Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Applicant’s Arguments regarding 35 U.S.C. 103
	Regarding the 35 U.S.C. 103 rejections, the applicant’s arguments on page 8 of the 6/27/2022 of the response / amendment is included below:
Claims 1-2, 4-7, 11-13, 15-23, and 27-29 stand rejected under 35 U.S.C. @ 103 as unpatentable over U.S. Patent Publication No. 20190332807 to La Fever et al. and U.S. Patent Publication No. 20210067536 to Mylrea et al. Claims 8-10 and 24-26 stand rejected under 35 U.S.C. @ 103 as unpatentable over LaFever, Mylrea, and U.S. Patent Publication No. 20150118992 to Wyatt et al. Claims 14 and 30 stand rejected under 35 U.S.C. @ 103 as unpatentable over LaFever, Mylrea, and U.S. Patent Publication No. 20200164886 to Dutta et al. Applicant respectfully traverses the rejections. 
The Examiner on page 2 of the currently Office Actions states: 
Examiner's Note Regarding newly amended claim features. The amendments to independent claim 1 include, "extracting de-identified data from the event stream. 
The other independent claims include similar recitation. The examiner notes that this feature has multiple interpretations. One possible interpretation would be indicated by the Specification at [0200] and fig. 14 operation 1404, which describe extracting de-identified data for the purpose of tracking user actions on the de-identified data. The examiner notes that LaFever in the last sentence of [0041] teaches "tracking DDID use" and [0076] of LaFever also teaches "a module configured to track activity related to the DDIDs." 
Applicant has amended claims 1, 15, and 17 to overcome the cited art, and further recite specific features as to the "de-identified data." Specially the amendments include "wherein de- identified data includes a pseudonym and personal information of an individual is included in the events stream." Support for the amendments can be found for example at paragraphs [0146] and[0150] of the specification. 
	Claims 3-14 depend on claim 1, claim 16 depends on claim 15, and claims 18-30 depend upon claim 17, and are allowable based on their dependency on an allowable claim.



The examiner notes that cited paragraphs [0146] and [0150] of the specification (cited above by the applicant, in Applicant’s Arguments) describe replacing personal identifiable information (PII) with de-identified data (i.e., pseudonyms) in [0146] and then re-identifying the de-identified data in [0150].  The examiner notes that event streams may include both PII that is de-identified and other data that is not de-identified, which also belongs to the person.
Applicant’s arguments have been considered but are moot in view of the new ground(s) of rejection.
	
Examiner’s Note Regarding claim features
Claim 1 includes, “extracting de-identified data from the event stream.” The other independent claims include similar recitation.
The examiner notes that this feature has multiple interpretations. One possible interpretation would be indicated by the Specification at [0200] and fig. 14 operation 1404, which describe extracting de-identified data for the purpose of tracking user actions on the de-identified data. 
The examiner notes that LaFever in the last sentence of [0041] teaches “tracking DDID use” and [0076] of LaFever also teaches “a module configured to track activity related to the DDIDs.”

Claim Rejections - 35 USC § 112(a)
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 1-2 and 4-30 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
As per claim 1, the examiner asserts that the specification does not support “extracting the de-identified data that includes the pseudonym and personal information of the individual from the event stream.” (emphasis added)  
The specification of the instant application discloses that “De-identified data can include a pseudonym associated with an individual” (specification, [0146]) (emphasis added) and that “the de-identified personal information may be decrypted or re-identified as a result of granting a requestor, such as a security administrator 868, access to de-identified personal information 878.” Thus, the specification discloses that de-identified data such as a pseudonym is associated with an individual (i.e., the individuals name or other personal data). The examiner notes that the cited references teach associating pseudonyms (i.e., DDIDs) with personal information /data (PII). 
However, the specification does not teach extracting both “pseudonym” and “personal information”, which are both included in de-identified data, from an event stream. Additionally, it would make no sense to provide an event stream with both the personal information and the pseudonym because that would defeat the purpose of using a pseudonym to obfuscate personal data.  Instead, the specification teaches de-identification of data, by substituting the pseudonym in place of the personal information, and also teaches re-identification, by decrypting or re-identifying the pseudonym as its associated personal information.
Because, the specification does not disclose extracting both the pseudonym and personal information from the event stream, amendments to the specification adding these features would be considered new matter.

Claim Rejections - 35 USC § 112
	The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.



