DETAILED ACTION
This office action is in response to applicant's communication filed on 05/02/2022.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
The Applicant's remarks and amendments, in response to the last Office Action, have been considered with the results that follow: 
Claims 1-4, 6-7, 11, 13-18, and 20 are amended.
Claims 8 and 19 are canceled.
Claims 1-7, 9-18, and 20 are now pending in this application.
The previously raised objections to the Abstract are withdrawn in view of Applicant's amendments.
The previously raised 35 U.S.C. §101 rejections of claims are withdrawn in view of Applicant's amendments to the claims.
	
Response to Arguments
Applicant's arguments filed 05/02/2022 have been fully considered but they are moot, because a new ground(s) of rejection has been issued, in view of Applicant's amendments to the claims, and the arguments do not apply to the new combination of references being used in the current rejection. 
		With respect to arguments on page 12, the Examiner notes that while Gervais does not explicitly state that different access criteria may be used for the retention and reference tables, paras30-32 teach access criteria associated with original data store being stricter than criteria associated with test data store/retention table, and paras67-72 teach access criteria associated with reference data (mapping between original and fictional value) within data de-identification service engine being more strict than first-second data stores/retention table.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 9-12, 15, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gervais (US 2010/0042583 A1) in view of McClintock (US 9,576,147 B1), Hebert (US 2018/0004978 A1) and LaFever (US 2018/0307859 A1).

