DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
	The amendment filed November 28 2022 has been entered. Applicant amended claims 1, 3, 10, 13, 16, and 18; and cancelled claim 9. Accordingly, claims 1-8 and 10-18 remain pending.
	Applicant’s amendment to the abstract overcomes the abstract objection of July 26 2022; therefore, the abstract objection of July 26 2022 is withdrawn.
	Applicant’s amendment to claim 3 overcomes the 35 USC 112(b) rejection of July 26 2022; accordingly, the 35 USC 112(b) rejection of July 26 2022  is withdrawn.

Response to Arguments
Applicant’s arguments on page 9, filed November 28 2022, that pertains to the amended claimed limitation of a dashboard that allows a user to accept or reject data results of individual data locations or entities as related to a data subject and the rejection(s) of claim(s) 13 and 18 under 35 USC 102 as being anticipated by Vax et al US 11238176 (hereinafter Vax) and  claim 1 under 35 USC 103 as being unpatentable over Vax et al US 11238176 in view of Avrahami et al US 20140136941 have been fully considered and are persuasive.  Therefore, the rejections have been withdrawn.  However, upon further search and consideration, a new ground(s) of rejection is made in view of Barday et al US 20190179490 (hereinafter Barday).
Applicant’s remarks, on page 9, filed November 28 2022, pertaining to the amended claimed limitation of “facilitate response to a subject rights request” being distinguishable over the prior art of record is not persuasive. Please, see column  4, lines 10-14 of Vax which reveals that the data subject received can be used by an organization to search and to comply with customer requests for deletion of their personal data. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 13-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Vax et al US 11238176 (hereinafter Vax) in view of Barday et al US 20190179490 (hereinafter Barday).