Claims 1-2 and 4-30 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as failing to set forth the subject matter which the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the applicant regards as the invention. 
As per claim 1, the specification of the instant application discloses that “De-identified data can include a pseudonym associated with an individual” (specification, [0146]) (emphasis added) and that “the de-identified personal information may be decrypted or re-identified as a result of granting a requestor, such as a security administrator 868, access to de-identified personal information 878.” Thus, the specification discloses that de-identified data such as a pseudonym is associated with an individual (i.e., the individuals name or other personal data). The examiner notes that the cited references teach associating pseudonyms (i.e., DDIDs) with personal data / PII,  
However, claim 1 recites, “extracting the de-identified data that includes the pseudonym and personal information of the individual from the event stream.” (emphasis added) 
The examiner asserts that the specification does not teach extracting both “pseudonym” and “personal information”, which are both included in de-identified data, from an event stream. Instead the specification teaches extracting personal information / data from an event stream and replacing it with a pseudonym (i.e., de-identification) (specification [0033]) and then re-identifying the de-identified (i.e., pseudonym) (specification [0046-47]).
Additionally, it would make no sense to extract both personal information and an associated pseudonym from an event stream, because it would make no sense to provide an event stream with both the personal information and the associated pseudonym because that would defeat the purpose of using a pseudonym to obfuscate personal information. Pseudonyms are used to replace the personal information.  Instead, the specification teaches de-identification of data, by substituting / replacing the personal information with the pseudonym, and also teaches re-identification, by decrypting or re-identifying the pseudonym to its associated personal information.
The examiner will instead interpret the claims as reciting “extracting the de-identified data that includes the pseudonym 
Independent claims 15 and 17 are similarly rejected.
Claims 2, 4-14, 15, and 18-30 are rejected as being dependent upon claims 1, 15, and 17.
Claims 1, 15, and 17 all recite “wherein the identified data is included in the event stream.” (emphasis added)  There is insufficient antecedent basis for this limitation in the claim. Appropriate correction or explanation is required.
Claims 2, 4-14, 16, and 18-30 are rejected as being dependent upon claims 1, 15, and 17.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-7, 11-13, 15-23, and 27-29  are rejected under 35 U.S.C. 103 as being unpatentable over U.S. 2019/0332807 to LaFever et al. (hereinafter referred to as “LaFever”), in view of U.S. 2021/0067536 to Mylrea et al (hereinafter referred to as “Mylrea”), and further in view of US 2021/0026985 to Rind et al. (hereinafter Rind).
Regarding claim 1, LaFever teaches,
A computer-implementable method for managing re-identification of de-identified data utilizing a distributed ledger, 
LaFever teaches re-identification of de-identified data. (LaFever, [0589-631]) 
Specifically, LaFever describes a BigPrivacy system that de-identifies data ([0598], lines 2-3) LaFever also describes the use of re-identification keys to restore R-DDIDs. LaFever, [0600] lines 4-5) LaFever in [0619-620] describes, “Enforcing Centralized BigPrivacy Controls in De-Centralized Systems” (emphasis added) (see [0619] line 1) where the decentralized systems of the BigPrivacy controls include a “distributed ledger technologies” (see [0620] lines 4-6).
comprising:
de-identifying an event stream of one or more events associated with an individual, 
wherein the de-identified data includes a pseudonym and personal information of an individual, 
LaFever teaches de-identifying data. (LaFever, [0201-208])
The examiner interprets the “event stream” is a series of data that, where at least some of the data is to be replaced by de-identifiers or pseudonyms. As indicated by the applicant’s specification [0165-166], an event stream of information includes a person’s name, company name, dates / temporal identifiers, and locations. 
LaFever in [0201-204] teaches extracting data, such as social security numbers and zip codes (“personal information of an individual”) and replacing the data with dynamically changing de-identification data (DDIDs) (“pseudonym”). LaFever also teaches a two way mapping between data (“personal information”) and de-identifiers (DDIDs) (“pseudonym”) that enables encryption (de-identification) and decryption (re-identification) of de-identified data / pseudonyms. (LaFever, [0207-208]) 
wherein the identified data is included in the event stream;
The examiner interprets this feature as being the personal data in the event stream that is later replaced by pseudonyms / de-identifiers or other data that is not later de-identified. (See above discussion, LaFever, [0210-204], extracting social security numbers and replacing with DDIDs.)


extracting the de-identified data that includes the pseudonym 
The examiner interprets the above features as corresponding to extracting the de-identified (pseudonym) from the event stream, where the pseudonym that is extracted is associated with personal data. (see rejection under 112(b) above)
LaFever teaches streamed data that has been de-identified. (LaFever, [0204]) LaFever in [0205-208] teaches that the de-identifier (pseudonym) is mapped to data, such as personal data (“de-identified data that includes the pseudonym and personal information of the individual”). LaFever also describes the re-identification operation, which re-identifies the de-identified data / pseudonyms. (LaFever, [0598-631])
See also examiner’s note above, regarding this feature.
performing a re-identification operation on the de-identified data; and 
LaFever in [0598-601] describes a re-identification of data in the BigPrivacy system being performed using a JITI key (i.e., re-identification key).
storing a record of the re-identification operation 
LaFever in [0505] states, “JITI facilitates compliance with and auditability against established privacy policies by enabling the mathematical, statistical and/or actuarial measurement and monitoring of data use.” Thus, the Examiner asserts that the JITI process used in re-identification also monitors the use of the data that has been re-identified using JITI, for audit purposes, and must inherently store the monitored data. (See also, LaFever, [0356]) Thus, LaFever teaches “storing of a record of re-identification operation” using the access log module 54.
LaFever fails to teach,
However, Mylrea teaches,
storing a record …. in the distributed ledger. (emphasis added)
Mylrea teaches the use of a distributed ledger that tracks changes to the data in the distributed ledger, where the changes are stored in the ledger itself.  Mylrea [0034] states, “The cryptographic signature may identify the entity that initiated generation of the record. A record may include a timestamp for the record, and may further include a unique identifier for a grid asset associated with the record or the record set 104a-n. Each record in a record set 104a-n may store updated or additional data (or both) compared to the previous record in the record set. In this way, the record set 104a-n may act as an auditable history of its stored data.” (emphasis added)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of LaFever, which teaches de-identification of data and the storage of that de-identified data in a distributed ledger that includes the tracking of using /accessing of data for security auditing purposes, with Mylrea, which teaches the use of a distributed ledger to store the tracked data associated with accessing of data and changes to data. One of ordinary skill in the art would have been motivated to perform such an addition to provide Mylrea’s capability to use a distributed ledger that tracks changes to the data in the distributed ledger, where the tracking is stored in the ledger itself.
LaFever and Mylrea do not teach,
However, Rind teaches,
storing the de-identified data that includes the pseudonym and personal information of the individual in the distributed ledger, … 
The applicant has interpreted this feature in accordance with the specification at [0222] which teaches that the re-identification key of the pseudonym is stored in a blockchain.
LaFever teaches the use of a pseudonym / de-identifier (“de-identified data”)  and also teaches storing a mapping of the personal data and the pseudonyms. (LaFever, [0205-208])
However, Rind teaches an index that maps pseudonymous identifiers (“pseudonym”) of users to encrypted records with personally identifiable information (PII) (“personal information of the individual”) of the user may, where the index may be stored in a blockchain (“storing the de-identified data … in the distributed ledger”). (Rind, second sentence [0022]) (emphasis added in bold)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of LaFever, which teaches de-identification of data and the storage of that de-identified data in a distributed ledger that includes the tracking of using /accessing of data for security auditing purposes,  with Rind, which teaches an index that maps pseudonymous identifiers (e.g. DDIDs) of users to encrypted records with personally identifiable information (PII) of the user may, where the index may be stored in a blockchain.  One of ordinary skill in the art would have been motivated to perform such an addition to provide LaFever with Rind’s capability of utilizing a blockchain to store the index of the mapping between pseudonyms and PII.

