DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This office Action is in response to Application 17145155 filed on 01/08/2021. Claims 1 and 9 are independent claims. Claims 1-16 have been examined and are pending in this application. This Office Action is made Non-Final.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 01/08/2021 and 01/08/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Specification
The disclosure is objected to because of the following informalities: The Specification does not include section “Brief Summary of Invention.” See MPEP § 608.01(a) for detail. Appropriate correction is required.

	
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 1-6, 9-13 and 15 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-12 of U.S. Patent No. 10,891,359. They are not patentably distinct from each other because the claims of the instant application are anticipated by the reference claims.
Claims 1-6, 9-13 and 15 are rejected on the ground of nonstatutory double patenting as being unpatentable over claim 1-12 of U.S. Patent No. 10,891,359.  Although the claims at issue are not identical, they are not patentably distinct from each other because Claims 1-6, 9-13 and 15 of the instant application are anticipated by claims 1-12 of the US Patent No. 10,891,359, respectively (refer to the comparison table below for detail).

Instant Application 17/145155
US patent No. 10,891,359
Claim 1: A computer-implemented method for use in managing personal identifying information, the method comprising: 
receiving, from a requestor, a request to remove personal identifying information (PII) for at least one individual from multiple service providers; 

determining, by the computing device, a restriction on the PII or the at least one individual applies to the request;







in response to the request, authenticating, by a computing device, the requestor; 
broadcasting, by the computing device, the request, subject to the determined restriction, to the multiple service providers, 



whereby, in response to the request, the multiple service providers remove the PII for the at least one individual from a memory associated with the multiple service providers; 
receiving, by the computing device, at least one response to the request from each of the multiple service providers,

 each response including an indication of removal of the PII of the at least one individual from the memory associated with the respective one of the multiple service providers; 
compiling, by the computing device, a reply to the request based on the at least one response from each of the multiple service providers, the reply including a confirmation of removal of the PII for the at least one individual; 

transmitting the reply to the requestor; and 
logging, by the computing device, the request from the requestor and 


the at least one response from each of the multiple service providers in an audit data structure, thereby permitting compliance with PII controls to be demonstrated.  

Claim 1: A computer-implemented method for use in managing personal identifying information, the method comprising: 

receiving, from a requestor, a request to remove personal identifying information (PII) for at least one individual, the at least one individual associated with a service;

determining, by a computing device, whether a restriction on the PII or the at least one individual applies to the request; 
in response to the request to remove the PII, transmitting a consent notification to the at least one individual for consent of the at least one individual to remove the PII;
receiving the consent of the at least one individual to the consent notification; 

in response to the request, and after receiving the consent, 

broadcasting, by the computing device, the request, subject to the determined restriction when the restriction is determined to apply to the request, to multiple service providers associated with the service, the multiple service providers being controllers of PII of the at least one individual, 
whereby in response to the request, the multiple service providers remove the PII of the at least one individual;


receiving, by the computing device, at least one response to the request, from each of the multiple service providers, 

the responses each including an acknowledgement of removal of the PII of the at least one individual from the respective one of the multiple service providers;
compiling, by the computing device, a reply to the request based on a response from each of the service providers, the reply including a confirmation of the removal of the PII;


transmitting the reply to the requestor; and 
logging, by the computing device, the request from the requestor, the broadcast of the request to the multiple service providers, and 
said at least one response from each of the service providers in an audit data structure, thereby permitting compliance with PII controls to be demonstrated.

Claim 9: A non-transitory computer-readable storage medium including executable instructions for managing personal identifying information, which when executed by at least one processor, cause the at least one processor to:

receive, from a requestor, a request to remove personal identifying information (PI) for at least one individual from multiple service providers, the multiple service providers being controllers of the PH of the at least one individual;  authenticate the requestor; 
when the requestor is authenticated, determine whether a restriction on the PII or the at least one individual applies to the request; 




broadcast the request, subject to the determined restriction, when the restricted is determined to apply to the request, to the multiple service providers;




receive at least one response to the request from each of the multiple service providers, each response including an indication of removal of the PII by the respective one of the multiple service providers; 

compile a reply to the request based on the received at least one response from each of the multiple service providers, the reply including confirmation of removal of the PII from the multiple service providers; 

transmit the reply to the requestor; and

log at least the request from the requestor and the at least one response from each of the multiple service providers in an audit data structure, thereby permitting compliance with PII controls to be demonstrated.  

