DETAILED ACTION
	This Office Action is in response to the Amendment filed on 07/29/2022.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments with respect to claims 1, 9, 13 have been considered but are moot in view of the new ground(s) of rejection below.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 4-9, 12-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Stern et al. (US 2019/0392162 A1-hereinafter Stern.)
Regarding claim 1, Stern discloses a computer implemented method of managing consent for sharing data, the method comprising: 
storing data sharing preferences for a data subject in relation to data held by a plurality of data controllers (at least figure 1, element 150, [0016], the verification system storing consents for user personal data held by a plurality of IoT devices), the data sharing preferences comprising: 
requestor type sharing preferences comprising: 
a first organization categorized under a first organization type (at least [0011]-[0012][0024], i.e.: doctor/medical office); 
a second organization categorized under a second organization type (at least [0011][0032]-[0033], i.e.: coach/physical therapist/fitness organization); 
a first organization type data sharing preference indicating a preference of whether to share data with the first organization type (at least [0016][0028] [0032]-[0033], i.e.: a consent verification for permitting medical office to access personal data of user); and 
a second organization type data sharing preference indicating a preference of whether to share data with the second organization type (at least [0016][0028][0032]-[0033], a consent verification for permitting coach/ physical therapist/fitness organization to access personal data of user); and 
data type sharing preferences (at least [0028][0032], i.e.: data such as mile time and how far a user can run can be shared with a coach/physical therapist/fitness organization, while data such as blood pressure and heart rate can be shared with doctor/medical office); 
receiving a data share request from a requestor to obtain personal data relating to the data subject and held by one or more of the data controllers (at least [0016][0028], a request to access personal data of user is received), the data share request comprising: 
a requestor identification portion comprising a type of organization the requestor is categorized into (at least [0028], request includes identification of doctor/medical office or coach/physical therapist/fitness organization); and 
a data type identification portion (at least [0028], data type (i.e.: blood pressure measurements)); 
comparing the data share request to the data sharing preferences of the data subject (at least [0016][0029], the request is compared to consent verification); and
for each of the one or more data controllers: 
instructing the one or more data controllers to share the personal data with the requestor, or rejecting the data share request, in dependence on the comparison of the data share request to the data sharing preferences (at least [0016][0029]-[0030], if consent verification permits access, then IoT is instructed to send personal data of the user to requestor, otherwise, IoT does not send the personal data of the user.)
Stern does not explicitly disclose data share request purpose preferences, a data share request purpose and the comparing the data share request to the data sharing preferences comprising: comparing the type of organization in the requestor identification portion to at least one of the first organization type data sharing preference and the second organization type data sharing preference; comparing the data share request purpose with the data share request purpose preferences; and comparing the data type identification portion to the data type sharing preferences.
However, Stern discloses an example in which information such as how far a user ran and his mile time as part of a marathon training can be shared with a coach/physical therapist/fitness organization (at least [0032].) It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to specify a reason/purpose for the sharing and requesting of this information to minimize the chances of personal data of the user being misused.
Stern also discloses that when a request for user personal data is received, the request is compared to a consent verification to make sure the request is within the scope of the consent verification (at least [0013].) The consent verification dictates what specific data can be shared and with whom the specific data is shared, while the request in Stern includes at least an ID of the requestor and the type of data being requested (at least [0028].) As such, it is obvious that when the request is compared to the consent verification, the data type being requested and the requestor ID are being compared to make sure they are within the scope of the consent verification.
As discussed above, the reason/purpose of the sharing and requesting is not explicitly disclosed by Stern. However, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to explicitly include this step when comparing the request to the consent verification to enhance the method of management of data sharing while also minimizing the chances of personal data of the user being misused.

Regarding claim 4, Stern discloses the method according to claim 1, wherein the data sharing preferences are stored at a data consent manager that does not store personal data (at least figure 2, element 240, [0016][0025][0029], permission data store that stores consents but not user personal data.)

Regarding claim 5, Stern discloses the method according to claim 4. Stern also discloses the data consent manager is independent and external to the data controllers (at least figures 1 & 2, elements 150, 240, i.e.: verification system is independent and external to the IoTs.)

Regarding claim 6, Stern discloses the method according to claim 1. Stern also discloses providing the data subject with a user interface for editing their data sharing preferences in relation to more than one data controller ([0028], an interface is provided to user to allow the user to specify his/her specific sharing permission of the personal data.)

Regarding claim 7, Stern discloses the method of claim 6. Stern also discloses the user interface automatically selects data sharing preferences based on criteria that are set by the data subject (at least [0016][0030][0034], i.e.: the interface automatically displays/selects personal data to be shared with a specific third party’s name as set by the user.)

Regarding claim 8, Stern discloses the method of claim 7. Stern also discloses the automatic setting of data sharing preferences includes categorization at least one of: data types (at least [0034], types of personal data that can be shared.)

Claim 9 is rejected for the same rationale as claim 1 above.
Claim 12 is rejected for the same rationale as claim 4 above.
Claim 13 is rejected for the same rationale as claims 1 & 9 above. In addition, Stern also discloses a user interface that is to receive data sharing preferences from a data subject (at least [0028][0046], interface that receives user’s preferences to share the user’s personal data.)

Regarding claim 14, Stern discloses the data consent manager of claim 13. Stern also discloses the data sharing preferences identify whether consent is provided for the data requestor to use the requested data for each of a plurality of purposes (at least [0033], i.e.: sharing permission identifies consent provided to coach and physical therapist to use for a plurality of purposes.)

Regarding claim 15, Stern discloses the data consent manager of claim 13. Stern also discloses the processor is further programmed to: 
determine whether the data subject consents to sharing the requested data with the data requestor for one or more purposes specified in the request (at least [0033], i.e.: the user consents to share information such as heart rate, blood pressure data to doctor).  
Claim 16 is rejected for the same rationale as claim 7 above.
Claim 19 is rejected for the same rationale as claims 4 & 12 above.
Claim 20 is rejected for the same rationale as claim 20 above.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to PHY ANH TRAN VU whose telephone number is (571)270-7317. The examiner can normally be reached Monday-Friday 7 am-1 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Taghi T Arani can be reached on (571) 272-3787. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/PHY ANH T VU/           Primary Examiner, Art Unit 2438