As to claim 13, Vax teaches an apparatus (Figure 19) comprising: a processor-based computer system (column 32, lines 40-42 disclose a data-processing apparatus and column 32, lines 45-49 disclose the data processing apparatus comprises a computer and/or multiple processors or computers)  including a memory and a processor (column 32, lines 40-42 disclose machine readable storage medium and a data-processing apparatus) , the memory having computer-readable instructions (column 32, lines 30-42 disclose the storage media has programmable instructions) that, when executed, cause the computer system (column 32, lines 52-55 disclose the computer executes instructions) to: 
receive a data subject search term provided by a human user(Figure 1, step 102 “Receive initial personal information attributes for one or more data subjects”, step 102 “Receive personal information rules”; column 5, lines 1-2 and column 5, lines 5-12 disclose the initial personal information/ information rules may be manually entered into the system by a user) to facilitate response to a subject rights request pertaining to data subject (column 4, lines 10-14 reveal that the data subject received can be used by an organization to search and to comply with customer requests for deletion of their personal data);
search a database of sensitive data entities and locations of the sensitive data entities within an organizational computer network for instances of the data subject search term provided by the human user(Figure 1, step 104 “Search identity data source for personal information, based on rules”;  the personal information includes data subject search terms; column 5, lines 57-60; column 5, lines 37-46 disclose the system may be directed to identity data sources that are known to hold personal information of data subjects…the identity data sources may include structured databases, user directories, customer relationship management systems, see also column 7, lines 27-35; column 2, lines 1-3 reveals the search is done by an organization various systems and applications); 
output a graphical representation of search results to the human user(Figure 11 shows a data profile display screen; Figure 13 shows a data mapping screen ;column 8 lines 1-5 disclose based on the search, an output of a/the data subject profile is made and is presented to a user; column 14, lines 1-6 further reveals that the scan results is presented to the user in the form of a heat map report), the graphical representation including a constellation graph depicting the data subject search term (Figure 9 shows heat map 950 display screen and a risk map 930; column 14, lines 4-9 describes a heat map that display the number of data subjects associated with personal information found in the scanned data source along with the total number of each personal information attribute type found within the data source; the display screens fall within the definition of constellation, a group or cluster of related things; column 14, lines 20-25 disclose identity lineage dashboard that allows users to visualize data attributes that are associated with data subject profiles stored in the identity graph, and connections between attributes and/or data source location)  linked to locations in which the data subject search term is stored and depicting sensitive data entities, other than the data subject search term, linked to the locations in which the data subject search term is stored (Figure 11 shows a data profile display screen; Figure 10 shows an exploration display screen ; Figure 9 shows heat map display screen: column 14, lines 4-9 describes a heat map that display the number of data subjects associated with personal information found including residencies sensitive data entities which are other data than the subject search term linked to the locations in which the data subject search term is stored; column 14, lines 20-25 disclose identity lineage dashboard that allows users to visualize data attributes that are associated with data subject profiles stored in the identity graph, and connections between attributes and/or data source locations; column 9, lines 43-50 disclose the file/collection that is linked to the data subject profile and the file/collection includes metadata associated with the found potential personal information such as data source information where the attribute is stored, location information corresponding to a location within the data source), wherein outputting the graphical representation includes displaying an interactive dashboard having the constellation graph to the human user (Figure 9 reveals a risk map  930 and heat map widget 950 ; column 17, lines 25-34 discloses the risk map is displayed to the user via a dashboard. The dashboard display data sources that have been scanned by the system to determine the location of stored information. The size of each data source representation in the heatmap is based on the amount of personal information stored in the identified data source. Column 17, lines 56-62 also reveals risk map that is shown to the user by the dashboard. The risk map provides information relating to the location of various data sources) ; and 
based on input from the human user via the interactive dashboard, add at least one depicted location or sensitive data entity(column 5, lines 45-50 reveal the user can input one or more identity data source information, such as name, location, type ) , other than the data subject search term, to a data subject profile of the data subject(column 7, lines 15-19 disclose the system may receive data source/location information from a user via manual input and this is information other than the data subject search terms, and column 7, lines 28-31 discloses personal information attributes associated with data subject profiles are added to the system by a user).
While Vax teaches the recited limitations above as well as teaches validating the personal information with the data subject via the interactive display graph (column 6, lines 31-32 reveals false positives are eliminated by validating the personal information corresponding to the data subject), Vax does not teach receive, from the human user via the interactive dashboard following output of the graphical representation, an indication of acceptance or rejection of one or more locations as being related to the data subject; based on an input from the human user.
Barday teaches  receive, from the human user (Figure 26, reference number 2650 , further described below) via the interactive dashboard following output of the graphical representation (paragraphs 151 and Figure 26 reveal that step 2650 follows the steps recited in steps 2630 and 2640, wherein paragraphs 151 and/or 155 reveal the output can be a data table or data model representation. Paragraph 40 defines a data model as a model that maps one or more relationships between a plurality of data assets utilized by a corporation or other entity), an indication of acceptance or rejection of one or more locations as being related to the data subject (Figure 26, reference number 2650 “Receive input from a user confirming or denying categorization of the one or more data elements…” and paragraph 158 reveals that a dashboard prompts a user, privacy officer, or system administrator to confirm or deny that a particular data element is associated with a particular individual from the catalog, or that the data element or attribute discovered during the scans were properly categorized. From the preceding paragraph 157, the generated catalog pertains to data flow of the data among one or more data repositories/locations).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Vax’s dashboard which can display the visual representation of the search results with Barday’s teachings of accepting or denying the data element locations as being related to the data subject to increase the confidence score of the data element (paragraph 158 of Barday), wherein the confidence score is the probability that the personal data is actually associated with a particular data subject (paragraph 147 of Barday),  and to provide improved systems that manage personal data in a manner that complies with privacy policies (paragraph 3 of Barday). 

	As to claim 14, the combination of Vax in view of Barday teaches wherein the memory has computer- readable instructions(Vax: column 32, lines 30-42 disclose the storage media has programmable instructions) that, when executed, cause the computer system to output the data subject profile(Vax: Figure 1, step 106 “Create identity graph profile for one or more data subjects with correlated personal information”; column 4, lines 56-58 disclose creating data subject profiles).

As to claim 15, the combination of Vax in view of Barday teaches wherein the memory is a non-volatile memory device (Vax: column 33, lines 39-40 disclose the computer readable media include all forms of nonvolatile memory).