Claim 7: A non-transitory computer-readable storage media including executable instructions for managing personal identifying information, which when executed by at least one processor, cause the at least one processor to: 

receive, from a requestor, a request to remove personal identifying information (PII) for at least one individual, the at least one individual associated with at least one service; 
determine whether a restriction on the PII or the at least one individual applies to the request; 
in response to the request, transmit a consent notification to the at least one individual for consent to remove the PII; and 
receive the consent of the at least one individual; 
after receipt of the consent, 

broadcast the request, subject to the determined restriction, to at least one service provider of the at least one service, the at least one service provider being a controller of PII of the at least one individual, whereby in response to the request the at least one service provider removes the PII of the at least one individual; 
receive at least one response to the request, from the at least one service provider of the at least one service, including an acknowledgement of removal of the PII of the at least one individual from the at least one service provider; 

compile a reply to the request based on the received at least one response, the reply including a confirmation of the removal of the PII; 



transmit the reply to the requestor; and 
log the request from the requestor, the broadcast of the request to the at least one service provider, and said at least one response from the at least one service provider in an audit data structure for demonstrating compliance with PII controls.



Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5, 7-12, 14 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Tiku et al. (“Tiku,” US 20180329940, filed on 05/12/2017) in view of Lacey et al. (“Lacey,” US 20170140174, published on 05/18/2017)
Regarding Claim 1; 
Tiku discloses a computer-implemented method for use in managing personal identifying information, the method comprising (abstract: a data deletion system trigger and orchestrate data deletion of data across various data stores): 
receiving, from a requestor, a request to remove personal identifying information (PII) for at least one individual from multiple service providers (par 0019; in response to a client closing an account [] an individual or entity requesting deletion, or other criteria resulting in data deletion; par 0057; the financial institution may represent any type of bank, lender or other type of account issuing institution, such as credit card companies, card sponsoring companies, or third party);
broadcasting, by the computing device, the request, to the multiple service providers (par 0040; fig. 2; broadcast a deletion message containing the unique identifier. Broadcasting the deletion message include writing the deletion message to a messaging queue. The deletion message may trigger a purge of data associated with the unique identifier by a subscribing entity such as, for example, an application or third party), 
whereby, in response to the request, the multiple service providers remove the PII for the at least one individual from a memory associated with the multiple service providers (par 0003; data collected and stored in a central repository in association with individuals [] for example, a financial institution may collect data associated with account holders in conjunction with their accounts; par 0019; in response to a client closing an account [] an individual or entity requesting deletion, or other criteria resulting in data deletion; par 0057; the financial institution may represent any type of bank, lender or other type of account issuing institution, such as credit card companies, card sponsoring companies, or third party);
receiving, by the computing device, at least one response to the request from each of the multiple service providers (par 0016; the data deletion utility publish pre deletion and deletion messages to applications to notify applications of upcoming deletions and trigger the actual deletion; par 0044; the data deletion trigger utility send delete messages to the data stores, account SORs, applications in response to receiving the accounts for deletion),
each response including an indication of removal of the PII of the at least one individual from the memory associated with the respective one of the multiple service providers (par 0016; the data deletion utility identify legal holds and other deletion exclusions to ensure the correct data is deleted. The data deletion utility publish pre deletion and deletion messages to applications to notify applications of upcoming deletions and trigger the actual deletion; par 0044; the data deletion trigger utility may send deletion messages to all data stores, account SORs, applications, in response to identifying accounts for deletion [] the data deletion trigger utility send delete messages to the data stores, account SORs, applications in response to receiving the accounts for deletion. The data deletion trigger utility may also confirm compliance);
compiling, by the computing device, a reply to the request based on the at least one response from each of the multiple service providers, the reply including a confirmation of removal of the PII for the at least one individual (par 0027; compliance validation include reconciliation processes run periodically to confirm records have been deleted. Compliance validation complete onboarding for subscribing SORs, applications, and/or third parties. Compliance validation thus ensure PII is deleted in response to deletion file and/or deletion file being published to the appropriate entities);
transmitting the reply to the requestor (par 0027; compliance validation thus ensure PII is deleted in response to deletion file and/or deletion file being published to the appropriate entities; par 0037; consume messages in response to successful deletions); and 
logging, by the computing device, the request from the requestor and the at least one response from each of the multiple service providers in an audit data structure, thereby permitting compliance with PII controls to be demonstrated (par 0025; data deletion trigger utility audit and verify the third parties delete and/or mask data as expected by reviewing the account lists for identifiers associated with accounts that should be deleted; par 0037; the deletion messages are published to subscribing entities. In response to receiving a deletion message, subscribing entities perform a purge by scanning a message queue for a deletion message, purging PII data by deleting and/or masking the PII data identified by the deletion message, and reporting; par 0045; since the systems of record sent the deletion messages downstream, the data deletion trigger utility audit the downstream systems to ensure the subscribing systems are meeting the requirements).
Tiku discloses broadcasting, by the computing device, the request to the multiple service providers, as recited above, but do not explicitly disclose in response to the request, authenticating, by a computing device, the requestor; determining, by the computing device, a restriction on the PII or the at least one individual applies to the request; subject to the determined restriction.
However, in an analogous art, Lacey discloses authorization to release person information system/method that includes:
in response to the request, authenticating, by a computing device, the requestor; (Lacey: par 0288; the bank or the customer can request [] in response to a request, the server will validate the identity of the request against that on the certificate, and if a match is made, the certificate is then sent to the bank or customer [] the certificate can then be used as auditable proof that the customer acknowledged that the transaction was valid and or authorized); 
determining, by the computing device, a restriction on the PII or the at least one individual applies to the request; (Lacey: par 0057; requesting entity wishes to access and/or use PII of a particular user [] determines whether the user has permitted the requested PII to be shared with the requesting entity [] with an entity, subject to any rules and/or restrictions imposed by the hub server, the profile-based PII gateway, and/or any restrictions associated with the user's context profiles); 
subject to the determined restriction (Lacey: par 0057; requesting entity wishes to access and/or use PII of a particular user [] determines whether the user has permitted the requested PII to be shared with the requesting entity [] with an entity, subject to any rules and/or restrictions imposed by the hub server, the profile-based PII gateway, and/or any restrictions associated with the user's context profiles).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Lacey with the method/system of Tiku to include in response to the request, authenticating, by a computing device, the requestor; determining, by the computing device, a restriction on the PII or the at least one individual applies to the request; subject to the determined restriction. One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).