Regarding claim 1,
Gervais teaches A computing system, comprising: a dataset including a plurality of data entries, at least some of the data entries including personally identifiable information (PII); and a personal data oversight machine configured to: receive an indication that a particular data entry includes PII; *see FIG.3, paras38-42(“At 302, original data is retrieved from one or more original data sources...original data is “automatically” searched for potential personal information...“personal information” searched for at 304 might represent potential PII values...[0042]...technique might employ user defined mapping...user might indicate via a GUI display that the third field in a particular data source contains personal information” teaches receiving indication for data entries with PII), para54(“At 702, original data is received from a data store. Metadata data and/or summary data associated with the original data is analyzed to create an inventory of elements in the original data at 704, and elements in the inventory are searched for potential personal information...”)
based on contents of the data entry, classify the data entry as including one or more of a plurality of types of PII by applying one or more data classification... of a set of candidate data classification... to the data entry; *see paras22-24(“...information in the original data source 120 might include "personal information”, such as a person's name...telephone number... [0024]...Other information...might not be considered personal information”), paras39-43(“...“personal information” searched for at 304 might represent potential PII values...potential personal information is associated with a name...Social Security number...telephone number...FIG.2. In this case, data de-identification service might automatically search for field names that begin with "Name” to determine data that potentially includes personal information (e.g., Name 204)... examine a beginning of a field, an end...technique might involve automatically searching for a field length and/or a field pattern...potential three-digit area codes might be compared to a reference table to determine whether or not a field contains valid telephone numbers...automatic search performed at 304 might be based on schema information, table information, metadata...” teaches identifying PII in data entries and classifying them into a known type such as Name/telephone number/ SSN), para54(“...elements in the inventory are searched for potential personal information based on at least one character matching rule at 706...”)
based on the one or more data classification ... applied to the data entry, apply one of a set of data management tags to the data entry, the set of data management tags including deletion, ..., and anonymization tags; and *see para44(“At 306, an obfuscation method is selected from a plurality of potential obfuscation methods [teaches ‘set of data management tags’]...may be used, for example, to de-identify potentially personal information...plurality of potential obfuscation methods might include, for example, a random assignment to de-identify information in the original data source...concatenation, truncation... uniform replacement... hashing, and/or substitution of a value from a reference table...information might be deleted [teaches ‘deletion’], encoded, encrypted, randomized, scrambled, mixed, and/or shuffled [teaches ‘anonymization’]... credit card number might be first scrambled and then truncated...”), para48(“...service might remember which fields contained personal information and which obfuscation methods were used for each of those fields... automatically replace potential personal information in the updated original data with fictional data in accordance with the stored information about the selected obfuscation methods and automatic replacement...”, Here, one or more obfuscation methods from a set are selected and applied based on field type, and it’s understood that this can be stored in the form of a tag or metadata associated with field, para76(“...in some cases fictitious data might not be used at all” indirectly teaches retention data management method)
based at least in part on the data management tag applied to the data entry being an anonymization tag, apply an anonymization operation to the data entry, *see para45(“At 308, the potential personal information in the original data is automatically replaced with fictional data in accordance with the selected obfuscation method [teaches ‘anonymization operation...’ ]...FIG. 4 illustrates the use of fictional data to replace information in an original data source...”)
	where the anonymization operation includes dividing the data entry between a retention table and a reference table, such that the retention table includes a unique identifier for a user associated with the data entry and an anonymized lookup value that replaces the PII of the data entry as stored in the retention table, and the reference table associates the anonymized lookup value with the PII of the data entry, and *see para45(“...FIG. 4 illustrates the use of fictional data to replace information in an original data source 400 in accordance with some embodiments of the present invention” teaches ‘retention table’ that includes unique identifiers and anonymous lookup values for PIIs (such as “NAME_43235”). Here, it is understood that the “data source identifier” may be the user identifier, and “policy identifier” teaches unique identifier), para44(“Other types of obfuscation methods might include...substitution of a value from a reference table (e.g., “New York” is always replaced with “Chicago')”), para53(“FIG. 6 is a tabular view of a portion of a reference database 600...table defines fields 602, 604, 606 for each of the entries that specify: a reference entry identifier 602, original information 604, and fictional replacement information 606...fictional replacement information 606 might include values or character strings that are to be substituted for particular items of original information 604 (e.g., "Jerry Westfield” might always replace “John Washington”)...” teaches ‘reference table’ including the lookup value ["Jerry Westfield”] and the PII [“John Washington”])
	where...access to the reference table is restricted by second access criteria, stricter than... *see paras30-32(“...data de-identification service engine 150 might...generate a test data store 122 based on information in the original data source...test data store122 might include similar information...as the original data source 120 without including, for example, any actual PIT or PHI values...application 112 can store information into and/or retrieve information from the test data store 122 in the testing and/or development environment without violating customer expectations or governmental regulations” teaches access criteria associated with original data store being stricter than access criteria associated with retention table [“test data store”]), paras67-72(“...FIG. 14 illustrates multiple data sources...stores... data de-identification service engine 1450 may retrieve primary information from the first original data source 1420A and supplemental information from the second original data source 1420B... data de-identification service engine 1450 creates “clean' versions (without personal information) as a first data store 1422A and a second data store... data de-identification service engine 1450 may automatically replace potential personal information in the supplemental data with fictional data, wherein if a first value in the first original data source 1420A was replaced with a second value, then that same first value in the supplemental data (e.g., the second original data source 1420B) would also be replaced with that same second value. In this way, a test application can access both the first data store 1422A and the second data store 1422B and identical elements in both stores will still have identical (but fictional) values...” teaches access criteria associated with reference data (mapping between original and fictional value) stored within data de-identification service engine being more strict than retention table [“first/second data stores”]),

