Chathoth (2016/0285871).
As per claim 1, Roundtree discloses a method comprising:
Roundtree discloses receiving, by computing hardware, a data subject access request from a data subject access requestor to perform an action with regard to personal data associated with the data subject access requestor (Roundtree: para. 0020-0021, See Fig. 1, receiving, by the system server #10 (i.e. computing hardware), a data subject access request from a #12 requestor (i.e. data subject access requestor) to perform an action (i.e. provide/access) with regard to personal data #38 associated with the data subject access requestor #12);
determining, by the computing hardware, a type of the data subject access request (Roundtree: para. 0021, determining, by the system server (i.e. computing hardware), a type of data subject access request (i.e. type of information requested)), 
determining, by the computing hardware based on the type, a computer-implemented
workflow for processing the data subject access request (Roundtree: para. 0050, 0058, See Fig. 6 #174 (i.e. workflow) determining, by a system server (i.e. computing hardware) based on type (i.e. type, purpose of request), a particular protocol/ system criteria/technique/ or strategy (i.e. computer-implemented workflow) for processing the data subject access request (i.e. request for personal information of target person));
Roundtree does not explicitly disclose the type comprising at least one of: (1) a request to delete the personal data, (2) a request to provide the personal data, (3) a request to opt out of having the personal data processed, or (4) a request to update the personal data; determining, by the computing hardware based on the computer-implemented workflow, an authentication methodology that is to be used to verify an identity of the data subject access requestor; using the authentication methodology, by the computing hardware, to verify the identity of the data subject access requestor; and responsive to verifying the identity of the data subject access requestor, processing, by the computing hardware, the data subject access request according to the computer-implemented workflow.
However, analogous art of Cherry discloses the type comprising at least one of: (1) a request to delete the personal data, (2) a request to provide the personal data, (3) a request to opt out of having the personal data processed, or (4) a request to update the personal data (Cherry: para. 0010, 0030, 0043, as claimed only one of these types needs to be disclosed “at least one of, followed by “or”, Cherry discloses a request to update the personal data (i.e. requesting update of the file); determining, by the computing hardware based on the computer-implemented workflow, an authentication methodology that is to be used to verify an identity of the data subject access requestor (Cherry: para. 0041, 0052,  determining based on the workflow, an authentication methodology (i.e. based on the received permissions credential) that is used to verify the identity of the requestor (i.e. sender) depends on which task within the workflow to be executed depending on the credential); upon determining the authentication methodology, executing the authentication methodology, by the computing hardware, to verify the identity of the data subject access requestor (Cherry: para. 0031-0033, 0041, 0052, transmitting a permission credential such as fingerprint/geolocation, so that authentication can take place, the receiver verifies the identity by performing authentication/authentication methodology); and responsive to verifying the identity of the data subject access requestor, processing, by the computing hardware, the data subject access request according to the computer-implemented workflow (Cherry: para. 0041, 0052, responsive to verifying the identity of the requestor (i.e. sender), the request of the file is processed).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the type comprising at least one of: (1) a request to delete the personal data, (2) a request to provide the personal data, (3) a request to opt out of having the personal data processed, or (4) a request to update the personal data; determining, by the computing hardware based on the computer-implemented workflow, an authentication methodology that is to be used to verify an identity of the data subject access requestor; upon determining the authentication methodology, executing the authentication methodology, by the computing hardware, to verify the identity of the data subject access requestor, wherein; and responsive to verifying the identity of the data subject access requestor, processing, by the computing hardware, the data subject access request according to the computer-implemented workflow of Cherry with Roundtree, the motivation is that this is a security measure that ensures that  the sender is trusted by following certain sequences of workflow events (Cherry: para. 0041).
Roundtree and Cherry do not disclose or suggest wherein executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor.
Chathoth discloses wherein executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor (Chathoth: para. 0037-0042, declarative request, interacting with a client to collect information (i.e. authentication information).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor of Chathoth with the Roundtree and Cherry, the motivation is that this is an efficient method that requires enforcement in order to validate credentials, using a policies (Chathoth: para. 0037).