Regarding Claim 2; 
The combination of Tiku and Lacey disclose the computer-implemented method of claim 1, 
	Lacey discloses wherein determining the restriction applies includes identifying a restriction on the PII based on the at least one individual from a restricted use management data structure (Lacey: par 0057; requesting entity wishes to access and/or use PII of a particular user [] determines whether the user has permitted the requested PII to be shared with the requesting entity [] with an entity, subject to any rules and/or restrictions imposed by the hub server, the profile-based PII gateway, and/or any restrictions associated with the user's context profiles).
One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).

Regarding Claim 3; 
The combination of Tiku and Lacey disclose the computer-implemented method of claim 1, 
	Tiku discloses wherein the requestor is a third party service provider for at least one service associated with the at least one individual (Tiku: par 0019; in response to a client closing an account [] an individual or entity requesting deletion, or other criteria resulting in data deletion; par 0057; the financial institution may represent any type of bank, lender or other type of account issuing institution, such as credit card companies, card sponsoring companies, or third party); 
Lacey further discloses wherein determining whether the restriction applies includes identifying at least one restriction on the PII based on the third party service provider and the at least one individual (Lacey: par 0057; requesting entity wishes to access and/or use PII of a particular user [] determines whether the user has permitted the requested PII to be shared with the requesting entity [] with an entity, subject to any rules and/or restrictions imposed by the hub server, the profile-based PII gateway, and/or any restrictions associated with the user's context profiles).
One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).

Regarding Claim 5;
	The combination of Tiku and Lacey disclose the computer-implemented method of claim 3, 
	Tiku discloses wherein broadcasting the request (Tiku: par 0016; the data deletion utility may publish pre-deletion and deletion messages to applications to notify applications of upcoming deletions and trigger the actual deletion), further includes broadcasting the request to the third party service provider (Tiku: par 0014; the data deletion system may then propagate delete messages across the SORs, applications, third parties, cloud storage systems, data stores, and/or big data systems to trigger deletion of certain data (e.g., personally identifiable information (PII)) across some or all markets); 
Lacey further discloses subject to the determined restriction (Lacey: par 0057; requesting entity wishes to access and/or use PII of a particular user [] determines whether the user has permitted the requested PII to be shared with the requesting entity [] with an entity, subject to any rules and/or restrictions imposed by the hub server, the profile-based PII gateway, and/or any restrictions associated with the user's context profiles).
One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).

