DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .  This Office Action is in response to the application filed on 10/28/2020. Claims 1-20 are examined.

Drawing Objections
The drawings are objected to because the label for Fig. 1 should read “100” not “102”.  Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Claim Objections
Claim 16-20 objected to because of the following informalities:  
For claims 16-20, “The program product of claim” should read “The computer program product of claim”
Appropriate correction is required.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-20 is/are rejected under 35 U.S.C. 102(a)(1) as being Anticipated by Barday (U.S. 20200050792).

Regarding claim 1,
Barday discloses: A computer-implemented method for processing ([0005] A computer-implemented method; [0005] managing the data subject access requests) privacy requests related to information privacy ([0008] a request to delete a data subject's personal data), the method comprising: receiving, by a server computing system, data related to a privacy request for personal information associated with a person ([0008] receiving, by one or more computer processors, a request from a data subject to delete the data subject's personal data from one or more computer systems of an organization), the data related to the privacy request sent by an agent of the person to a company ([0084] before processing the DSAR, confirm that the DSAR was actually submitted by the particular data subject of the DSAR (or, for example, by an individual authorized to make the DSAR on the data subject's behalf, such as a parent, guardian, power-of-attorney holder, etc.)) from a computer system associated with the agent ([0084] the system receives the DSAR via a third-party computer system), the agent acting on behalf of the person as related to the information privacy ([0084] an individual authorized to make the DSAR on the data subject's behalf) the personal information stored in one or more databases associated with the server computing system ([0008] one or more computing devices on which the data subject's personal data is stored; [0093] One or More Databases); confirming, by the server computing system, that the person authorizes the agent to act on behalf of the person as related to the information privacy ([0084] confirm that the DSAR was actually submitted by… an individual authorized to make the DSAR on the data subject's behalf); and based on successful confirmation that the person authorizes the agent, processing, by the server computing system, the privacy request on behalf of the company ([0084] if the DSAR was submitted by the particular data subject, advance the processing of the DSAR).

Regarding claim 2, 
Barday discloses: The computer-implemented method of claim 1, wherein receiving the data related to the privacy request comprises
Additionally, Barday discloses: receiving data related to a proof that the person authorizes the agent to act on behalf of the person ([0084] if the system receives the DSAR via a third-party computer system, the system may validate authentication via API secret, or by requiring a copy of one or more particular legal documents (e.g., a particular contract between two particular entities).

Regarding claim 3,
Barday discloses: The computer-implemented method of claim 2, wherein confirming that the person authorizes the agent to act on behalf of the person comprises
Additionally Barday discloses: determining, by the server computer system, validity of the data related to the proof that the person authorizes the agent ([0084] confirm that the DSAR was actually submitted by the particular data subject of the DSAR (or, for example, by an individual authorized to make the DSAR; a copy of one or more particular legal documents (e.g., a particular contract between two particular entities)).

Regrading claim 4,
Barday discloses: The computer-implemented method of claim 3, wherein determining the validity of the data related to the proof comprises 
Additionally Barday discloses: communicating, by the server computing system, with a computer system associated with the person to confirm that the person authorizes the agent ([0165] In other embodiments, the system may be configured to authenticate a request via integration with a company's employee or customer (e.g., consumer) authentication process. For example, in response to receiving a data subject access request that indicates that the data subject is an employee of the company receiving the data subject access request, the system may be configured to prompt the employee to login to the company's employee authentication system (e.g., Okta, Azure, AD, etc.) In this way, the system may be configured to authenticate the requestor based at least in part on the requestor successfully logging into the authentication system using the data subject's credentials).

Regarding claim 5, 
Barday discloses: The computer-implemented method of claim 4, wherein determining the validity of the data related to the proof comprises: 
Additionally Barday discloses: determining, by the server computing system, identification information of the agent ([0084] any suitable method may be used to confirm the identity of the entity/individual submitting the DSAR); and confirming, by the server computing system, that the identification information of the agent is consistent with identification information included in the data related to the proof ([0161] the system is configured to substantially automatically compare one or more pieces of information provided as part of the data subject access request to one or more pieces of data received from a third-party data aggregation service in order to substantially automatically verify the requestor's identity).