As per claim 2, the combination of Roundtree, Cherry, and Chathoth disclose the method of Claim 1.   Cherry further disclose wherein processing the data subject access request according to the computer-implemented workflow comprises performing at least one of deleting, providing, or updating the personal data by using a data model to identify a storage location for the personal data (Cherry: para. 0041, 0052, processing the request according to a workflow, and updating the personal data using a data model to identify a storage location for the personal data, the data could be stored at third-party source).
Same motivation as claim 1.
As per claim 3, the combination of Roundtree, Cherry, and Chathoth disclose the method of Claim 1.  Roundtree further discloses wherein processing the data subject access request according to the computer-implemented workflow comprises completing the data subject access request on an expedited basis (Roundtree: See Fig. 9, #246, the requestor can enter the deadline to receive the personal information (i.e. completing the data subject access request), thus the Examiner asserts this could be an expedited basis a few days, since the requestor sets the date).
As per claim 5, the combination of Roundtree, Cherry, and Chathoth disclose the method of Claim 1.  Cherry further discloses wherein executing the authentication methodology to verify the identity of the data subject access requestor comprises (Cherry: para. 0041, authentication methodology (i.e. permissions credential and task associated with the it, to verify the identity of the requestor, the system performs sequences of workflow events to verify that the sender is trusted): prompting the data subject access requestor to log in to an authentication system for an entity storing the personal data using credentials of the data subject access requestor (Cherry: para. 0030, the sender log in using credentials); and responsive to the data subject access requestor successfully logging in to the authentication system, verifying the identity of the data subject access requestor (Cherry: para. 0030, 0041, sender is successfully logged in, verifying the identity of the sender based on the tasks being performed of the workflow).
Same motivation as claim 1 above.

As per claim 8, Roundtree discloses a system comprising:
a non-transitory computer-readable medium storing instructions (Roundtree: para. 0040, #102 memory); and
a processing device communicatively coupled to the non-transitory computer-readable medium, wherein, the processing device is configured to execute the instructions and thereby perform operations comprising (Roundtree: para. 0040, #112 processor (i.e. processing device)):
providing a graphical user interface for display on a computing device, the graphical user interface configured to receive a data subject access request (Roundtree: para. 0020-0021, 0040-0041,  See Fig. 1, receiving, by the system server #10 (i.e. computing device has display that provides receives the request);
receiving, via the graphical user interface, the data subject access request from a data subject access requestor to perform an action with regard to personal data (Roundtree: para. 0020-0021, See Fig. 1, receiving, by the system server #10 (i.e. which has a display with a GUI), a data subject access request from a #12 requestor (i.e. data subject access requestor) to perform an action (i.e. provide/access) with regard to personal data #38 associated with the data subject access requestor #12);
determining a type of the data subject access request, determining, based on the type, a computer-implemented workflow for processing the data subject access request (Roundtree: para. 0050, 0058, See Fig. 6 #174 (i.e. workflow) determining, by a system server based on type (i.e. type, purpose of request), a particular protocol/ system criteria/technique/ or strategy (i.e. computer-implemented workflow) for processing the data subject access request (i.e. request for personal information of target person)).
Roundtree does not explicitly disclose the type comprising at least one of: (1) a request to delete the personal data, (2) a request to provide the personal data, (3) a request to opt out of having the personal data processed, or (4) a request to update the personal data; wherein the computer-implemented workflow identifies an authentication methodology used to verify an identity of the data subject access requestor; wherein executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor; and responsive to verifying the identity of the data subject access requestor, processing the data subject access request according to the computer-implemented workflow.