Regarding Claim 7; 
The combination of Tiku and Lacey disclose the computer-implemented method of claim 1, further comprising: 
Lacey discloses in response to receiving the request to remove the PII for the at least one individual, transmitting a consent notification to the at least one individual for consent of the at least one individual to remove the PII (Lacey: par 0288; the bank or the customer can request [] in response to a request, the server will validate the identity of the request against that on the certificate, and if a match is made, the certificate is then sent to the bank or customer [] the certificate can then be used as auditable proof that the customer acknowledged that the transaction was valid and or authorized); and receiving the consent of the at least one individual to the consent notification, prior to the request (Lacey: par 0288; the bank or the customer can request [] in response to a request, the server will validate the identity of the request against that on the certificate, and if a match is made, the certificate is then sent to the bank or customer [] the certificate can then be used as auditable proof that the customer acknowledged that the transaction was valid and or authorized).
One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).
Tiku further discloses receiving the request to remove the PII (Tiku: par 0019; in response to a client closing an account [] an individual or entity requesting deletion, or other criteria resulting in data deletion); broadcasting the request (Tiku: par 0040; broadcast a deletion message containing the unique identifier. Broadcasting the deletion message include writing the deletion message to a messaging queue. The deletion message may trigger a purge of data associated with the unique identifier by a subscribing entity such as, for example, an application or third party), 

Regarding Claim 8; 
The combination of Tiku and Lacey disclose the computer-implemented method of claim 1, 
Tiku discloses logging, by the computing device, and the broadcasting of the request in the audit data structure (Tiku: par 0025; data deletion trigger utility audit and verify the third parties delete and/or mask data as expected by reviewing the account lists for identifiers associated with accounts that should be deleted; par 0037; the deletion messages are published to subscribing entities. In response to receiving a deletion message, subscribing entities perform a purge by scanning a message queue for a deletion message, purging PII data by deleting and/or masking the PII data identified by the deletion message, and reporting; par 0040; broadcast a deletion message containing the unique identifier. Broadcasting the deletion message include writing the deletion message to a messaging queue. The deletion message may trigger a purge of data associated with the unique identifier by a subscribing entity such as, for example, an application or third party; par 0045; since the systems of record sent the deletion messages downstream, the data deletion trigger utility audit the downstream systems to ensure the subscribing systems are meeting the requirements).
Lacey further discloses authentication of the requestor (Lacey: par 0288; the bank or the customer can request [] in response to a request, the server will validate the identity of the request against that on the certificate, and if a match is made, the certificate is then sent to the bank or customer [] the certificate can then be used as auditable proof that the customer acknowledged that the transaction was valid and or authorized).
One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).