As to claim 16, the combination of Vax in view of Barday teaches wherein the memory has computer- readable instructions (Vax: column 32, lines 30-42 disclose the storage media has programmable instructions) that, when executed, cause the computer system to: receive a selection from the human user of a location depicted in the constellation graph via the interactive dashboard (Vax: Figure 10 shows an exploration display screen and column 19, lines 55-57 disclose a user can make a selection on the location of the screen/dashboard of the details link); and in response to the received selection, display at least a portion of a file showing the data subject search term, or a sensitive data entity other than the data subject search term, in context within the file (Vax: Figure 10, reference number 1036 and column 19, lines 55-57 disclose upon selection from the user of the details link, a link opens that provides listed personal information records/sensitive data from the search).

As to claim 17, the combination of Vax in view of Barday teaches wherein the database of sensitive data entities and locations of the sensitive data entities within the organizational computer network (Vax: column 2, lines 1-3 reveals the search of sensitive data entities and the location(s) is done by the organization various systems and applications) is a database of personal identifying information and locations of the personal identifying information within the organizational computer network(Vax: column 9, lines 43-50 disclose the file/collection/database includes metadata associated with the found potential personal information and includes data source information where the attribute is stored, location information corresponding to a location within the data source where the attribute is stored, scan ID, etc.).

As to claim 18, Vax teaches a non-transitory computer-readable medium encoded with instructions (column 32, lines 30-42 disclose the  non-transitory storage media has programmable instructions) that, when executed by a processor of a computer system, cause the computer system(column 32, lines 52-55 disclose the computer executes instructions)  to: 
receive a data subject search term provided by a human user(Figure 1, step 102 “Receive initial personal information attributes for one or more data subjects”, step 102 “Receive personal information rules”; column 5, lines 5-12 and column 5, lines 1-2 disclose the initial personal information and information rules may be manually entered into the system by a user), to facilitate response to a subject rights request pertaining to data subject (column 4, lines 10-14 reveal that the data subject received can be used by an organization to search and to comply with customer requests for deletion of their personal data); 
search a database of sensitive data entities and locations of the sensitive data entities within an organizational computer network for instances of the data subject search term provided by the human user(Figure 1, step 104 “Search identify data source for personal information, based on rules”;  column 5, lines 57-60; column 5, lines 37-46 disclose the system may be directed to identity data sources that are known to hold personal information of data subjects…the identity data sources may include structured databases, user directories, customer relationship management systems, see also column 7, lines 27-35; column 2, lines 1-3 reveals the search is done by organization various systems and applications); 
output a graphical representation of search results to the human user(Figure 11 shows a data profile display screen; Figure 13 shows a data mapping screen ;column 8 lines 1-5 disclose based on the search, an output of a/the data subject profile is made and is presented to a user; column 14, lines 1-6 further reveals that the scan results is presented to the user in the form of a heat map report), the graphical representation including a constellation graph depicting the data subject Page 32 of 3421014-002 search term(Figure 9 shows heat map display screen: column 14, lines 4-9 describes a heat map that display the number of data subjects associated with personal information found in the scanned data source along with the total number of each personal information attribute type found within the data source; the display screens fall within the definition of constellation, a group or cluster of related things; column 14, lines 20-25 disclose identity lineage dashboard that allows users to visualize data attributes that are associated with data subject profiles stored in the identity graph, and connections between attributes and/or data source location)  linked to locations in which the data subject search term is stored and depicting sensitive data entities, other than the