	Gervais does not expressly teach “…applying one or more data classification tags of a set of candidate data classification tags ...based on the one or more data classification tags...apply one of a set of data management tags...the set of data management tags including deletion, retention, and anonymization tags; ...where access to the retention table is restricted by first access criteria, and access to the reference table is restricted by second access criteria, stricter than the first access criteria.”
	However, McClintock teaches … applying one or more data classification tags of a set of candidate data classification tags *see FIGS3,9, col5.L16-33(“tagging logic 112 may perform operations to determine a type tag 118 corresponding to a data type of the unencrypted data...type tag 118 [teaches ‘data classification tag’] may indicate that the data 120 includes a user name...user address...”), col9.L25-65(“FIG. 3 depicts an example 300 of applying a type tag 118 to the data 120...tagging logic 112...may determine a type tag 118 that describes the data type for the data 120...type tag 118 may be a text description of the data type, such as "email", "user name", "password", or "address". The type tag 118 may be one of an enumerated list of possible type tags 118 that each map to or otherwise correspond with a data type [teaches ‘set of candidate data classification tags’]”), col15.L28-col16.L12(“FIG. 9 depicts a flow diagram 900 of a process for determining a type tag 118 describing a data type of the data 120...At 910, the type tag 118 corresponding to the data type is determined. At 912, the tagged data 116 is generated to include the type tag 118 and the data 120”)
...based on the one or more data classification tags applied to the data entry, apply one of a set of data management tags... ...based at least in part on the data management tag applied to the data entry being an anonymization tag, apply an anonymization operation... *see FIGS.4,8, col2.L18-43(“...executable code that is configured to apply data usage policies [teaches ‘data management tag’] based on the type tag of the data [teaches ‘data classification tag’]...policy may indicate that data tagged as an email address may be passed to an application programming interface (API) that writes the data to a file on disk...a policy may indicate that data tagged as a credit card number or other payment instrument information may be written to a file or stored in a data storage system after the data has been redacted or obfuscated to prevent unauthorized use [policy examples teach ‘set of data management tags’]”), col6.L60-col7.L65 (“...action control logic 122 may access a file or other data structure that includes the policy information 124...type tag 118 may indicate that the data 120 is public,...or critical personally identifiable information (PII)...policy information 124 may include policies that indicate the action(s) 126 that may be performed on data 120 of various sensitivities.”), col10.L57-col11.L30 (“... result(s) 404 may also include allowing the action 126, but modifying the data 120 to filter, remove, obfuscate, or otherwise alter a portion of the data 120...” teaches data management/anonymization operations based on data classification/management tags), col14.L55-col15.L27(“...At 808, the action control logic 122 may perform one or more operations corresponding to the result(s) 404 of a policy 402 for the type tag 118 and the action(s) 126....”)
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gervais to incorporate the teachings of McClintock and enable Gervais to apply data classification and management tags, followed by data management/anonymization operation based on the tags, as doing so would enable implementing policies to obfuscate/redact/ prevent unauthorized use of private data (McClintock, col2.L18-29).

Hebert teaches ...the set of data management tags including deletion, retention, and anonymization tags; *see para62(“Table 10 presents a set of techniques for anonymization of data, which may be applied over the data in the current example 1. The techniques presented in Table 8 include a "none" technique [teaches ‘retention’ data management tag, under the broadest reasonable interpretation of the term ‘tag’], which defined no anonymization of the data. The techniques further include a "deletion" technique [teaches ‘deletion’ tag], which defined that an exclusion of a data field from the data is performed to achieve anonymization. The "none" technique have a score of 100, since according to such a technique no data is deleted and all data remains the same-therefore, the risk of re-identification is not reduced... The techniques also include pseudonymization, and binning. For example, the pseudonymization technique defines a procedure by which the most identifying fields from the data are replaced by one or more artificial identifiers, or "pseudonyms"” [teaches ‘anonymization’ tag])
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gervais to incorporate the teachings of Hebert and enable Gervais to incorporate set of data management tags including deletion, retention, and anonymization tags, as doing so would enable anonymizing data based on the chosen analytics goal (Hebert, paras22-23).