Regarding Claim 9; 
Tiku a non-transitory computer-readable storage medium including executable instructions for managing personal identifying information, which when executed by at least one processor, cause the at least one processor to (abstract: a data deletion system trigger and orchestrate data deletion of data across various data stores; par 0071; the control logic, when executed by the processor, causes the processor to perform the functions): 
receive, from a requestor, a request to remove personal identifying information (PII) for at least one individual from multiple service providers, the multiple service providers being controllers of the PII of the at least one individual (par 0019; in response to a client closing an account [] an individual or entity requesting deletion, or other criteria resulting in data deletion; par 0057; the financial institution may represent any type of bank, lender or other type of account issuing institution, such as credit card companies, card sponsoring companies, or third party);
broadcast the request, to the multiple service providers (par 0040; fig. 2; broadcast a deletion message containing the unique identifier. Broadcasting the deletion message include writing the deletion message to a messaging queue. The deletion message may trigger a purge of data associated with the unique identifier by a subscribing entity such as, for example, an application or third party);
receive at least one response to the request from each of the multiple service providers, each response including an indication of removal of the PII by the respective one of the multiple service providers (par 0003; data collected and stored in a central repository in association with individuals [] for example, a financial institution may collect data associated with account holders in conjunction with their accounts; par 0019; in response to a client closing an account [] an individual or entity requesting deletion, or other criteria resulting in data deletion; par 0057; the financial institution may represent any type of bank, lender or other type of account issuing institution, such as credit card companies, card sponsoring companies, or third party);
compile a reply to the request based on the received at least one response from each of the multiple service providers, the reply including confirmation of removal of the PII from the multiple service providers (par 0027; compliance validation include reconciliation processes run periodically to confirm records have been deleted. Compliance validation complete onboarding for subscribing SORs, applications, and/or third parties. Compliance validation thus ensure PII is deleted in response to deletion file and/or deletion file being published to the appropriate entities);
transmit the reply to the requestor (par 0027; compliance validation thus ensure PII is deleted in response to deletion file and/or deletion file being published to the appropriate entities; par 0037; consume messages in response to successful deletions);  and 
log at least the request from the requestor and the at least one response from each of the multiple service providers in an audit data structure, thereby permitting compliance with PII controls to be demonstrated (par 0025; data deletion trigger utility audit and verify the third parties delete and/or mask data as expected by reviewing the account lists for identifiers associated with accounts that should be deleted; par 0037; the deletion messages are published to subscribing entities. In response to receiving a deletion message, subscribing entities perform a purge by scanning a message queue for a deletion message, purging PII data by deleting and/or masking the PII data identified by the deletion message, and reporting; par 0045; since the systems of record sent the deletion messages downstream, the data deletion trigger utility audit the downstream systems to ensure the subscribing systems are meeting the requirements).
Tiku discloses broadcast the request, to the multiple service providers recited above, but do not explicitly disclose authenticate the requestor; when the requestor is authenticated, determine whether a restriction on the PII or the at least one individual applies to the request; subject to the determined restriction, when the restricted is determined to apply to the request.
However, in an analogous art, Lacey discloses authorization to release person information system/method that includes:
authenticate the requestor (Lacey: par 0288; the bank or the customer can request [] in response to a request, the server will validate the identity of the request against that on the certificate, and if a match is made, the certificate is then sent to the bank or customer [] the certificate can then be used as auditable proof that the customer acknowledged that the transaction was valid and or authorized); 
when the requestor is authenticated, determine whether a restriction on the PII or the at least one individual applies to the request (Lacey: par 0288; the bank or the customer can request [] in response to a request, the server will validate the identity of the request against that on the certificate, and if a match is made, the certificate is then sent to the bank or customer [] the certificate can then be used as auditable proof that the customer acknowledged that the transaction was valid and or authorized; par 0057; requesting entity wishes to access and/or use PII of a particular user [] determines whether the user has permitted the requested PII to be shared with the requesting entity [] with an entity, subject to any rules and/or restrictions imposed by the hub server, the profile-based PII gateway, and/or any restrictions associated with the user's context profiles); 
subject to the determined restriction, when the restricted is determined to apply to the request (Lacey: par 0057; requesting entity wishes to access and/or use PII of a particular user [] determines whether the user has permitted the requested PII to be shared with the requesting entity [] with an entity, subject to any rules and/or restrictions imposed by the hub server, the profile-based PII gateway, and/or any restrictions associated with the user's context profiles).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Lacey with the method/system of Tiku to include authenticate the requestor; when the requestor is authenticated, determine whether a restriction on the PII or the at least one individual applies to the request; subject to the determined restriction, when the restricted is determined to apply to the request. One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).

Regarding Claim 10; 
The combination of Tiku and Lacey disclose the non-transitory computer-readable storage medium of claim 9, 
Tiku further discloses wherein the at least one individual is associated with a plurality of services, and wherein the multiple service providers are each associated with one or more of the plurality of services (Tiku: par 0003; a financial institution may collect data associated with account holders in conjunction with their accounts; par 0057; phrases and terms similar to "financial institution" or "transaction account issuer" may include any entity that offers transaction account services. Although often referred to as a "financial institution," the financial institution may represent any type of bank, lender or other type of account issuing institution, such as credit card companies, card sponsoring companies, or third party issuers under contract with financial institutions).

Regarding Claim 11; 
The combination of Tiku and Lacey disclose the non-transitory computer-readable storage medium of claim 10, 
Tiku discloses wherein the requestor is a third party service provider for one or more of the plurality of services associated with the at least one individual (Tiku: par 0019; in response to a client closing an account [] an individual or entity requesting deletion, or other criteria resulting in data deletion; par 0057; the financial institution may represent any type of bank, lender or other type of account issuing institution, such as credit card companies, card sponsoring companies, or third party);
	Lacey further discloses wherein the executable instructions, when executed by the at least one processor, cause the at least one processor, in connection with determining whether the restriction applies to the request, to determine whether the restriction applies further based at least in part on the third party service provider (Lacey: par 0057; requesting entity wishes to access and/or use PII of a particular user [] determines whether the user has permitted the requested PII to be shared with the requesting entity [] with an entity, subject to any rules and/or restrictions imposed by the hub server, the profile-based PII gateway, and/or any restrictions associated with the user's context profiles).
One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).