data subject search term, linked to the locations in which the data subject search term is stored(Figure 11 shows a data profile display screen; Figure 10 shows an exploration display screen ; Figure 9 shows heat map display screen: column 14, lines 4-9 describes a heat map that display the number of data subjects associated with personal information found including residencies sensitive data entities which is other data than the subject search term linked to the locations in which the data subject search term is stored; column 14, lines 20-25 disclose identity lineage dashboard that allows users to visualize data attributes that are associated with data subject profiles stored in the identity graph, and connections between attributes and/or data source locations; column 9, lines 43-50 disclose the file/collection that is linked to the data subject profile and the file/collection includes metadata associated with the found potential personal information such as data source information where the attribute is stored, location information corresponding to a location within the data source), wherein outputting the graphical representation includes displaying an interactive dashboard having the constellation graph to the human user (Figure 9 reveals a risk map  930 and heat map widget 950 ; column 17, lines 25-34 discloses the risk map is displayed to the user via a dashboard. The dashboard display data sources that have been scanned by the system to determine the location of stored information. The size of each data source representation in the heatmap is based on the amount of personal information stored in the identified data source. Column 17, lines 56-62 also reveals a risk map that is shown to the user by the dashboard. The risk map provides information relating to the location of various data sources); and 
based on input from the human user, add at least one depicted location or sensitive data entity(column 5, lines 45-50 reveal the user can input one or more identity data source information, such as name, location, type ), other than the data subject search term, to a data subject profile of the data subject(column 7, lines 15-19 disclose the system may receive data source information other than the search term from a user via manual input, and column 7, lines 28-31 discloses personal information attributes associated with data subject profiles added to the system by a user).
While Vax teaches the recited limitations above as well as teaches  validating the personal information with the data subject via the interactive display graph (column 6, lines 31-32 reveals false positives are eliminated by validating the personal information corresponding to the data subject), Vax does not teach receive, from the human user via the interactive dashboard following output of the graphical representation, an indication of acceptance or rejection of one or more locations as being related to the data subject; based on an input from the human user.
Barday teaches  receive, from the human user (Figure 26, reference number 2650 , further described below) via the interactive dashboard following output of the graphical representation (paragraphs 151 and Figure 26 reveal that step 2650 follows the steps recited in steps 2630 and 2640, wherein paragraphs 151 and/or 155 reveal the output can be a data table or data model representation. Paragraph 40 defines a data model as a model that maps one or more relationships between a plurality of data assets utilized by a corporation or other entity), an indication of acceptance or rejection of one or more locations as being related to the data subject (Figure 26, reference number 2650 “Receive input from a user confirming or denying categorization of the one or more data elements…” and paragraph 158 reveals that a dashboard prompts a user, privacy officer, or system administrator to confirm or deny a particular data element is associated with a particular individual from the catalog, or that the data element or attribute discovered during the scans were properly categorized. From the preceding paragraph 157, the generated catalog pertains to data flow of the data among one or more data repositories/locations).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Vax’s dashboard displaying the visual representation of the search results with Barday’s teachings of accepting or denying the locations as being related to the data subject to increase the confidence score of the data element (paragraph 158 of Barday), wherein the confidence score is the probability that the personal data is actually associated with a particular data subject (paragraph 147 of Barday),  and to provide improved systems that manage personal data in a manner that complies with privacy policies (paragraph 3 of Barday). 