		LaFever teaches ...retention table includes a unique identifier for a user associated with the data entry and an anonymized lookup value that replaces the PII of the data entry as stored in the retention table, and the reference table associates the anonymized lookup value with the PII of the data entry, and where access to the retention table is restricted by first access criteria, and access to the reference table is restricted by second access criteria, stricter than the first access criteria. *see para138-139(“...Cleartext primary keys may be used internally within a Circle of Trust ("CoT") such as shown in FIG. 1C-1 to identify Data Subjects ...Dynamic Anonymity uses dynamically changing and re-assignable compound keys outside of a Circle of Trust which may be comprised of: (i) a DDID...Information regarding this association may not be made available outside of the Circle of Trust [teaches ‘reference data’ with ‘anonymized lookup value’ has stricter access criteria]...”), paras159-167: “...Storing resulting DDID associations/obscuring keys within a Circles of Trust...”), FIG.1D, paras409-418(“...CoT Trusted Party provides a DDID for the Data Subject” teaches reference data, “...sets of periodically-changing information (one for GPS data, one for blood pressure levels), each consisting of DDIDs, offsets (to obscure blood pressure level data and geographic position), and encryption keys...” teaches retention data), FIG.1E, paras425-440(“...Trusted Party contacts healthcare-related data stores to find individuals who are between 20-30 years old with STDs...healthcare-related data stores (which store diagnoses by DDIDs rather than by identifiable keys [teaches ‘retention data’]) find matching records...Trusted Party then resolves these DDIDs to unveil identified individuals... Trusted Party filters that list by those whose privacy/anonymity policies allow this particular kind of query [teaches ‘reference data’ stored by TP, has stricter access criteria”), FIG.1F, FIG.1G: paras455-463(“...After the physician selects a range of time to view, the viewer application requests the relevant DDIDs and offsets...Trusted Party validates the physician's access to this information (checking the patient's privacy/anonymity policy rules [teaches access criteria for reference data]) and then returns the DDIDs and offset...viewer application then contacts its own corporate website, requests the blood pressure data corresponding to those DDIDs, receives the result, applies the offsets, and renders the blood pressure levels as a graph...note that the permission to view the blood pressure data is enforced within the Circle of Trust [teaches access criteria for retention data]..."), FIG.1Y, paras578-581(“...FIG. lY-1, the system may also establish a persistent mapping in a data store for future use (Step 4). The system then accesses the user-specified de-identified data and JITI key, reverses the de-identification mappings per the data contained in the JITI key, and finally may return the requested re-identified data to the user or another authorized destination configured by the user (Step 5)...Multiple users may be permitted to re-identify different sets of R-DDIDs and A-DDIDs based on the access rights they have to the underlying data elements”), paras686-87(“...At step 5, keys necessary to understand the association(s) between the one or more DDIDs and the obscured sensitive data elements are securely stored in a Circle of Trust (CoT). At step 6, keys necessary to understand the association(s) between the one or more DDIDs and the obscured sensitive data elements that are securely stored in a Circle of Trust (CoT) are made available only to authorized parties [teaches stricter access criteria]...”)
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gervais to incorporate the teachings of LaFever and enable Gervais to associate different access criteria with retention and reference tables, where access criteria for reference table is stricter than the retention table, as doing so would foster safer data-related collection, use, research and/or analysis while meeting stringent privacy, anonymity and security criteria (LaFever, para48).

Regarding claim 2,
	Gervais as modified by McClintock, Hebert and LaFever teaches all the claimed limitations as set forth in the rejection of claim 2 above.
Gervais as modified by Hebert further teaches The computing system of claim 1, where the personal data oversight machine is further configured to apply one of a deletion operation, a retention operation, or a second anonymization operation to a second data entry based on a data management tag applied to the second data entry. *see Gervais, paras44-48(“At 306, an obfuscation method is selected from a plurality of potential obfuscation methods... information might be deleted, encoded, encrypted, randomized, scrambled [teaches deletion & anonymization]... At 308, the potential personal information in the original data is automatically replaced with fictional data in accordance with the selected obfuscation method [teaches ‘anonymization operation’]...FIG. 4 illustrates the use of fictional data to replace information in an original data source...”), Hebert, para62(“Table 10 presents a set of techniques for anonymization of data, which may be applied over the data in the current example 1. The techniques presented in Table 8 include a "none" technique [teaches ‘retention’], which defined no anonymization of the data...a "deletion" technique, which defined that an exclusion of a data field from the data is performed to achieve anonymization... pseudonymization technique defines a procedure by which the most identifying fields from the data are replaced by one or more artificial identifiers [teaches ‘anonymization’]), para87(“At 440, at least one of the anonymization techniques is determined to be applied over the data set. In some example, a combination of anonymization techniques may be applied over the data set. At 445, based on the determined at least one anonymization technique, the data set is anonymized [teaches ‘data management operation’]”)