Regarding claim 2, LaFever, Mylrea, and Rind teach,
The method of claim 1, wherein the distributed ledger is a block chain. 
LaFever at the end of [0620] discusses blockchains being part of the “distributed ledger technologies” of the BigPrivacy system.  The last sentences of [0621] state, “The words “Distributed Ledger Technology” or “DLT” are used herein to refer to a data storage element comprising a consensus of replicated, shared, and/or synchronized digital data, e.g., which may be geographically spread across multiple sites, countries, or institutions. With DLL there is typically no central administrator or centralized data storage. Examples of the use of DLTs include: blockchains, cryptocurrencies, smart contracts, and even decentralized file storage.” (emphasis added) Also, [0621-623] of LaFever further discusses blockchains. 
Similarly, Mylrea also teaches a distributed ledger that includes a block chain. The Abstract of Mylrea states, “A cybersecurity distributed ledger is provided herein for managing, tracking, auditing, and securing assets in a power infrastructure. The cybersecurity distributed ledger may include a blockchain, and may combine with smart contract or smart negotiation technology, such as in a permissioned proof of authority blockchain.” (emphasis added) Blockchain use in the distributed ledger is also described in at least [0027] of Mylrea.  

Regarding claim 4, LaFever, Mylrea, and Rind teach, 
The method of claim 1, wherein the record of the re-identification operation is associated with the pseudonym.  
LaFever in the last sentence of [0035] describes a system that tracks, logs, and records functions of the system.  LaFever in [0035] states, “embodiments of the present invention may enable a Data Subject or other controlling entity to send to one or more desired third parties only those data attributes (which the system knows relate to the Data Subject by virtue of the tracking/logging/recording functions of the system) that specifically pertain to a specific action, activity, process or trait.” (emphasis added) In [0037] LaFever states, “Indices used to resolve dereferencing may, without limitation, include keys, schema translation tables, anonymous identifiers, pseudonymous identifiers, tokens or other representations.”  (emphasis added) The Examiner interprets the use of pseudonyms as being information that is tracked by the system.  
Additionally, LaFever in [0356] states, “An access log module 54 that may include collecting and storing information to enable post-incident forensic analysis in the event of system error and/or misused.”  Thus, LaFever teaches “storing of a record of re-identification operation” using the access log module 54, which may include the storing of de-identifying information such as pseudonyms.
As discussed in the rejection of claim 1, Mylrea teaches recording information the above features related to tracking the progress of information, as described above with regards to [0034] of Mylrea.

Regarding claim 5, LaFever, Mylrea, and Rind teach, 
The method of claim 1, further comprising storing a re-identification key associated with the pseudonym in the distributed ledger.  
The Examiner has interpreted this feature as corresponding to a storing of the key in the distribution ledger, where a pseudonym is then used to obfuscate the contents of the ledger, including the key. LaFever describes DDIDs that are stored in distributed ledgers. For example, LaFever in [0019-20] further states, “… Embodiments of the present invention may even be employed in decentralized networks built on blockchain or other distributed ledger technologies that require immutability and auditability of record over time. [0020] As compared to existing systems, wherein electronic data may be readily accessible for use (e.g., collecting, processing, copying, analyzing, combining, modifying or disseminating, etc.), storing and/or erasing with few effective controls over the data, embodiments of the present invention may use temporally unique, dynamically changing de-identifiers (“DDIDs”)—each associated with a subject, e.g., a person, place, or thing (e.g., an event, document, contract, or “smart contract”), to which data directly or indirectly pertains or relates (a “Data Subject”) … “ (emphasis added)
	Moreover, LaFever teaches, “storing a re-identification key associated with the pseudonym in the distributed ledger” because LaFever teaches the DDDI using a pseudonym that obscures a primary key, where the Examiner interprets the primary key as corresponding to “a re-identification key.” For example, LaFever in [0193] states, “A dynamic de-identifier DDID is a temporally-bounded pseudonym which both refers to and obscures the value of (i) a primary key referencing a Data Subject, action, activity, process and/or trait, (ii) the value of an attribute of that Data Subject, action, activity, process and/or trait (e.g. a ZIP code), and/or (iii) the kind or type of data being associated with the Data Subject, action, activity, process and/or trait (e.g. the fact that some encoded value was a ZIP code). [0194] DDIDs may additionally protect data if there is no discernable, inherent, nor computable relationship between their content and the values (cleartext) to which they refer. Additionally, the association between any given DDID and its cleartext value may not be exposed outside the Circle of Trust (CoT). Unlike static identifiers, an obscured value or key need not have the same associated DDID when used in a different context, for a different purpose, or at a different time.” (emphasis added)

Regarding claim 6, LaFever, Mylrea, and Rind teach, 
The method of claim 5, wherein the re-identification operation uses the re-identification key to re-identify the de-identified data. 
LaFever in [0600] describes the creation of a re-identification key (e.g., JITI key) that is used to restore data. LaFever in [0601] describes the JITI key being used to re-identify the data. Also, LaFever in [0658] states, “For those BAPs with which a Data Subject has a strong relationship of trust, the Data Subject can have, e.g., a “Trusted Advertising” button, enabling the trusted merchant with access to select obscuring key association information to share desired detailed cleartext information with another business entity. In preferred embodiments, information available to and receivable by a trusted business entity, e.g., via a “Trusted Advertising” button, is made available only to that trusted business entity, and is made in accordance with specific instructions received by a BAP from the Data Subject.” (emphasis added) Thus, the re-identification operation is a level of trust that exposes information such as user names or other sensitive information that can be used to identify a user, however, without the re-identification operation, a non-trusted client may still have access to data and be allowed to perform generalized research without the ability to identify a particular user.