 Regarding Claim 12; 
The combination of Tiku and Lacey disclose the non-transitory computer-readable storage medium of claim 9, 
Lacey disclose wherein the executable instructions, when executed by the at least one processor, further cause the at least one processor to identify, from a restricted use management data structure, the restriction on the PII based on the at least one individual, prior to determining whether the restriction applies to the request (Lacey: par 0057; requesting entity wishes to access and/or use PII of a particular user [] determines whether the user has permitted the requested PII to be shared with the requesting entity [] with an entity, subject to any rules and/or restrictions imposed by the hub server, the profile-based PII gateway, and/or any restrictions associated with the user's context profiles).
 One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).

Regarding Claim 14; 
The combination of Tiku and Lacey disclose the non-transitory computer-readable storage medium of claim 9, 
Tiku discloses wherein the executable instructions, when executed by the at least one processor, further cause the at least one processor to log an requestor and the broadcast of the request to the multiple service providers in the audit data structure (Tiku: par 0025; data deletion trigger utility audit and verify the third parties delete and/or mask data as expected by reviewing the account lists for identifiers associated with accounts that should be deleted; par 0037; the deletion messages are published to subscribing entities. In response to receiving a deletion message, subscribing entities perform a purge by scanning a message queue for a deletion message, purging PII data by deleting and/or masking the PII data identified by the deletion message, and reporting; par 0040; broadcast a deletion message containing the unique identifier. Broadcasting the deletion message include writing the deletion message to a messaging queue. The deletion message may trigger a purge of data associated with the unique identifier by a subscribing entity such as, for example, an application or third party; par 0045; since the systems of record sent the deletion messages downstream, the data deletion trigger utility audit the downstream systems to ensure the subscribing systems are meeting the requirements).
Lacey further discloses authentication of the requestor (Lacey: par 0288; the bank or the customer can request [] in response to a request, the server will validate the identity of the request against that on the certificate, and if a match is made, the certificate is then sent to the bank or customer [] the certificate can then be used as auditable proof that the customer acknowledged that the transaction was valid and or authorized).
One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).

Regarding Claim 16; 
The combination of Tiku and Lacey disclose the non-transitory computer-readable storage medium of claim 9, 
Lacey discloses wherein the executable instructions, when executed by the at least one processor, cause the at least one processor to: in response to the request, transmit a consent notification to the at least one individual for consent related to the PII (Lacey: par 0288; the bank or the customer can request [] in response to a request, the server will validate the identity of the request against that on the certificate, and if a match is made, the certificate is then sent to the bank or customer [] the certificate can then be used as auditable proof that the customer acknowledged that the transaction was valid and or authorized); and receive the consent of the at least one individual, prior to the request (Lacey: par 0288; the bank or the customer can request [] in response to a request, the server will validate the identity of the request against that on the certificate, and if a match is made, the certificate is then sent to the bank or customer [] the certificate can then be used as auditable proof that the customer acknowledged that the transaction was valid and or authorized).
One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).
Tiku further discloses broadcasting the request (Tiku: par 0040; broadcast a deletion message containing the unique identifier. Broadcasting the deletion message include writing the deletion message to a messaging queue. The deletion message may trigger a purge of data associated with the unique identifier by a subscribing entity such as, for example, an application or third party).

Claims 4, 6, 13 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Tiku et al. (US 20180329940) in view of Lacey et al. (US 20170140174) and further in view of Brush et al. (“Brush,” US 20130232552, published 02/27/2014)

Regarding Claim 4; 
The combination of Tiku and Lacey disclose the computer-implemented method of claim 3, 
Tiku further discloses wherein the at least one individual includes multiple individuals (Tiku: par 0017; phrases and terms similar to "internal data" and "PII" may include any identifying or sensitive data related to an individual, merchant, vendor, small business, corporation, or other entity).  
The combination of Tiku and Lacey all the limitations as recited above, but does not explicitly disclose wherein the request further includes a request to return the PII.
However, in an analogous art, Brush discloses Context Sharing with Privacy that includes: 
wherein the request further includes a request to return the PII (Brush: par 0011; steps that may be taken by a remote context sharing service to return context-related information in response to a peek request).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Brush with the method/system of Tiku and Lacey to include wherein the request further includes a request to return available PII. One would have been motivated to towards a technology by which a computing device user may share context-related information with other recipient machines (Brush: abstract).