Regarding claim 9,
	Gervais as modified by McClintock, Hebert and LaFever teaches all the claimed limitations as set forth in the rejection of claim 1 above.
	Gervais further teaches The computing system of claim 1, where the personal data oversight machine is further configured to scan data entries in the dataset and automatically identify which data entities include PII. *see para38(“At 302, original data is retrieved from one or more original data sources...At 304, the original data is “automatically searched for potential personal information. As used herein, the term “automatically indicates that at least some part of a step associated with a process or service is performed with little or no human intervention...”), para54(“At 702, original data is received from a data store. Metadata data and/or summary data associated with the original data is analyzed to create an inventory of elements in the original data at 704, and elements in the inventory are searched for potential personal information...”)

Regarding claim 10,
	Gervais as modified by McClintock, Hebert and LaFever teaches all the claimed limitations as set forth in the rejection of claim 9 above.
	Gervais further teaches The computing system of claim 9, where the personal data oversight machine is further configured to verify that each data entry including PII has one or more data classification tags and a data management tag. *see paras47-51(“automatic replacement performed at 308 includes creating database “scripts” to be used during a database refresh process...script might be embedded such that it may be repeatedly executed as appropriate (e.g., on a periodic basis... [0048]...service might remember which fields contained personal information and which obfuscation methods were used for each of those fields. In this way, the server can later retrieve updated original data from the data source, and then automatically replace potential personal information in the updated original data with fictional data in accordance with the stored information about the selected obfuscation methods and automatic replacement... [0051] ...fictional data may be verified at 310 after it is placed in a test data store. For example, a user might select a “Verify” icon via a GUI display to execute a verification process on the fictional data (e.g., to ensure that the data is formatted in an appropriate way and/or that personal information has not been mistakenly included in a test data store)”, Here, when database scripts are executed periodically or when user verifies, obfuscation/de-identification of data is being “refreshed/ repeated...as appropriate”- this teaches that fields [‘data classification’], assigned obfuscation method [‘data management tag’] are reviewed/verified in the process)

Regarding claim 11,
	Gervais as modified by McClintock, Hebert and LaFever teaches all the claimed limitations as set forth in the rejection of claim 1 above.
	Gervais further teaches The computing system of claim 1, where the personal data oversight machine is further configured to, after a predetermined interval has elapsed, query a source of the data entry to verify that the anonymization operation was performed.*see paras47-51(“automatic replacement performed at 308 includes creating database “scripts” to be used during a database refresh process...script might be embedded such that it may be repeatedly executed as appropriate (e.g., on a periodic basis... [0048]...service might remember which fields contained personal information and which obfuscation methods were used for each of those fields... [0051]...fictional data may be verified at 310 after it is placed in a test data store. For example, a user might select a “Verify” icon via a GUI display to execute a verification process on the fictional data (e.g., to ensure that the data is formatted in an appropriate way and/or that personal information has not been mistakenly included in a test data store)”, Here, when database scripts are executed periodically or when user verifies, obfuscation/de-identification of data is being “refreshed/ repeated...as appropriate”- this teaches that data is being verified in the process to check if obfuscation/anonymization was done

Regarding claim 12,
	Gervais as modified by McClintock, Hebert and LaFever teaches all the claimed limitations as set forth in the rejection of claim 1 above.
	Gervais further teaches The computing system of claim 1, where the set of candidate data classification tags includes one or more of a real-name tag, an email address tag, a phone number tag, a financial information tag, a geographic location tag, an IP address tag, and a social security number tag. *see para39(“By way of example only, the potential “personal information' searched for at 304 might represent potential PII values...According to some embodiments, the potential personal information is associated with a name (e.g., of a person or company), a Social Security number, an address, a date of birth or death, a telephone number, or email address. Other types of personal information might be associated with financial information....” teaches potential PII values, read on ‘data classification tags’ listed in the claim) 

Regarding claim 15,
		Claim 15 recites substantially the same claim limitations as claim 1, and is rejected for the same reasons.