Regarding claim 7, LaFever, Mylrea, and Rind teach, 
The method of claim 1, wherein the record of the re-identification operation comprises a purpose for performing the re-identification operation. 
Mylrea teaches storing and updating of records of signed data clusters for the purpose of auditing. The Examiner interprets tracking the updating of signed clusters, which are later re-identified, as recording the purpose (e.g., auditing, tracking of changes) of an earlier signed cluster.  Mylrea at [0133-134] states, “… In this process, the vendor 503 updates the signed data cluster (e.g. creates a new signed data cluster) with all previous signed data clusters as part of it and finally, signs it with a new unique signature (similar process as at 508) in the BCAP 502. [0134] At 512, final steps of grid asset procurement may be performed. The signed data cluster is updated with all the information associated with the physical (or digital) grid asset. The signed data cluster may contain information per NERC CIP 13 requirements. Finally, the grid asset is sent 512b to the utility 501, as well as the signed data clusters 512a. The utility 501, at any given time, can independently verify the information associated with the grid asset and its authenticity all the way to the principle component level through the signed data clusters. The utility 501 may choose to create a new signed data cluster that holds all the previous signed data clusters with other information such as downstream connections, etc. This signed data cluster can be used by NERC for auditing purposes and standard compliance checks.” (emphasis added)) Thus, the Examiner interprets the storing of the information as having a purpose of auditing.
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to  combine the features of LaFever with the features of Mylrea to track signed data clusters for the purpose of auditing in order to better track / record operations that occur with regard to a distributed ledger so that an auditor can investigate previous operations. One of ordinary skill in the art would have been motivated to perform such an addition to provide the ability to track the reason / purpose for performing a re-identification operation that unmasks potentially sensitive data.

Regarding claim 11, LaFever, Mylrea, and Rind teach, 
The method of claim 1, wherein the step of performing the re-identification operation is initiated by a security administrator, and 
LaFever describes an administrator having access to compartmentalized data of students in order to produce studies.  LaFever also describes a Circle of Trust CoT, which is a circle of users that are allowed access to JITI keys (i.e., re-identification key as described in [0600] of LaFever) that may be used to re-identify the most protected personal data that has been de-identified to protect the personal information, such as user name, mother’s maiden name, social security numbers, ect. (See LaFever in [0193-195]) Thus, LaFever teaches, “the step of performing the re-identification operation is initiated by a” member of the CoT.
Further in [0019] of LaFever the distributed ledger is described as having “auditability.” Moreover, LaFever in [0050] states, “[0053] In another example, an access log module may be provided, wherein the access log module can collect and store information to enable post-incident forensic analysis in the event of a system or privacy server error and/or misuse.” The access log module has the capability of tracking those who access the different portions of the distributed ledger, including the members of the CoT who have access to the JITI keys that are used for re-identification. In [0163] of LaFever, the CoT includes the ability to store trackers to the Data Subject and store a list of queries.
Thus, the Examiner asserts that the access log module is used to track the actions of the re-identification by members of the CoT, who have a higher level of privilege than the normal users. Thus, members of the CoT, with their higher level of privilege, correspond to “security administrator.”
wherein the record of the re-identification operation comprises contact details of the security administrator.
Additionally, LaFever in [0167] states, “A CoT is composed of one or more Trusted Parties, each of which may offer one or more independent data storage facilities, as well as secure means to segment and transmit sensitive data to these data stores.” Thus, the members of the circle of trust are known and their locations are known because they are storing data, so the locations (i.e., internet addresses) corresponds to the “contact details” of claim 11.)

Regarding claim 12, LaFever, Mylrea, and Rind teach, 
The method of claim 1, further comprising storing a re-identification key associated with the entity in the distributed ledger.
LaFever teaches JITI keys that are referred to as keys that are used to access the de-identified data, as described above.  However, LaFever also describes storing the keys within the Circle of Trust CoT, that is also described above.  For example, LaFever in [0165] states, “Dynamic Anonymity overcomes these shortcomings by employing dynamically changing and re-assignable DDIDs, storing the resulting DDID associations and obscuring keys within Circles of Trust, and providing a unique interaction model enabling participation between and among Data Subjects and Trusted Parties/third-party participants.” (emphasis added) Thus, the obscured keys are stored within the DDIDs, as described above, obscured information is stored within the DDIDs that are stored within the distributed ledger.

Regarding claim 13, LaFever, Mylrea, and Rind teach, 
The method of claim 12, wherein the re-identification operation uses the re-identification key to re-identify the de-identified data.  
LaFever teaches giving access to the obscured / obfuscated (primary) key in order to share cleartext information (i.e., non-obscured information) with trusted individuals (i.e., “Circle of Trust” discussed above in [0194]). For example, LaFever in [0658] states, “For those BAPs with which a Data Subject has a strong relationship of trust, the Data Subject can have, e.g., a “Trusted Advertising” button, enabling the trusted merchant with access to select obscuring key association information to share desired detailed cleartext information with another business entity. In preferred embodiments, information available to and receivable by a trusted business entity, e.g., via a “Trusted Advertising” button, is made available only to that trusted business entity, and is made in accordance with specific instructions received by a BAP from the Data Subject.” (emphasis added) Thus, the re-identification operation is a level of trust that exposes information such as user names or other sensitive information that can be used to identify a user, however, without the re-identification operation, a non-trusted client may still have access to data and be allowed to perform generalized research without the ability to identify a particular user.