Claim(s) 1-8 and 10-12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Vax et al US 11238176 (hereinafter Vax) in view of Avrahami et al US 20140136941 (hereinafter Avrahami) in further view of Barday et al US 20190179490 (hereinafter Barday).

As to claim 1, Vax teaches a computer-implemented method (Figures 1 and 2 ) comprising: 
receiving a specific item of personal identifying information (PII) of a data subject (Figure 1, step 102 “Receive initial personal information attributes for one or more data subjects”, step 102 “Receive personal information rules”; column 5, lines 5-12); 
using the received specific item of PII of the data subject, searching a database of PII held by an organization for instances of the specific item of PII of the data subject (Figure 1, step 104 “Search identify data source for personal information, based on rules”, the rules are the received specific item of PII; see also column 5, lines 57-60; column 2, lines 1-3 reveals the search is done by an organization various systems and applications), wherein the database of PII identifies storage locations in which PII is held within an organizational computer network (column 5, lines 37-46 disclose the system may be directed to identity data sources that are known to hold personal information of data subjects…the identity data sources may include structured databases, user directories, customer relationship management systems);
 	determining a first storage location within the organizational computer network of an instance of the specific item of PII of the data subject found during the searching of the database of PII (column 7, lines  14-15 and 20-24 disclose determining/discovering by the system a primary data source(s); column 5, lines 62-66 disclose the system may create a finding list of information such as the personal information attribute, the data source in which the attribute was found, the location where the attribute is located within the data source); 
searching the database of PII to find additional PII held at the first storage location (column 7, lines 32-35 and 40-47 disclose the system may search the primary data sources for additional personal information based on the personal information attribute rules”); 
associating a specific item of additional PII held at the first storage location with the data subject (column 6, lines 1-4 disclose that once the system has searched the identity data source, the system may attempt to correlate each of the findings to a data subject; see also column 7 lines 58-60; column 8, lines 19-20 disclose the system may update the personal information rules, including attribute definition rules; Figure 2 step 206 “Correlate found personal information to data subjects”); 
using the specific item of additional PII held at the first storage location , searching the database of PII for instances of the specific item of additional PII held at the first storage location (column 8, lines 27-40 disclose the rules, the specific item, may be updated, and the update information, specific item is used to search for personal information that belongs to any new data subject; see also column 7, lines 27-35); 
determining a second storage location within the organizational computer network of an instance of the specific item of additional PII held at the first storage location (column 7, lines 14-15 and 20-24 disclose the system determines secondary data sources; column 5, lines 62-66 disclose the system may create a finding list of information such as the personal information attribute, the data source in which the attribute was found, the location where the attribute is located within the data source); 
searching the database of PII to find additional PII held at the second storage location(column 7, lines 28-35 disclose the system may search secondary data sources for personal information attributes that have been previously associated with data subject profiles… the system may also search secondary data sources for additional personal information based on the personal information attribute rules); 
associating a specific item of additional PII held at the second storage location with the data subject(column 6, lines 1-4 disclose that once the system has searched the identity data source, the system may attempt to correlate each of the findings to a data subject; see also column 7 lines 58-60; column 8, lines 19-20 disclose the system may update the personal information rules, including attribute definition rules; Figure 2 step 206 “Correlate found personal information to data subjects”); and
 preparing a data subject profile including: the received specific item of PII of the data subject(Figure 1, step 106 “Create identity graph profile for one or more data subjects with correlated personal information” wherein the personal information includes the received specific item of PII of the data subject), the specific item of additional PII held at the first storage location (column 4, lines 56-58 disclose creating data subject profiles; column 6, lines 8-26 disclose the system creates identity graph data subject profile for any number of data subjects which includes the data subject, pointers to personal information attributes, which are the specific item of additional PII at a data source) and associated with the data subject, and the specific item of additional PII held at the second storage location and associated with the data subject (column 4, lines 56-58 disclose creating data subject profiles; column 6, lines 8-26 disclose the system creates identity graph data subject profile for any number of data subjects which also includes the correlated personal information, the associated data subject, and specific item of additional PII, from the primary and secondary data sources).
Vax does not teach associating a specific item of additional PII held at the first storage location with the data subject, wherein the specific item of additional PII held at the first storage location is different than the received specific item of PII of the data subject; using the specific item of additional PII held at the first storage location and associated with the data subject, searching the database of PII for instances of the specific item of additional PII held at the first storage location; associating a specific item of additional PII held at the second storage location with the data subject, wherein the specific item of additional PII held at the Page 28 of 3421014-002 second storage location is different than the specific item of additional PII held at the first storage location and the received specific item of PII of the data subject.