Regarding claim 20,
		Claim 20 recites substantially the same claim limitations as claims 1 and 12, and is rejected for similar reasons. 

Claims 3, 13-14 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Gervais in view of McClintock, Hebert, LaFever and Marelas (US 10,380,098 B1)

Regarding claim 3,
	Gervais as modified by McClintock, Hebert and LaFever teaches all the claimed limitations as set forth in the rejection of claim 2 above.
	Gervais further teaches The computing system of claim 2, where the second anonymization operation includes hashing the second data entry... *see para44(“At 306, an obfuscation method is selected from a plurality of potential obfuscation methods... may be used, for example, to de-identify potentially personal information...plurality of potential obfuscation methods might include, for example, a random assignment to de-identify information in the original data source...hashing [teaches ‘anonymization ...includes hashing...’]...encoded, encrypted, randomized...”),
	However, Gervais does not teach ...hashing the second data entry with a random salt that is deleted after a predetermined interval. 
	Marelas teaches ...hashing the second data entry with a random salt that is deleted after a predetermined interval. *see C12.L26-477(“...commonality of retention period can be reflected by the use of an additional salt that is applied to all the data/backups in the data set that have the same retention period. The additional salt can be applied even if the data sets sharing the same retention period, and/or other common characteristic(s), are associated with different respective users...additional salt is appended to the user salt 772 to form a 'user salt+monthly retention salt' 774. The appending of the additional salt to the user salt 772 can be performed before, or after, the user salt 722 is associated with the file object(s) 770...the combination of the salts 774 and file object(s) 770 can then be hashed...” teaches hashing data with a random salt, that is deleted after a ‘predetermined interval’, which is monthly here)
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gervais to incorporate the teachings of Marelas and enable Gervais to incorporate hashing with a random salt that is deleted after an interval, as doing so would enable salting content based on shared common properties, such as an expiration period (Marelas, C12.L18-25).

Regarding claim 13,
	Gervais as modified by McClintock, Hebert and LaFever teaches all the claimed limitations as set forth in the rejection of claim 1 above.
	Gervais does not expressly teach The computing system of claim 1, where applying the retention data management tag includes defining a retention period during which a retained data entry should be retained. 
	However, Hebert and Marelas teach ...where applying the retention data management tag includes defining a retention period during which a retained data entry should be retained. *see Hebert, para62(“Table 10 presents a set of techniques for anonymization of data, which may be applied over the data in the current example 1. The techniques presented in Table 8 include a "none" technique [teaches ‘retention’ data management tag, under the broadest reasonable interpretation of the term ‘tag’], which defined no anonymization of the data”), Marelas, C11.L37-42(“...every piece of data that is written to the storage has an implied expiration period. This is the period in which the data should be retained in the storage system before it is no longer required...”), C12.L26-477(“...involves deduplicated backups that are targeted for tiering to the cloud, the deduplicated backups are part of the same data set and have the same retention period... commonality of retention period can be reflected by the use of an additional salt that is applied to all the data/backups in the data set that have the same retention period ...”); It is understood that a retention period, as taught by Marelas, can be associated with content that were tagged with “none” anonymization technique, as taught by Hebert)
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gervais to incorporate the teachings of Hebert and Marelas and enable Gervais to incorporate retention periods for content associated with retention tag, as doing so would enable knowing how long data should be retained in the storage system before it is no longer required and can be deleted, and the vacated space reclaimed for use deleted (Marelas, C11).