Regarding claim 15, LaFever, Mylrea, and Rind teach, 
A computer-implementable method for managing privacy in a cybersecurity system comprising: 
LaFever in [0018-19] describes a security system that works with a distributed ledger that is distributed over different sites on a network.
identification of de-identified data utilizing a distributed ledger, comprising:
LaFever teaches de-identifying data using blockchains. (LaFever, last sentence [0019] and first third of [0020]) LaFever also teaches re-identifying the de-identified data. (LaFever, [0598-631])
de-identifying an event stream of one or more events associated with an individual; 
wherein de-identified data includes a pseudonym and personal information of an individual, 
LaFever teaches de-identifying data. (LaFever, [0201-208])
The examiner interprets the “event stream” is a series of data that, where at least some of the data is to be replaced by de-identifiers or pseudonyms. As indicated by the applicant’s specification [0165-166], an event stream of information includes a person’s name, company name, dates / temporal identifiers, and locations. 
LaFever in [0201-204] teaches extracting data, such as social security numbers and zip codes (“personal information of an individual”) and replacing the data with dynamically changing de-identification data (DDIDs) (“pseudonym”). LaFever also teaches a two way mapping between data (“personal information”) and de-identifiers (DDIDs) (“pseudonym”) that enables encryption (de-identification) and decryption (re-identification) of de-identified data / pseudonyms. (LaFever, [0207-208]) 
wherein the identified data is included in the event stream;
The examiner interprets this feature as being the personal data in the event stream that is later replaced by pseudonyms / de-identifiers or other data that is not later de-identified. (See above discussion, LaFever, [0210-204], extracting social security numbers and replacing with DDIDs.)
extracting the de-identified data that includes the pseudonym 
The examiner interprets the above features as corresponding to extracting the de-identified (pseudonym) from the event stream, where the pseudonym that is extracted is associated with personal data. (see rejection under 112(b) above)
LaFever teaches streamed data that has been de-identified. (LaFever, [0204]) LaFever in [0205-208] teaches that the de-identifier (pseudonym) is mapped to data, such as personal data (“de-identified data that includes the pseudonym and personal information of the individual”). LaFever also describes the re-identification operation, which re-identifies the de-identified data / pseudonyms. (LaFever, [0598-631])
See also examiner’s note above, regarding this feature.
performing a re-identification operation on the de-identified data; and 
LaFever in [0598-601] describes a re-identification of data in the BigPrivacy system being performed using a JITI key (i.e., re-identification key).
storing a record of the re-identification operation    
LaFever in [0505] states, “JITI facilitates compliance with and auditability against established privacy policies by enabling the mathematical, statistical and/or actuarial measurement and monitoring of data use.” Thus, the Examiner asserts that the JITI process used in re-identification also monitors the use of the data that has been re-identified using JITI, for audit purposes, and must inherently store the monitored data. (See also, LaFever, [0356]) Thus, LaFever teaches “storing of a record of re-identification operation” using the access log module 54.
	LaFever fails to teach, 
However, Mylrea teaches,
storing …. in the distributed ledger. (emphasis added)
Mylrea teaches the use of a distributed ledger that tracks changes to the data in the distributed ledger, where the changes are stored in the ledger itself.  Mylrea [0034] states, “The cryptographic signature may identify the entity that initiated generation of the record. A record may include a timestamp for the record, and may further include a unique identifier for a grid asset associated with the record or the record set 104a-n. Each record in a record set 104a-n may store updated or additional data (or both) compared to the previous record in the record set. In this way, the record set 104a-n may act as an auditable history of its stored data.” (emphasis added)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of LaFever, which teaches de-identification of data and the storage of that de-identified data in a distributed ledger that includes the tracking of using /accessing of data for security auditing purposes, with Mylrea, which teaches the use of a distributed ledger to store the tracked using /accessing of data and changes to data. One of ordinary skill in the art would have been motivated to perform such an addition to provide Mylrea’s capability to use a distributed ledger that tracks changes to the data in the distributed ledger, where the tracking is stored in the ledger itself.
LaFever and Mylrea do not teach,
However, Rind teaches,
storing de-identified data, that includes the pseudonym and personal information of the individual in the distributed ledger;
The applicant has interpreted this feature in accordance with the specification at [0222] which teaches that the re-identification key of the pseudonym is stored in a blockchain.
LaFever teaches the use of a pseudonym / de-identifier (“de-identified data”)  and also teaches storing a mapping of the personal data and the pseudonyms. (LaFever, [0205-208])
However, Rind teaches an index that maps pseudonymous identifiers (“pseudonym”) of users to encrypted records with personally identifiable information (PII) (“personal information of the individual”) of the user may, where the index may be stored in a blockchain (“storing the de-identified data … in the distributed ledger”). (Rind, second sentence [0022]) (emphasis added in bold)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of LaFever, which teaches de-identification of data and the storage of that de-identified data in a distributed ledger that includes the tracking of using /accessing of data for security auditing purposes,  with Rind, which teaches an index that maps pseudonymous identifiers (e.g. DDIDs) of users to encrypted records with personally identifiable information (PII) of the user may, where the index may be stored in a blockchain.  One of ordinary skill in the art would have been motivated to perform such an addition to provide LaFever with Rind’s capability of utilizing a blockchain to store the index of the mapping between pseudonyms and PII.

Regarding claim 16, LaFever, Mylrea, and Rind teach, 
wherein a trigger to the security analysis, the cybersecurity system further performs a reidentification operation, 
LaFever states, “[0247] .. And when it is possible to pass the time associated with the data to be encoded, the time could be “sanity-checked” against the local system clock: skew within a small window (smaller than the DDID reuse buffer) could be tolerated, whereas larger differences would trigger an error report.”  The Examiner interprets the triggering of the error report to correspond to “trigger to the security analysis.” Also, LaFever in [0490-491] describes a triggering incident being used as the basis to perform a re-identification. “[0490] In the example embodiment reflected in FIG. 1L, data is resident in an emergency response database in a dynamic DDID obfuscated state such that identifying information is not discernable or re-identifiable until such time as necessary association keys (AKs) and/or replacement keys (RKs) are provided when an appropriate triggering incident occurs.” (emphasis added))
wherein a record of the reidentification operation is stored in the cloud using the distributed ledger. 
See rejection of claim 15 above regarding LaFever in [0505], [0356], [0339], and [0393]. (See also Mylrea in [0034])