However, analogous art of Cherry discloses the type comprising at least one of: (1) a request to delete the personal data, (2) a request to provide the personal data, (3) a request to opt out of having the personal data processed, or (4) a request to update the personal data (Cherry: para. 0010, 0030, 0043, as claimed only one of these types needs to be disclosed “at least one of, followed by “or”, Cherry discloses a request to update the personal data (i.e. requesting update of the file); wherein the computer-implemented workflow identifies an authentication methodology used to verify an identity of the data subject access requestor; upon determining the authentication methodology, executing the authentication methodology to verify the identity of the data subject requestor (Cherry: para. 0031-0033, 0041, 0052, transmitting a permission credential such as fingerprint/geolocation, so that authentication can take place, the receiver verifies the identity by performing authentication/authentication methodology)); and responsive to verifying the identity of the data subject access requestor, processing the data subject access request according to the computer-implemented workflow (Cherry: para. 0041, 0052, responsive to verifying the identity of the requestor (i.e. sender), the request of the file is processed).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include the type comprising at least one of: (1) a request to delete the personal data, (2) a request to provide the personal data, (3) a request to opt out of having the personal data processed, or (4) a request to update the personal data; wherein the computer-implemented workflow identifies an authentication methodology used to verify an identity of the data subject access requestor; executing the authentication methodology to verify the identity of the data access requestor; and responsive to verifying the identity of the data subject access requestor, processing the data subject access request according to the computer-implemented workflow of Cherry with Roundtree’s system, the motivation is that this is a security measure that ensures that  the sender is trusted by following certain sequences of workflow events (Cherry: para. 0041).
Roundtree and Cherry do not disclose or suggest wherein executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor.
Chathoth discloses wherein executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor (Chathoth: para. 0037-0042, declarative request, interacting with a client to collect information (i.e. authentication information).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include executing the authentication methodology involves interacting with the data subject requestor to collect information from the data subject requestor to verify the identity of the data subject requestor of Chathoth with the Roundtree and Cherry, the motivation is that this is an efficient method that requires enforcement in order to validate credentials, using a policies (Chathoth: para. 0037).
As per claims 9-10, rejected under similar basis as claims 2-3 respectively.
As per claim 12, rejected under similar basis as claims 5.
As per claim 15, rejected under similar scope as claim 1.
As per claim 16, Roundtree, Cherry, and Chathoth disclose the non-transitory computer-readable medium of Claim 15.  Cherry further discloses wherein the authentication methodology specifies how many different types of authentication information are required to verify the identity of the data subject access requestor (Cherry: para. 0041, authentication methodology specifies how many type of authentication, uses the sequences of the workflow to determine if a sender (i.e. requestor) is less or trusted, depending on if the sender is less trusted, additional authentication is required, thus multiple types).
Same motivation as claim 15.
As per claim 17, the combination of Roundtree, Cherry, and Chathoth disclose the non-transitory computer-readable medium of Claim 15.  Roundtree further discloses wherein the personal data has been obtained from the data subject and stored on a data asset of an entity receiving the data subject access request (Roundtree: para. 0060-0061, personal data has been obtained and stored on a data asset (i.e. database) of an entity (i.e. system server) receiving the request).
As per claim 19, rejected under similar basis as claim 9.
As per claim 20, rejected under similar basis as claim 3.

Claims 4, 11 are rejected under 35 U.S.C. 103 as being unpatentable over Roundtree et al. (2002/0004736) in view of Cherry et al. (2017/0070495), and in view of Chathoth (2016/0285871) further in view of Reeves (9,202,026).
As per claim 4, the combination of Roundtree, Cherry, and Chathoth discloses the method of Claim 1.  Cherry further discloses wherein executing the authentication methodology to verify the identity of the data subject access requestor (Cherry: para. 0041, authentication methodology (i.e. permissions credential and task associated, to verify the identity of the requestor, the system performs sequences of workflow events to verify that the sender is trusted).
Roundtree, Cherry, and Chathoth does not explicitly disclose requiring the data subject access requestor to transmit a copy of at least one of an identification document for the data subject access requestor or a particular legal document.  