Avrahami teaches searching a database of PII for instances of the specific item of PII (paragraph 30 discloses PII may be gathered from one or more database records, based on  specific item for name); searching the database of PII to find additional PII (paragraph 30 discloses when the name is searched, a database record containing the name might also contain birth date and/or telephone number); associating a specific item of additional PII held at the first storage location with the data subject (paragraph 30 discloses associating the specific item of birth date or telephone number with the name PII at the first location, that is associated with an individual ), wherein the specific item of additional PII held at the first storage location is different than the received specific item of PII of the data subject (paragraph 30 discloses the name specific item is different from the birth date or telephone number); using the specific item of additional PII held at the first storage location, searching the database of PII for instances of the specific item of additional PII held at the first storage location and associated with the data subject  (paragraph 30 discloses the case identifier will search to find additional birthdate or telephone number data from the first database record that is associated with an individual);searching the database of PII to find additional PII held at the second storage location (paragraph 30 discloses the identifier may then use the telephone number found in the first data source as a linking basis to find additional PII in another/second data source, data record);
associating a specific item of additional PII held at the second storage location with the data subject (paragraph 30 discloses the specific item of telephone number is associated with additional PII held at the second data source and is associated with the name PII), wherein the specific item of additional PII held at the Page 28 of 3421014-002 second storage location is different than the specific item of additional PII held at the first storage location and the received specific item of PII of the data subject (paragraph 30 , wherein telephone number is the specific item of additional PII held at the second storage, which differ from birthdate, the specific item of additional PII held at the first storage location, which differ from name, the received specific item of PII of the data subject).
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Vax’s method of searching personal information with Avrahami’s method of utilizing different specific items of additional PIIs to provide a set of predefined rules that readily identify sensitive information at different data source locations (paragraph 2 of Avrahami).
	The combination of Vax in view of Avrahami does not teach and wherein associating the specific item of additional PII held a the first storage location with the data subject includes: displaying multiple items of additional PII held at the first storage location in an interactive dashboard, the multiple items of additional PII held at the first storage location including the specific item of additional PII held at the first storage location; allowing a human user to indicate, via the interactive dashboard, acceptance or rejection of individual items of the multiple items of additional PII as being associated with the data subject; and  based on the human user indicating acceptance of the specific item of additional PII held at the first storage location, associating the specific item of additional PII held at the first storage location with the data subject.
Barday teaches and wherein associating the specific item of additional PII held a the first storage location with the data subject (paragraph 150 reveals that in response to discovering one or more pieces of  personal information in a particular storage location, identify one or more associations between the discovered pieces of personal information with the data subject/individual, see also paragraph 153) includes: displaying multiple items of additional PII held at the first storage location in an interactive dashboard, the multiple items of additional PII held at the first storage location including the specific item of additional PII held at the first storage location(paragraph 155 reveals the output from the scan and the association are displayed as a data model representation. Paragraphs 40 and 102 define a data model/map as a model that maps one or more relationships between a plurality of data assets utilized by a corporation or other entity); allowing a human user to indicate, via the interactive dashboard, acceptance or rejection of individual items of the multiple items of additional PII as being associated with the data subject(Figure 26, reference number 2650 “Receive input from a user confirming or denying categorization of the one or more data elements…” and paragraph 158-159 reveal that a dashboard prompts a user, privacy officer, or system administrator to confirm or deny a particular data element is associated with a particular individual from the catalog, or that the data element or attribute discovered during the scans were properly categorized. From the preceding paragraph 157, the generated catalog pertains to data flow of the data among one or more data repositories/locations) ; and  based on the human user indicating acceptance of the specific item of additional PII held at the first storage location, associating the specific item of additional PII held at the first storage location with the data subject (paragraph 158-159 reveal that upon confirmation of the PII data element, the system associates the specific data element at the storage location with the data subject/individual by updating/increasing the confidence score).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Vax’s dashboard displaying the visual representation of the search results with Barday’s teachings of accepting or denying the locations as being related to the data subject to increase the confidence score of the data element (paragraph 158 of Barday), wherein the confidence score is the probability that the personal data is actually associated with a particular data subject (paragraph 147 of Barday),  and to provide improved systems that manage personal data in a manner that complies with privacy policies (paragraph 3 of Barday). 