Regarding claim 17, LaFever, Mylrea, and Rind teach, 
A system comprising:
a processor;  
LaFever in fig. 27 includes processor 2740 linked to a memory 2720 and a communication bus 2770.  LaFever in [1005] states, “Example 197 is a system comprising: a communication interface for sending data over a network; a memory having, stored therein, computer program code and one or more distributed ledgers capable of recording data records.” (emphasis added)
a data bus  coupled to the processor; and
LaFever in fig. 27 includes processor 2740 linked to a communication bus 2770 (i.e., “data bus”).
a non-transitory, computer-readable storage medium (LaFever in fig. 27 includes processor 2740 linked to a memory 2720) embodying computer program code for managing re-identification of de-identified data utilizing a distributed ledger, … 
LaFever’s Abstract states, “Systems, computer-readable media, and methods for improving data privacy/anonymity and data value, wherein data related to a data subject can be used and stored, while minimizing re-identification risk by unauthorized parties and enabling data related to the data subject to be disclosed to an authorized party by granting access only to the data relevant to that authorized party's purpose, time period, place and/or other criterion via the obfuscation of specific data values.” (emphasis added) LaFever in [0019-20] further states, “… Embodiments of the present invention may even be employed in decentralized networks built on blockchain or other distributed ledger technologies that require immutability and auditability of record over time. [0020] As compared to existing systems, wherein electronic data may be readily accessible for use (e.g., collecting, processing, copying, analyzing, combining, modifying or disseminating, etc.), storing and/or erasing with few effective controls over the data, embodiments of the present invention may use temporally unique, dynamically changing de-identifiers (“DDIDs”)—each associated with a subject, e.g., a person, place, or thing (e.g., an event, document, contract, or “smart contract”), to which data directly or indirectly pertains or relates (a “Data Subject”) … “ (emphasis added)) 
… the non-transitory, computer-readable storage medium being coupled to the data bus, the computer program code interacting with a plurality of computer operations and comprising instructions executable by the processor and configured for: 
LaFever in fig. 27 includes processor 2740 linked to a memory 2720, communication bus 2770.
de-identifying an event stream of one or more events associated with an individual, 
wherein de-identified data includes a pseudonym and personal information of an individual, 
LaFever teaches de-identifying data. (LaFever, [0201-208])
The examiner interprets the “event stream” is a series of data that, where at least some of the data is to be replaced by de-identifiers or pseudonyms. As indicated by the applicant’s specification [0165-166], an event stream of information includes a person’s name, company name, dates / temporal identifiers, and locations. 
LaFever in [0201-204] teaches extracting data, such as social security numbers and zip codes (“personal information of an individual”) and replacing the data with dynamically changing de-identification data (DDIDs) (“pseudonym”). LaFever also teaches a two way mapping between data (“personal information”) and de-identifiers (DDIDs) (“pseudonym”) that enables encryption (de-identification) and decryption (re-identification) of de-identified data / pseudonyms. (LaFever, [0207-208]) 
wherein the identified data is included in the event stream; 
The examiner interprets this feature as being the personal data in the event stream that is later replaced by pseudonyms / de-identifiers or other data that is not later de-identified. (See above discussion, LaFever, [0210-204], extracting social security numbers and replacing with DDIDs.)\
extracting the de-identified data that includes the pseudonym 
The examiner interprets the above features as corresponding to extracting the de-identified (pseudonym) from the event stream, where the pseudonym that is extracted is associated with personal data. (see rejection under 112(b) above)
LaFever teaches streamed data that has been de-identified. (LaFever, [0204]) LaFever in [0205-208] teaches that the de-identifier (pseudonym) is mapped to data, such as personal data (“de-identified data that includes the pseudonym and personal information of the individual”). LaFever also describes the re-identification operation, which re-identifies the de-identified data / pseudonyms. (LaFever, [0598-631])
See also examiner’s note above, regarding this feature.
performing a re-identification operation on the de-identified data; and 
LaFever in [0598-601] describes a re-identification of data in the BigPrivacy system being performed using a JITI key (i.e., re-identification key).
storing a record of the re-identification operation … 
LaFever in [0505] states, “JITI facilitates compliance with and auditability against established privacy policies by enabling the mathematical, statistical and/or actuarial measurement and monitoring of data use.” Thus, the Examiner asserts that the JITI process used in re-identification also monitors the use of the data that has been re-identified using JITI, for audit purposes, and must inherently store the monitored data. Moreover, LaFever in [0356] which describes figure 1A, describes an access log module that stores information to allow for forensic analysis. LaFever in [0356] states, “An access log module 54 that may include collecting and storing information to enable post-incident forensic analysis in the event of system error and/or misused.”  Thus, LaFever teaches “storing of a record of re-identification operation” using the access log module 54.
	LaFever fails to teach, 
However, Mylrea teaches,
storing a record …. in the distributed ledger. (emphasis added)
Mylrea teaches the use of a distributed ledger that tracks changes to the data in the distributed ledger, where the changes are stored in the ledger itself.  Mylrea [0034] states, “The cryptographic signature may identify the entity that initiated generation of the record. A record may include a timestamp for the record, and may further include a unique identifier for a grid asset associated with the record or the record set 104a-n. Each record in a record set 104a-n may store updated or additional data (or both) compared to the previous record in the record set. In this way, the record set 104a-n may act as an auditable history of its stored data.” (emphasis added)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of LaFever, which teaches de-identification of data and the storage of that de-identified data in a distributed ledger that includes the tracking of using /accessing of data for security auditing purposes, with Mylrea, which teaches the use of a distributed ledger to store the tracked using /accessing of data and changes to data. One of ordinary skill in the art would have been motivated to perform such an addition to provide Mylrea’s capability to use a distributed ledger that tracks changes to the data in the distributed ledger, where the tracking is stored in the ledger itself.
LaFever and Mylrea do not teach,
However, Rind teaches,
storing the de-identified data that includes the pseudonym and personal information of the individual in the distributed ledger, 
The applicant has interpreted this feature in accordance with the specification at [0222] which teaches that the re-identification key of the pseudonym is stored in a blockchain.
LaFever teaches the use of a pseudonym / de-identifier (“de-identified data”)  and also teaches storing a mapping of the personal data and the pseudonyms. (LaFever, [0205-208])
However, Rind teaches an index that maps pseudonymous identifiers (“pseudonym”) of users to encrypted records with personally identifiable information (PII) (“personal information of the individual”) of the user may, where the index may be stored in a blockchain (“storing the de-identified data … in the distributed ledger”). (Rind, second sentence [0022]) (emphasis added in bold)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to combine the teachings of LaFever, which teaches de-identification of data and the storage of that de-identified data in a distributed ledger that includes the tracking of using /accessing of data for security auditing purposes,  with Rind, which teaches an index that maps pseudonymous identifiers (e.g. DDIDs) of users to encrypted records with personally identifiable information (PII) of the user may, where the index may be stored in a blockchain.  One of ordinary skill in the art would have been motivated to perform such an addition to provide LaFever with Rind’s capability of utilizing a blockchain to store the index of the mapping between pseudonyms and PII.

Regarding claim 18, LaFever, Mylrea, and Rind teach, 
wherein the distributed ledger is a block chain.
Claim 18 is rejected under 35 U.S.C. 103 for substantially similar reasons as claim 2, because the recitation of claim 18 is the same as claim 2.