Regarding claim 14,
	Gervais as modified by McClintock, Hebert, LaFever and Marelas teaches all the claimed limitations as set forth in the rejection of claim 13 above.
	Gervais and Marelas further teach The computing system of claim 13, where the personal data oversight machine is further configured to, after the retention period has elapsed, reapply one of the set of data management tags to the retained data entry. *see Marelas, C11.L37-42, C12.L26-477(teaches ‘retention period’) and Gervais, paras47-51(“automatic replacement performed at 308 includes creating database “scripts” to be used during a database refresh process...script might be embedded such that it may be repeatedly executed as appropriate (e.g., on a periodic basis [teaches obfuscation/replacement ‘period’]... [0048]...service might remember which fields contained personal information and which obfuscation methods were used for each of those fields. In this way, the server can later retrieve updated original data from the data source, and then automatically replace potential personal information in the updated original data with fictional data in accordance with the stored information about the selected obfuscation methods and automatic replacement... [0051]...fictional data may be verified at 310 after it is placed in a test data store. For example, a user might select a “Verify” icon via a GUI display to execute a verification process on the fictional data (e.g., to ensure that the data is formatted in an appropriate way and/or that personal information has not been mistakenly included in a test data store)”, Here, when database scripts are executed periodically or when user verifies, obfuscation/de-identification of data is being “refreshed/ repeated...as appropriate”- this teaches that fields and assigned obfuscation method [‘data management tag’] are reviewed/repeated after period elapses)

Regarding claim 16,
		Claim 16 recites substantially the same claim limitations as claims 2 and 3, and is rejected for the same reasons.

Claims 4-5 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Gervais in view of McClintock, Hebert, LaFever, Marelas and Chan (US 2002/0087890 A1)

Regarding claim 4,
	Gervais as modified by McClintock, Hebert and LaFever teaches all the claimed limitations as set forth in the rejection of claim 2 above.
	Gervais further teaches The computing system of claim 2, where the second anonymization operation includes hashing the second data entry... *see para44(“At 306, an obfuscation method is selected from a plurality of potential obfuscation methods... may be used, for example, to de-identify potentially personal information...plurality of potential obfuscation methods might include, for example, a random assignment to de-identify information in the original data source...hashing [teaches ‘anonymization ...includes hashing...’]...encoded, encrypted, randomized...”),
However, Gervais does not teach ... with a user-specific salt stored in a lookup table.
Marelas teaches ... with a user-specific salt... *see C3.L23-56(“...user level content salting is employed in which each user is assigned a unique system-wide marker, which may be referred to herein as a salt, that persists as long as the user exists in the system. Each time that user connects to the system, the salt assigned to that user is obtained and the salt is then associated with any data generated by that user... Once the salt has been associated with the user data, the combination of the user data and the salt is used to generate a hash. Because this hash includes the user specific salt, the hash of the data+salt combination is also specific to that user. The salt can then be recorded both against the namespace of the user object that includes the data that was hashed, and against the hash itself” teaches hashing data with a user-specific salt and recording/storing the salt, possibly in a table)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gervais to incorporate the teachings of Marelas and enable Gervais to incorporate hashing with a user-specific salt, as doing so would enable identifying duplicate data generated by the same user (Marelas, C12).

Chan teaches ...salt stored in a lookup table. *see FIGS.2,6-7, para16(“...a salt value is retrieved for the specific application if it exists in table entry 200... RNG 205 generates a salt value that is entered in table entry 200 that is associated with the specific application”), para21(“...operation 620 queries table entry 200 and searches for an application name and associated salt. If a salt does not exist for a selected application, operation 630 generates a salt for the selected application. After a salt is generated, in one embodiment operation 635 stores salt in table entry 200...” teaches salt being stored in a lookup table)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gervais to incorporate the teachings of Chan and enable Gervais to support storing salt in a lookup table, as doing so would enable generating an application specific password that is a hash of password, identification and salt value (Chan, para17).