Regarding claim 6, 
Barday discloses: The method of claim 5, based on successfully confirming the validity of the data related to the proof, further comprising: 
Additionally, Barday discloses: associating, by the server computing system, the person with the data related to the proof; storing, by the server computing system, the data related to the proof in the one or more databases associated with the server computing system ([0168] In various embodiments, the system is configured to maintain a database of the identified one or more sources (e.g., in computer memory)); and using, by the server computing, the data related to the proof to process a subsequent privacy request received from the agent on behalf of the person ([0168] in response to receiving a new data subject access request, cross reference the request with the blacklist to determine if the requestor is on the blacklist or is making the request from a blacklisted source).

Regarding claim 7,
Barday discloses: The computer-implemented method of claim 6, wherein processing the privacy request on behalf of the company comprises: 
Additionally Barday discloses: searching, by the server computing system, the one or more databases using a first identifier included in the data related to the privacy request to identify a second identifier related to the first identifier, the first and second identifiers associated with the person; verifying, by the server computing system, identity of the person using at least the second identifier; and based on successfully verifying the identity of the person ([0160] verify that the requestor is the data subject by prompting the requestor to answer one or more knowledge-based authentication questions (e.g., out-of-wallet questions). In particular embodiments, the system is configured to utilize one or more third-party services as a source of such questions (e.g., any of the suitable third-party sources discussed immediately above). The system may use third-party data from the one or more third-party sources to generate one or more questions. These one or more questions may include questions that a data subject should know an answer to without knowing the question ahead of time (e.g., one or more previous addresses, a parent or spouse name and/or maiden name, etc.)): generating, by the server computing system, a notification indicating that the data related to the privacy request is accepted ([0179] results of a data subject access request, provided in one or more messages confirming receipt); and searching, by the server computing system, the one or more databases for the personal information of the person based on one or more of the first identifier and the second identifier ([0008] identifying, by one or more computer processors, one or more computing devices on which the data subject's personal data is stored). 

Regarding claim 8,
Barday discloses: A system for processing ([0005] A computer-implemented method; [0005] managing the data subject access requests) privacy requests related to information privacy ([0008] a request to delete a data subject's personal data) comprising: one or more processors; and a non-transitory computer readable medium storing a plurality of instructions, which when executed, cause the one or more processors of a server computing system to: receive, data related to a privacy request for personal information associated with a person ([0008] receiving, by one or more computer processors, a request from a data subject to delete the data subject's personal data from one or more computer systems of an organization), the data related to the privacy request sent by an agent of the person to a company ([0084] before processing the DSAR, confirm that the DSAR was actually submitted by the particular data subject of the DSAR (or, for example, by an individual authorized to make the DSAR on the data subject's behalf, such as a parent, guardian, power-of-attorney holder, etc.)) from a computer system associated with the agent ([0084] the system receives the DSAR via a third-party computer system), the agent acting on behalf of the person as related to the information privacy ([0084] an individual authorized to make the DSAR on the data subject's behalf) the personal information stored in one or more databases associated with the server computing system ([0008] one or more computing devices on which the data subject's personal data is stored; [0093] One or More Databases); confirming, by the server computing system, that the person authorizes the agent to act on behalf of the person as related to the information privacy ([0084] confirm that the DSAR was actually submitted by… an individual authorized to make the DSAR on the data subject's behalf); and based on successful confirmation that the person authorizes the agent, processing, by the server computing system, the privacy request on behalf of the company ([0084] if the DSAR was submitted by the particular data subject, advance the processing of the DSAR).

Regarding claim 9, 
Barday discloses: The system of claim 8, wherein the instructions to receive the data related to the privacy request comprises
Additionally, Barday discloses: receiving data related to a proof that the person authorizes the agent to act on behalf of the person ([0084] if the system receives the DSAR via a third-party computer system, the system may validate authentication via API secret, or by requiring a copy of one or more particular legal documents (e.g., a particular contract between two particular entities).

Regarding claim 10,
Barday discloses: The system of claim 9, wherein the instructions confirm that the person authorizes the agent to act on behalf of the person comprises
Additionally Barday discloses: instructions to determine the validity of the data related to the proof that the person authorizes the agent ([0084] confirm that the DSAR was actually submitted by the particular data subject of the DSAR (or, for example, by an individual authorized to make the DSAR; a copy of one or more particular legal documents (e.g., a particular contract between two particular entities)).