Regarding claim 19, LaFever, Mylrea, and Rind teach, 
wherein the de-identified data further comprises a pseudonym associated with the entity individual.
LaFever in [0638] further discusses the BigPrivacy techniques, and then LaFever in [0639-640] discusses “Data Protection by Design and by Default” which includes “pseudonymizing personal data” at the end of [0640] of LaFever.  LaFever describes the use of pseudonyms as a temporally bounded de-identifiers for the data subject or a value in the data subject (e.g., “John Smith”, zip code). LaFever states, “[0193] Dynamic De-Identifiers (DDIDs) [0193] A dynamic de-identifier DDID is a temporally-bounded pseudonym which both refers to and obscures the value of (i) a primary key referencing a Data Subject, action, activity, process and/or trait, (ii) the value of an attribute of that Data Subject, action, activity, process and/or trait (e.g. a ZIP code), and/or (iii) the kind or type of data being associated with the Data Subject, action, activity, process and/or trait (e.g. the fact that some encoded value was a ZIP code)..”
Additionally, the Examiner asserts that the use of pseudonymizing is taught throughout LaFever. For example, LaFever’s “field of invention” at [0004] of LaFever teaches the use of pseudonymizing, as evidenced above in the response to applicant’s arguments.

Regarding claim 20, LaFever, Mylrea, and Rind teach, 
wherein the record of the re-identification operation is associated with the pseudonym.
Claim 20 is rejected under 35 U.S.C. 103 for substantially similar reasons as claim 4, because the recitation of claim 20 is the same as claim 4.

Regarding claim 21, LaFever, Mylrea, and Rind teach, 
further comprising storing a re-identification key associated with the pseudonym in the distributed ledger.
Claim 21 is rejected under 35 U.S.C. 103 for substantially similar reasons as claim 5, because the recitation of claim 21 is the same as claim 5.

Regarding claim 22, LaFever, Mylrea, and Rind teach,
wherein the re-identification operation uses the re-identification key to re-identify the de-identified data. 
LaFever teaches giving access to the obscured / obfuscated (primary) key in order to share cleartext information (i.e., non-obscured information) with trusted individuals (i.e., “Circle of Trust” discussed above in [0194]). For example, LaFever in [0658] states, “For those BAPs with which a Data Subject has a strong relationship of trust, the Data Subject can have, e.g., a “Trusted Advertising” button, enabling the trusted merchant with access to select obscuring key association information to share desired detailed cleartext information with another business entity. In preferred embodiments, information available to and receivable by a trusted business entity, e.g., via a “Trusted Advertising” button, is made available only to that trusted business entity, and is made in accordance with specific instructions received by a BAP from the Data Subject.” (emphasis added) Thus, the re-identification operation is a level of trust that exposes information such as user names or other sensitive information that can be used to identify a user, however, without the re-identification operation, a non-trusted client may still have access to data and be allowed to perform generalized research without the ability to identify a particular user.

Regarding claim 23, LaFever, Mylrea, and Rind teach, 
wherein the record of the re-identification operation comprises a purpose for performing the re-identification operation.
Claim 23 is rejected under 35 U.S.C. 103 for substantially similar reasons as claim 7, because the recitation of claim 22 is the same as claim 7.

Regarding claim 27, LaFever, Mylrea, and Rind teach, 
wherein the step of performing the re-identification operation is initiated by a security administrator, and
wherein the record of the re-identification operation comprises contact details of the security administrator.
Claim 27 is rejected under 35 U.S.C. 103 for substantially similar reasons as claim 11, because the recitation of claim 26 is the same as claim 11.

Regarding claim 28, LaFever, Mylrea, and Rind teach, 
further comprising storing a re-identification key associated with the entity in the distributed ledger.
Claim 28 is rejected under 35 U.S.C. 103 for substantially similar reasons as claim 12, because the recitation of claim 27 is the same as claim 12.

Regarding claim 29, LaFever, Mylrea, and Rind teach, 
wherein the re-identification operation uses the re-identification key to re-identify the de-identified data.
Claim 29 is rejected under 35 U.S.C. 103 for substantially similar reasons as claim 13, because the recitation of claim 29 is the same as claim 13.

Claims 8-10 and 24-26 are rejected under 35 U.S.C. 103 as being unpatentable over LaFever in view of Mylrea, in further view of U.S. 2015/0118992 to Wyatt et al. (hereinafter “Wyatt”). 

Regarding claim 8, 
LaFever, Mylrea, and Rind teach,
The method of claim 1,
LaFever, Mylrea, and Rind fail to teach,
However, Wyatt teaches,
wherein the record of the re-identification operation comprises a description of categories of data subjects of the de-identified data. (emphasis added)
While LaFever teaches a re-identification operation of de-identified data, as discussed above, LaFever and Mylrea fail to teach the above emphasized features of claim 8.
Wyatt teaches the tracking of information that is accessed by a user by category. For example, Wyatt in [0076] states, “But it would not be normal for most applications to access a large number of contacts on the electronic device or all of the contacts on the electronic device. Recording the frequency of access to categories of personal data is used to prepare personal data access reports and may be used to develop policies on a per application basis regarding how much personal data may be accessed per application.” (emphasis added) The Examiner also points out that LaFever teaches storing other related data (i.e., categories of Wyatt) in the DDIDs, as evidenced below. LaFever in [0393] states, “Privacy servers and associated databases may store information pertaining to TDRs, time periods/stamps, DDIDs, attributes, attribute combinations, Data Subjects, related parties, associated profiles and other related information.” (emphasis added) Thus, the categories of personal data tracked by Wyatt could be stored in the privacy server of LaFever.
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to have modified LaFever and Mylrea to incorporate the teachings of Wyatt to include the storage of specific category data, taught by Wyatt, in the DDIDs (of LaFever) that store other related data in order to store specific categories of data. One of ordinary skill in the art would have been motivated to make this modification to use LaFever and Mylrea for tracking, and to specifically track the categories of data subjects in order to perform better audit tracking.    
While Wyatt is not directed to distributed ledgers Wyatt is directed to databases in general and includes the above discussed features of paragraph [0076] which track a user’s access to categories of personal data, which can be used for the auditing performed in LaFever and Mylrea. 