	As to claim 2, the combination of Vax in view of Avrahami and Barday teaches wherein receiving the specific item of PII of the data subject includes receiving the specific item of PII of the data subject with a subject rights request initiated by a person (Vax: column 5, lines 1-10 disclose the initial personal information rules may be manually entered into the system by a user; column 25, lines 39-47 disclose subject right requests of data initiated by the user).

As to claim 3, the combination of Vax in view of Avrahami and Barday teaches comprising validating an identity of the person who initiated the subject rights request(Vax: column 25, lines 39-4 disclose for the subject rights request, the user have to input access credentials such as username and password, and thus the identity of the person is validated).

As to claim 4, the combination of Vax in view of Avrahami and Barday teaches wherein receiving the specific item of PII of the data subject includes receiving one or more items that, individually or collectively, uniquely identify the data subject(Vax: column 5, line 9 recites the specific item of PII, which is the personal information rules/attributes, includes unique identifier).

As to claim 5, the combination of Vax in view of Avrahami and Barday teaches  wherein receiving the specific item of PII of the data subject includes receiving one or more of a social identifier or biometric identifier of the data subject (Vax: column 5, lines 8-12 disclose  the personal information rules/attributes includes social identifier such as social security number and phone number).

As to claim 6, the combination of Vax in view of Avrahami and Barday teaches  wherein receiving the specific item of PII of the data subject includes receiving at least one social identifier that includes one or more of: a name(Vax: Figure 10 shows an exploration display screen which shows PII of full name), address(Vax: Figure 10 shows an exploration display screen which shows PII of zip code, and claim 8 reveals PII can be an address), phone number(Vax: column 5, lines 8-12 disclose  the personal information rules/attributes includes social identifier such as phone number), date of birth(Vax: claim 8 reveals the PII record includes date of birth), license number(Vax: Figure 10 shows an exploration display screen which shows PII of license number), passport number(Vax: Figure 10 shows an exploration display screen which shows PII of passport number), credit card number(Vax: Figure 10 shows an exploration display screen which shows PII of credit card number), account number(Vax: column 5, lines 8-12 disclose  the personal information rules/attributes includes social identifier such as social security number), social security number(Vax: column 5, lines 8-12 disclose  the personal information rules/attributes includes social identifier such as social security number), password (Vax: column 25, lines 44-45 reveal the PII specific item rule scanned includes password), or e-mail address(Vax: claim 8 discloses the PII can be an email address).

As to claim 7, the combination of Vax in view of Avrahami and Barday teaches comprising creating the database of PII (Vax: column 6, lines 1-2, column 7, lines 53-57, and column 9, lines 40-43  disclose creating a personal information finding file or collection which is a database).

As to claim 8, the combination of Vax in view of Avrahami and Barday teaches wherein creating the database of PII includes discovering PII held within the organizational computer network (Vax: column 6, lines 1-2, column 7, lines 53-57, and column 9, lines 40-43  disclose creating a personal information finding file or collection and column 2, lines 1-3 reveal the PII is held within the organization various systems and applications) and creating a searchable database in which each item of discovered PII is mapped to a storage location at which that item of discovered PII is stored (Vax: column 9, lines 43-50 disclose the file/collection includes metadata associated with the found potential personal information such as data source information where the attribute is stored, location information corresponding to a location within the data source where the attribute is stored, scan ID, etc.) .

As to claim 10, the combination of Vax in view of Avrahami and Barday teaches comprising displaying at least a portion of a file to show the specific item of additional PII in context within the file (Vax: Figure 10, reference number 1036 and column 19, lines 55-57 disclose a link which a user selects is opened, and the link provides listed personal information records).

As to claim 11 the combination of Vax in view of Avrahami and Barday  teaches wherein associating the specific item of additional PII held at the second storage location with the data subject includes(Vax: column 7, lines 29-30 disclose searching secondary data source location, and specific item/rules and PII associated with the second storage location): presenting the specific item of additional PII held at the second storage location to the human user(Vax: column 7, lines 29-30 disclose searching secondary data source location, and column 8 lines 1-5 disclose based on the search, the data subject profile, which is presented to a human user, is updated; column 14, lines 1-6 further reveals that the scan results is presented to the user); and in response to input from the human user, associating the specific item of additional PII held at the second storage location with the data subject(Vax: column 9, lines 52-56 disclose correlation of the findings is based on user-configuration; column 14, lines 20-31 disclose the system provides an identity lineage dashboard to allow users to visualize data attributes that are associated with data subject profiles, where a list of root object is displayed to the user for input/selection).

	As to claim 12, the combination of Vax in view of Avrahami and Barday teaches wherein preparing the data subject profile includes creating a new data subject profile or updating a previous data subject profile (Vax: column 6, lines 49-53 disclose creating and/or updating the data subject profile for an identity graph).



Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to FELICIA FARROW whose telephone number is (571)272-1856. The examiner can normally be reached M - F 7:30--5:30pm (EST).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571)272-4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/F.F/Examiner, Art Unit 2437  

/KRISTINE L KINCAID/Supervisory Patent Examiner, Art Unit 2437