Regrading claim 11,
Barday discloses: The system of claim 10, wherein the instructions to determine the validity of the data related to the proof comprises.
Additionally Barday discloses: instructions to communicate with a computer system associated with the person to confirm that the person authorizes the agent ([0165] In other embodiments, the system may be configured to authenticate a request via integration with a company's employee or customer (e.g., consumer) authentication process. For example, in response to receiving a data subject access request that indicates that the data subject is an employee of the company receiving the data subject access request, the system may be configured to prompt the employee to login to the company's employee authentication system (e.g., Okta, Azure, AD, etc.) In this way, the system may be configured to authenticate the requestor based at least in part on the requestor successfully logging into the authentication system using the data subject's credentials).

Regarding claim 12, 
Barday discloses: The system of claim 11, wherein the instructions to determine the validity of the data related to the proof comprises; 
Additionally Barday discloses: instructions to: determine identification information of the agent ([0084] any suitable method may be used to confirm the identity of the entity/individual submitting the DSAR); and confirming that the identification information of the agent is consistent with identification information included in the data related to the proof. ([0161] the system is configured to substantially automatically compare one or more pieces of information provided as part of the data subject access request to one or more pieces of data received from a third-party data aggregation service in order to substantially automatically verify the requestor's identity).

Regarding claim 13, 
Barday discloses: The system of claim 12, based on successfully confirming the validity of the data related to the proof, further comprising
Additionally, Barday discloses: instructions to: associate the person with the data related to the proof; store the data related to the proof in the one or more databases associated with the server computing system ([0168] In various embodiments, the system is configured to maintain a database of the identified one or more sources (e.g., in computer memory)); and use the data related to the proof to process a subsequent privacy request received from the agent on behalf of the person ([0168] in response to receiving a new data subject access request, cross reference the request with the blacklist to determine if the requestor is on the blacklist or is making the request from a blacklisted source).

Regarding claim 14,-26-
Barday discloses: The system of claim 13, wherein the instructions to process the privacy request on behalf of the company comprises instructions to:
Additionally Barday discloses: Attorney Docket No.: DATAP003search the one or more databases using a first identifier included in the data related to the privacy request to identify a second identifier related to the first identifier, the first and second identifiers associated with the person; verify identity of the person using at least the second identifier; and based on successfully verifying the identity of the person ([0160] verify that the requestor is the data subject by prompting the requestor to answer one or more knowledge-based authentication questions (e.g., out-of-wallet questions). In particular embodiments, the system is configured to utilize one or more third-party services as a source of such questions (e.g., any of the suitable third-party sources discussed immediately above). The system may use third-party data from the one or more third-party sources to generate one or more questions. These one or more questions may include questions that a data subject should know an answer to without knowing the question ahead of time (e.g., one or more previous addresses, a parent or spouse name and/or maiden name, etc.)): generate a notification indicating that the data related to the privacy request is accepted ([0179] results of a data subject access request, provided in one or more messages confirming receipt); and search the one or more databases for the personal information of the person based on one or more of the first identifier and the second identifier ([0008] identifying, by one or more computer processors, one or more computing devices on which the data subject's personal data is stored). 

Regarding claim 15,
Barday discloses: A computer program product for processing ([0005] A computer-implemented method; [0005] managing the data subject access requests) privacy requests ([0008] a request to delete a data subject's personal data) comprising computer-readable program code to be executed by one or more processors when retrieved from a non-transitory computer-readable medium, the program code including instructions to: receive, data related to a privacy request for personal information associated with a person ([0008] receiving, by one or more computer processors, a request from a data subject to delete the data subject's personal data from one or more computer systems of an organization), the data related to the privacy request sent by an agent of the person to a company ([0084] before processing the DSAR, confirm that the DSAR was actually submitted by the particular data subject of the DSAR (or, for example, by an individual authorized to make the DSAR on the data subject's behalf, such as a parent, guardian, power-of-attorney holder, etc.)) from a computer system associated with the agent ([0084] the system receives the DSAR via a third-party computer system), the agent acting on behalf of the person as related to the information privacy ([0084] an individual authorized to make the DSAR on the data subject's behalf) the personal information stored in one or more databases associated with the server computing system ([0008] one or more computing devices on which the data subject's personal data is stored; [0093] One or More Databases); confirming, by the server computing system, that the person authorizes the agent to act on behalf of the person as related to the information privacy ([0084] confirm that the DSAR was actually submitted by… an individual authorized to make the DSAR on the data subject's behalf); and based on successful confirmation that the person authorizes the agent, processing, by the server computing system, the privacy request on behalf of the company ([0084] if the DSAR was submitted by the particular data subject, advance the processing of the DSAR).