Regarding claim 9, 
LaFever, Mylrea, and Rind teach,
The method of claim 1,
LaFever, Mylrea, and Rind fail to teach,
However, Wyatt teaches,
wherein the record of the re-identification operation comprises a description of personal data contained in the de-identified data. (emphasis added)
While LaFever teaches a re-identification operation of de-identified data, as discussed above, LaFever and Mylrea fail to teach the above emphasized features of claim 8.
Wyatt teaches the above features by describing the tracking of information that is accessed by a user, where the information is personal information. For example, Wyatt in [0076] states, “But it would not be normal for most applications to access a large number of contacts on the electronic device or all of the contacts on the electronic device. Recording the frequency of access to categories of personal data is used to prepare personal data access reports and may be used to develop policies on a per application basis regarding how much personal data may be accessed per application.” (emphasis added) The Examiner also points out that LaFever teaches storing other related data (i.e., categories of Wyatt) in the DDIDs, as evidenced below.
LaFever in [0393] states, “Privacy servers and associated databases may store information pertaining to TDRs, time periods/stamps, DDIDs, attributes, attribute combinations, Data Subjects, related parties, associated profiles and other related information.” (emphasis added) Thus, the categories of personal data tracked by Wyatt could be stored in the privacy server of LaFever.
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to have modified LaFever and Mylrea to incorporate the teachings of Wyatt to incorporate the recording of the frequency of access to personal data. One of ordinary skill in the art would have been motivated to make this modification so that both LaFever and Mylrea could be used to record information related to personal data (i.e., frequency of access to personal data) for better auditing tracking.    
While Wyatt is not directed to distributed ledgers Wyatt is directed to databases in general and includes the above discussed features of paragraph [0076] which track a user’s access to categories of personal data, which can be used for the auditing performed in LaFever and Mylrea. 

Regarding claim 10, 
LaFever, Mylrea, and Rind teach,
The method of claim 1,
LaFever, Mylrea, and Rind fail to teach,
However, Wyatt teaches,
wherein the record of the re-identification operation comprises a date and a time of the re-identification operation. (emphasis added)
While LaFever teaches a re-identification operation of de-identified data, as discussed above, LaFever and Mylrea fail to teach the above emphasized features of claim 8.
Wyatt teaches the above features by describing the tracking of personal information over a time frame. Thus, the accesses to the personal information, which are similar to the re-identification” taught by LaFever, are tracked over a time frame.  
For example, Wyatt in [0070] states, “For example, the monitored personal data access report 900 may be generated based on a particular time frame. Each detected access of personal data by an application during the time frame may be recorded and a plurality of the instances of detected access may be aggregated to form the personal data access report 900 for the time frame.” (emphasis added)
LaFever in [0393] states, “Privacy servers and associated databases may store information pertaining to TDRs, time periods/stamps, DDIDs, attributes, attribute combinations, Data Subjects, related parties, associated profiles and other related information.” (emphasis added) Thus, the time frames tracked by Wyatt could be stored in the privacy server of LaFever.
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to  have modified LaFever and Mylrea to incorporate the teachings of Wyatt to incorporate the recording of the time frame when personal data is accessed. One of ordinary skill in the art would have been motivated to make this modification so that LaFever and Mylrea could track the time that the tracked personal data is accessed for the purpose of better audit tracking.   
While Wyatt is not directed to distributed ledgers Wyatt is directed to databases in general and includes the above discussed features of paragraph [0076] which track a user’s access to categories of personal data, which can be used for the auditing performed in LaFever and Mylrea. 

Regarding claim 24,
LaFever, Mylrea, Rind, and Wyatt teaches,
The system of claim 17, wherein the record of the re-identification operation comprises a description of categories of data subjects of the de-identified data.
Claim 24 is rejected for substantially the same reasons given for claim 8, because the recitation of claim 24 is the same as claim 8.

Regarding claim 25, 
LaFever, Mylrea, Rind, and Wyatt teaches,
The system of claim 17, wherein the record of the re-identification operation comprises a description of personal data contained in the de-identified data.
Claim 25 is rejected for substantially the same reasons given for claim 9, because the recitation of claim 25 is the same as claim 9.

Regarding claim 26, 
LaFever, Mylrea, Rind, and Wyatt teaches,
The system of claim 17, wherein the record of the re-identification operation comprises a date and a time of the re-identification operation.
Claim 26 is rejected for substantially the same reasons given for claim 10, because the recitation of claim 26 is the same as claim 10.

Claims 14 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over LaFever, in view of Mylrea, and further in view of U.S. 2020/0164886 A1 to Dutta et al. (hereinafter “Dutta”). 

Regarding claim 14, 
LaFever, Mylrea, and Rind teach,
The method of claim 1,
LaFever, Mylrea, and Rind fail to teach,
However, Dutta teaches,
wherein the record includes a pointer to a second record in a database external to the distributed ledger, the second record containing details of the re-identification operation.
However, Dutta teaches the above recitation, because Dutta states, “[0048] When two records are linked, the first record provides a reference and/or a pointer to the second record. The reference and/or the pointer may be the shared attribute, which directs an entity to another record on a different distributed ledger.” (emphasis added) Further, LaFever and Mylrea together teach a record of a re-identification being stored in a distributed ledger.  
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to have modified LaFever and Mylrea to incorporate the teachings of Dutta to incorporate the features of Dutta’s first and second records whose relationship can be partially determined by a pointer, with the teachings of the record of a re-identification operation being stored in a distributed ledger, as taught by LaFever and Mylrea. One of ordinary skill in the art would have been motivated to make this modification in order to store the records of the re-identification in an external database that is external to the distributed ledger that stores the de-identified data that has been re-identified.
Additionally, LaFever, Mylrea, and Dutta are all considered to be analogous to the claimed invention because they are in the same field of distributed ledgers and block chains that used identifiers (i.e., de-identifiers).

Regarding claim 30, 
LaFever, Mylrea, Rind, and Dutta teaches,
The system of claim 17, wherein the record includes a pointer to a second record in a database external to the distributed ledger, the second record containing details of the re-identification operation.   
Claim 30 is rejected for substantially the same reasons given for claim 14, because the recitation of claim 30 is the same as claim 14.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRIAN WILLIAM AVERY whose telephone number is (571)272-3942.  The examiner can normally be reached on 9AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on (571)272-3739.  
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/B.W.A./

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495