However, analogous in the art of Reeves discloses requiring the data subject access requestor to transmit a copy of at least one of an identification document for the data subject access requestor or a particular legal document (Reeves: col. 3, lines 8-18, copy of a particular legal document (i.e. government issued document).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include requiring the data subject access requestor to transmit a copy of at least one of an identification document for the data subject access requestor or a particular legal document of Reeves with the combination of Roundtree, Cherry, and Chathoth, the motivation is that this method reduces the occurrence of identity theft due to obtaining a particular legal document and then using the document as proof of identity (Reeves: col. 4, lines 17-21).
As per claim 11, rejected under similar basis as claim 4 above.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Roundtree et al. (2002/0004736) in view of Cherry et al. (2017/0070495),  in view of Chathoth (2016/0285871) and further in view of Hathaway et al. (9,152,818).
As per claim 7, Roundtree, Cherry, and Chathoth disclose the method of Claim 1.
Cherry further discloses wherein executing the authentication methodology to verify the identity of the data subject access requestor comprises (Cherry: para. 0041, authentication methodology (i.e. permissions credential and task associated with the it, to verify the identity of the requestor, the system performs sequences of workflow events to verify that the sender is trusted).
Roundtree, Cherry, and Chathoth explicitly disclose generating, based on information received via a third-party data aggregation system, a threshold identity confirmation question; prompting the data subject access requestor to provide a response to the threshold identity confirmation question; and comparing the response to the information received via the third-party data aggregation system to verify the identity of the data subject access requestor.
However, analogous art of Hathaway discloses generating, based on information received via a third-party data aggregation system, a threshold identity confirmation question (Hathaway: col. 2, lines 17-25,and col. 3, lines 48-55, generating, based on information received via a third party aggregation system (i.e. personal information source), a threshold identity confirmation question (i.e. KBA question)); prompting the data subject access requestor to provide a response to the threshold identity confirmation question (Hathaway: col. 5, lines 63-67, col. 6, lines 1-3, prompting the data requestor to provide a response to KBA question); and comparing the response to the information received via the third-party data aggregation system to verify the identity of the data subject access requestor (Hathaway: col. 8, lines 40-51, comparing the response to information received by the personal information source to verify identity of the consumer (i.e. requestor)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include generating, based on information received via a third-party data aggregation system, a threshold identity confirmation question; prompting the data subject access requestor to provide a response to the threshold identity confirmation question; and comparing the response to the information received via the third-party data aggregation system to verify the identity of the data subject access requestor of Hathaway with Roundtree Cherry, and Chathoth, the motivation is that this method is an efficient security measure that protects against identity theft (Hathaway: col. 3, lines 28-30).
As per claim 14, rejected under similar basis as claim 7.

Claim 18 is rejected under 35 U.S.C. 103 as being unpatentable over Roundtree et al. (2002/0004736) in view of Cherry et al. (2017/0070495), in view of Chathoth (2016/0285871)and further in view of Chochois et al. (2009/0206988).
As per claim 18, the combination of Roundtree, Cherry, and Chathoth disclose the non-transitory computer-readable medium of Claim 15.  
Roundtree, Cherry, and Chathoth do not explicitly disclose wherein the data subject access requestor is the data subject.
However, analogous art of Chochois discloses wherein the data subject access requestor is the data subject (Chochois: para. 0016-0017, the subject access requestor is the data subject (i.e. subject (i.e. same user that is request access to the data in the safe)).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to include wherein the data subject access requestor is the data subject of Chochois with the system of Roundtree, Cherry, and Chathoth, the motivation is that a request to access the data of the requestor insures that the user will be able to access their own data safely, thus this is an efficient method that has the benefit of securely accessing data (Chochois: para. 0015-0016).

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JENISE E JACKSON whose telephone number is (571)272-3791. The examiner can normally be reached M-F 8:00am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




5/13/2022
/J.E.J/Examiner, Art Unit 2439                                                                                                                                                                                                        /CHRISTOPHER J BROWN/Primary Examiner, Art Unit 2439