Regarding claim 16, 
Barday discloses: The program product of claim 15, wherein the instructions to receive the data related to the privacy request comprises
Additionally, Barday discloses: receiving data related to a proof that the person authorizes the agent to act on behalf of the person ([0084] if the system receives the DSAR via a third-party computer system, the system may validate authentication via API secret, or by requiring a copy of one or more particular legal documents (e.g., a particular contract between two particular entities).

Regarding claim 17,
Barday discloses: The program product of claim 16, wherein the instructions confirm that the person authorizes the agent to act on behalf of the person comprises
Additionally Barday discloses: instructions to determine the validity of the data related to the proof that the person authorizes the agent ([0084] confirm that the DSAR was actually submitted by the particular data subject of the DSAR (or, for example, by an individual authorized to make the DSAR; a copy of one or more particular legal documents (e.g., a particular contract between two particular entities)).

Regrading claim 18,
Barday discloses: The program product of claim 17, wherein the instructions to determine the validity of the data related to the proof comprises.
Additionally Barday discloses: instructions to communicate with a computer system associated with the person to confirm that the person authorizes the agent ([0165] In other embodiments, the system may be configured to authenticate a request via integration with a company's employee or customer (e.g., consumer) authentication process. For example, in response to receiving a data subject access request that indicates that the data subject is an employee of the company receiving the data subject access request, the system may be configured to prompt the employee to login to the company's employee authentication system (e.g., Okta, Azure, AD, etc.) In this way, the system may be configured to authenticate the requestor based at least in part on the requestor successfully logging into the authentication system using the data subject's credentials).

Regarding claim 19, 
Barday discloses: The program product of claim 18, wherein the instructions to determine the validity of the data related to the proof comprises; 
Additionally Barday discloses: instructions to: determine identification information of the agent ([0084] any suitable method may be used to confirm the identity of the entity/individual submitting the DSAR); and confirming that the identification information of the agent is consistent with identification information included in the data related to the proof. ([0161] the system is configured to substantially automatically compare one or more pieces of information provided as part of the data subject access request to one or more pieces of data received from a third-party data aggregation service in order to substantially automatically verify the requestor's identity).

Regarding claim 20, 
Barday discloses: The program product of claim 16, based on successfully confirming the validity of the data related to the proof, further comprising
Additionally, Barday discloses: instructions to: associate the person with the data related to the proof; store the data related to the proof in the one or more databases associated with the server computing system ([0168] In various embodiments, the system is configured to maintain a database of the identified one or more sources (e.g., in computer memory)); and use the data related to the proof to process a subsequent privacy request received from the agent on behalf of the person ([0168] in response to receiving a new data subject access request, cross reference the request with the blacklist to determine if the requestor is on the blacklist or is making the request from a blacklisted source).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's
disclosure.
Barday 6/8/2018 (US 20180373890) teaches validation of 3rd party access requests.
Hammad 4/10/2012 (US 20120259782) teaches generation of tokens for entity authentication.
Kim 5/2/2017 (US 20170324586) teaches generation of identifiers for user identification.
Steiner 9/30/2013 (US 20150095968) teaches Authentication based on type of user.
Dabbs 8/31/2020 (US 20220067130) teaches data access verification.
Hockey 4/15/2019 (US 20190318122) teaches 3rd party data access control.
Singh 7/11/2017 (US 20180183803) teaches database access control for multiple users.
Naujok 12/18/2020 (US 20210204116) teaches third party identity access and authorization for databases.
Coyle 3/28/2014 (US 9483535) teaches a method for expanding possible identifiers used for searching databases.


Any inquiry concerning this communication or earlier communications from the examiner
should be directed to THOMAS A CARNES whose telephone number is (571)272-4378. The examiner can
normally be reached Monday-Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a
USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use
the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor,
Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where
this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from
Patent Center. Unpublished application information in Patent Center is available to registered users. To
file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit
https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and
https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional
questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like
assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or
571-272-1000.
/T.A.C./
Examiner, Art Unit 2436

/MOHAMMAD W REZA/Primary Examiner, Art Unit 2436