Regarding Claim 6;  
The combination of Tiku and Lacey disclose the computer-implemented method of claim 1, 
Lacey further discloses wherein the at least one response to the request, from each of the multiple service providers, further includes PII and metadata related to the PII (Lacey: par 0057; requesting entity wishes to access and/or use PII of a particular user, it must confirm with the hub server whether it is authorized to do so at that time. In response to receiving such a request, the profile-based PII gateway determines the user's active context profile, and then determines whether the user has permitted the requested PII to be shared with the requesting entity when that particular context profile is active; par 0309; regarding the consent included in the consent request via a capture feature of the widget. The digital representation may include code and metadata associated with the consent request).
One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).
	The combination of Tiku and Lacey disclose all the limitations as recited above, but does not explicitly disclose wherein the request further includes a request to return the PII. 
However, in an analogous art, Brush discloses Context Sharing with Privacy that includes: 
wherein the request further includes a request to return the PII (Brush: par 0011; steps that may be taken by a remote context sharing service to return context-related information in response to a peek request).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Brush with the method/system of Tiku and Lacey to include wherein the request further includes a request to return the PII. One would have been motivated to towards a technology by which a computing device user may share context-related information with other recipient machines (Brush: abstract).

Regarding Claim 13; 
The combination of Tiku and Lacey disclose the non-transitory computer-readable storage medium of claim 9, 
Tiku discloses wherein the at least one individual includes multiple individuals (Tiku par 0019; in response to a client closing an account [] an individual or entity requesting deletion, or other criteria resulting in data deletion; par 0057; the financial institution may represent any type of bank, lender or other type of account issuing institution, such as credit card companies, card sponsoring companies, or third party);and wherein the requestor includes one of the multiple service providers (Tiku par 0019; in response to a client closing an account [] an individual or entity requesting deletion, or other criteria resulting in data deletion; par 0057; the financial institution may represent any type of bank, lender or other type of account issuing institution, such as credit card companies, card sponsoring companies, or third party).  
The combination of Tiku and Lacey disclose all the limitations as recited above, but does not explicitly disclose wherein the request further includes a request to return available PII.
However, in an analogous art, Brush discloses Context Sharing with Privacy that includes: 
wherein the request further includes a request to return available PII (Brush: par 0011; steps that may be taken by a remote context sharing service to return context-related information in response to a peek request).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Brush with the method/system of Tiku and Lacey to include wherein the request further includes a request to return available PII. One would have been motivated to towards a technology by which a computing device user may share context-related information with other recipient machines (Brush: abstract).

Regarding Claim 15; 
The combination of Tiku and Lacey disclose the non-transitory computer-readable storage medium of claim 9, 
Lacey further discloses wherein the at least one response to the request from each of the multiple service providers further includes PII and metadata related to the PII (Lacey: par 0057; requesting entity wishes to access and/or use PII of a particular user, it must confirm with the hub server whether it is authorized to do so at that time. In response to receiving such a request, the profile-based PII gateway determines the user's active context profile, and then determines whether the user has permitted the requested PII to be shared with the requesting entity when that particular context profile is active; par 0309; regarding the consent included in the consent request via a capture feature of the widget. The digital representation may include code and metadata associated with the consent request).
One would have been motivated to a consent request for requesting authorization to release the personal information associated with the user to the third party and transmitting the consent request to a client device (Lacey: abstract).
	The combination of Tiku and Lacey disclose all the limitations as recited above, but does not explicitly disclose wherein the request further includes a request to return available PII.
However, in an analogous art, Brush discloses Context Sharing with Privacy that includes: 
wherein the request further includes a request to return the PII (Brush: par 0011; steps that may be taken by a remote context sharing service to return context-related information in response to a peek request).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Brush with the method/system of Tiku and Lacey to include wherein the request further includes a request to return available PII. One would have been motivated to towards a technology by which a computing device user may share context-related information with other recipient machines (Brush: abstract).


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/C.W./Examiner, Art Unit 2439    


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439