Regarding claim 5,
	Gervais as modified by McClintock, Hebert, LaFever, Marelas and Chan teaches all the claimed limitations as set forth in the rejection of claim 4 above.
	Marelas further teaches The computing system of claim 4, where the personal data oversight machine is further configured to, after receiving a request to delete personal data associated with the user, delete the user-specific salt. *see C3.L23-56(“...user level content salting is employed in which each user is assigned a unique system-wide marker, which may be referred to herein as a salt, that persists as long as the user exists in the system...” teaches user-specific salt deleted when corresponding user data is deleted from the system)

Regarding claim 17,
		Claim 17 recites substantially the same claim limitations as claims 2 and 4, and is rejected for the same reasons.

Claims 6 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gervais in view of McClintock, Hebert, LaFever, and Chan. 

Regarding claim 6,
	Gervais as modified by McClintock, Hebert and LaFever teaches all the claimed limitations as set forth in the rejection of claim 2 above.
	Gervais does not expressly teach The computing system of claim 2, where the second anonymization operation includes hashing the second data entry with a service-specific salt stored in a lookup table. 
	However, Chan teaches ... where the second anonymization operation includes hashing the second data entry with a service-specific salt stored in a lookup table. *see FIGS.2,6-7, paras16-17(“...a salt value is retrieved for the specific application if it exists in table entry 200... RNG 205 generates a salt value that is entered in table entry 200 that is associated with the specific application... Client password generator 110 uses the strong password or passphrase, user identification and salt value to generate an application specific password that is a hash of the strong password or passphrase, user identification and salt value”), para21(“...Operation 650 generates an application specific password that is a hash of the user identification, strong password or passphrase and salt that is associated for the specified application...” teaches hashing using application/service-specific salt stored in a lookup table)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gervais to incorporate the teachings of Chan and enable Gervais to support hashing using application-specific salt in a lookup table, as doing so would enable generating an application specific password that is a hash of password, identification and salt (Chan, para17).

Regarding claim 18,
		Claim 18 recites substantially the same claim limitations as claims 2 and 6, and is rejected for the same reasons.
 
Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Gervais in view of McClintock, Hebert, LaFever, Chan and Mahaffey (US 2011/0047033 A1)

Regarding claim 7,
	Gervais as modified by McClintock, Hebert, LaFever and Chan teaches all the claimed limitations as set forth in the rejection of claim 6 above.
	Gervais does not expressly teach The computing system of claim 6, where the personal data oversight machine is further configured to, after receiving a request to delete personal data of a user associated with the second data entry, delete the service-specific salt and generate a new service-specific salt. 
	However, Mahaffey teaches ...after receiving a request to delete personal data of a user associated with the second data entry, delete the service-specific salt and generate a new service-specific salt. *see para111(“...server hashes the password with the verification salt and compares it to the expected verification hash result 1604. If the password is correct, the server hashes the password with the “challenge’ salt to build the authentication credential...password is discarded after the authentication credential is generated...server only temporarily stores the authentication credential while it is sending commands to the device and receiving status from the device corresponding to the secured remote access commands. After the credential is not needed for specific commands requested by the user, it is discarded. After any commands are completed, the software on the mobile device may send a new “challenge’ salt to the server 1611 to prevent the server from using the previous authentication credential again. After receiving the new 'challenge’ salt, the server discards the old “challenge’ salt 1612...” teaches service-specific salt (challenge token/verification salt for remote access/commands) being discarded and new salt being generated after data associated with user (authentication credential) is discarded)
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Gervais to incorporate the teachings of Mahaffey and enable Gervais to delete the service-specific salt and generate a new service-specific salt after receiving a request to delete personal data of a user associated with the data entry, as doing so would enable preventing attacks where previously used credentials are used (Mahaffey, para111).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure
Emam (“Protecting Privacy Using k-Anonymity”, 2008) discusses and evaluates various anonymization and re-identification scenarios and metrics.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANUGEETHA KUNJITHAPATHAM whose telephone number is (408)918-7510. The examiner can normally be reached M-F 9-5 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Aleksandr Kerzhner can be reached on (571) 270-1760. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/A.K./Examiner, Art Unit 2165                                                                                                                                                                                                        
/ALEKSANDR KERZHNER/Supervisory Patent Examiner, Art Unit 2165