# Exploring Simulation Scenarios to Mitigate Information Asymmetry Under the LGPD Perspective - Educational Scenario

## Table of Contents
1. [LGPD Ontology](#LGPD-Ontology)
1. [Scenario Structure](#Scenario-Structure)
1. [Educational Scenario Description](#Educational-Scenario-Description)
2. [Scene 1: Set Consent Term](#Scene-1:-Set-consent-term.)
3. [Scene 2: Data Subject Agrees with the Consent Term](#Scene-2:-Data-Subject-agrees-with-the-consent-term.)
4. [Scene 3: Defining the Data Subject's Rights](#Scene-3:-Defining-the-Data-Subject's-rights.)
5. [Scene 4: Data Subject's Consent Revocation](#Scene-4:-Data-Subject's-consent-revocation.)
6. [Performing explanation exercises regarding possible scenarios](#Performing-explanation-exercises-regarding-possible-scenarios)
    
    8.1 [Cause-Effect: Consent revocation not respected](#Cause-effect:-How-to-evidence-when-the-Data-Controller-did-not-respect-the-consent-revocation?)
    
    8.2 [Cause-Effect: Evidencing data leak](#Cause-effect:-How-to-get-evidences-that-the-Data-Controller-leaked-the-Data-Subject's-data?)
    
    8.3 [Cause-effect: Data breach, what to do?](#Cause-effect:-Data-breach,-what-to-do?)
    
    8.4 [Cause-Effect: Requesting data correction](#Cause-effect:-Requesting-data-correction)

    8.5 [Cause-Effect: Requesting data anonymization](#Cause-effect:-Requesting-anonymization)
    
    8.6 [Cause-effect: Data deletion](#Cause-effect:-Data-deletion)
    
    8.7 [Cause-effect: Technology unavailability](#Cause-effect:-Technology-unavailability)
    
    8.8 [Cause-effect: Inconsistent behavior](#Cause-effect:-Inconsistent-behavior)
    
    8.9 [Cause-effect: Data portability](#Cause-effect:-Data-portability)

### LGPD Ontology

This notebook applies the PrOnto ontology in the LGPD context. PrOnto was originally developed to map the GDPR entities and their relationships; however, as the LGPD has a strong synergy with the GDPR, we also used this ontology for the LGPD scenarios. The first step was therefore to evaluate the GDPR and the LGPD to identify the main differences. The former is more normative and detailed. The latter is more general and, as a law, leaves its clauses open to case-by-case interpretation.

The LGPD cases can present intersections with other laws in the Brazilian constitution, depending on the case, as depicted in Figure 1. 

LGPD defines: 
 - legal basis: consent is the most popular, but there are others foreseen in the law, 
 - data protection guidelines: general guidelines, 
 - applicability: there are some situations that the LGPD cannot be applied, such as when the data is anonymized,
 - concepts: LGPD qualifies personal data, sensitive personal data, data controller, among others,
 - rights and duties: LGPD sets rights and duties for data subjects, controllers and processors.

![LGPD_Structure](./img/LGPD_Structure.png "LGPD Structure")
Fig.1 - LGPD under Constitution.


[comment]: <> (In this sense, we decided to create a straight-to-the-point ontology version to highlight the essential concepts in the LGPD and their relationships. Moreover, we added the auditing concerns to this version, as depicted in the following image.)

<!-- ![LGPD_Ontology](./img/LGPD_Ontology.png "LGPD Ontology")
Fig.2 - GDPR ontology applied to LGPD.. -->

In a detailed view, Figure 2 depicts the relationships between the ontology entities. It is important to note that the "consent term" and the "right" are the central points of the ontology; like the entity "dispute resolution", they have many connections with other concepts. For instance, if the purpose limitation changes, the data controller must get a new consent term from the data subject. Depending on his/her will, the data subject can disagree, which interrupts the data collection. Still, if the data controller does not stop collecting the data subject's personal data, it will violate the data subject's rights, and fines will be applied to the data controller.

Even though the LGPD does not specify the data processing modalities, we decided to include information regarding data security, access restriction, the technologies applied, and sharing policies. These pieces of information are important to understand the environmental factors related to the scenario execution and explanation.

Furthermore, there are 10 (ten) legal bases foreseen in the LGPD and we decided to start our study on Consent legal basis. We decided to use consent as a study object because it can be applied in most situations.

![LGPD_Ontology_Relationships](./img/LGPD_Ontology_Relationships.png "LGPD Ontology Relationships")
Fig.2 - LGPD Relationships.

In this sense, we developed a simulation tool to evaluate the LGPD application in pre-set scenarios. We aim to contribute a tool that drives data subjects and controllers to think about the requirements and consequences of sharing and using personal and sensitive data. This tool will then generate explanations regarding the data subjects' and controllers' behavior, their effects, and the risks. As the code is open-source and the built scenarios are also available, the contribution is open for use by any member of society.


Moreover, the developed structure could be applied to other data regulation scenarios by adapting the ontology and the established rules. We tried to document it in as much detail as possible to allow further reuse.

Next, we create scenarios to show samples of law's application using Prolog.

### Scenario Structure

This scenario structure was developed based on the PrOnto ontology, but some changes were made. The PrOnto ontology has many modules that describe the ontology entities in detail; however, it might be hard for ordinary people, i.e., citizens, to understand the main concerns when sharing their data.

In this sense, we gathered the PrOnto definitions to create our scenario structure, as depicted in the image below.


Our scenario presents five pillars: Agent, Action, Consent Term, Right, and Deontic Operator, which are detailed and depicted below:
 - **Agent**: Scenarios have to define the agents, i.e., who are the Data Subjects, Data Controllers and Data Processors that will be involved and their actions.
 - **Action**: The actions are narrowed by the consent term, which defines the agents, the purpose, the data that will be used, and the time frame. Moreover, the actions are executed under a jurisdiction and entail risks, such as the risk of a data leak. Last but not least, actions are composed of steps, which are executed based on the current rights available for the agents and persisted by log registries. Moreover, the Action can be classified by types, which will help the explanation process filtering the activity log.
 - **Consent Term**: As the study object, the consent term has an important role in defining all the information required to make the data subject aware of the data sharing conditions, and in narrowing the data controller's actions and the context in which the data subject's information is used.
 - **Right**: The agents may have different rights depending on the classification, time frame and previous actions. The rights are complemented by the Deontic Operators.
 - **Deontic Operator**: The deontic concepts define whether there is an obligation, prohibition, or permission. Furthermore, PrOnto also includes violation and compliance as statuses related to an obligation or prohibition.
 
All actions are persisted in an **activity log** to be used as explanation evidence. The log entries are composed of:

<ol type="i">
  <li>action description;</li>
  <li>action type;</li>
  <li>deontic operator;</li>
  <li>action timestamp.</li>
</ol>
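
The four log fields map onto a `log/4` fact in the same field order the notebook's cells use, and the explanation process then amounts to filtering those facts by time, action type, and deontic operator. The block below is an added example, not part of the original notebook; the predicate names `logWindow/5` and `lastEntryBefore/3` are hypothetical and the sample entries are constructed from the notebook's messages and timestamps.

```prolog
% Added example, not part of the original notebook.
% Field order: log(Description, ActionType, DeonticOperator, Timestamp).
:- use_module(library(lists)).
:- use_module(library(pairs)).
:- dynamic log/4.

% Constructed sample entries reusing the notebook's messages and timestamps.
log('Data Subject can ask if the Data Controller is processing his/her data',
    'Observe', 'Permission', 1622035260).
log('Data Subject agrees with consent term',
    'Comunicate', 'Compliance', 1622035260).
log('Data Controller can collect the Data Subject information',
    'Observe', 'Permission', 1622035260).
log('Data Subject considered that the purpose limitation is not adequate',
    'Comunicate', 'Permission', 1624712875).
log('From now, the Data Controller cannot collect the Data Subject information',
    'Comunicate', 'Prohibition', 1624712875).

% logWindow(+From, +To, ?Type, ?Operator, -Entries)
% Entries is the list of entry(Timestamp, Type, Operator, Description) terms
% with From =< Timestamp =< To, sorted by timestamp. Type and Operator act as
% filters when bound and as wildcards when left unbound. keysort/2 is stable,
% so entries sharing a timestamp keep the order in which they were logged.
logWindow(From, To, Type, Operator, Entries) :-
    findall(TS-entry(TS, Type, Operator, Desc),
            ( log(Desc, Type, Operator, TS), TS >= From, TS =< To ),
            Pairs),
    keysort(Pairs, Sorted),
    pairs_values(Sorted, Entries).

% lastEntryBefore(+T, ?Operator, -Entry)
% Entry is the most recent log entry at or before T that carries Operator.
% Fails when the log holds no such entry.
lastEntryBefore(T, Operator, Entry) :-
    logWindow(0, T, _, Operator, Entries),
    last(Entries, Entry).

% Print two typical explanation queries over the sample log.
main :-
    logWindow(1622035260, 1637846460, _, 'Prohibition', Prohibitions),
    format("Prohibitions logged inside the consent window:~n"),
    forall(member(E, Prohibitions), format("  ~q~n", [E])),
    (   lastEntryBefore(1624000000, 'Permission', Last)
    ->  format("Latest permission at or before 1624000000:~n  ~q~n", [Last])
    ;   format("No permission logged at or before 1624000000~n")
    ).

:- initialization(main).
```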

![Scenario_Structure](./img/Scenario_Structure.png "Scenario Structure")
Fig.3 - Scenario Structure.

Our scenarios follow the structure presented below. First, we define the scenario context and formulate basic questions regarding the data subject's rights and how the data controller can address such questions. Then, we elaborate more complex scenarios in order to explore non-trivial situations that stress the scenario context, and we document the evidence. We aim to create a simulation tool with which data subjects and controllers can explore the scenarios already developed and contribute new perspectives. The collaborative contribution can generate a solid database for exploring LGPD compliance in many different situations.

<div>
<img src="./img/Scenario_Methodology.png" width="600"/>
</div>
Fig.4 - Scenario Methodology.

### Educational Scenario Description

**The Data Subject is a 17-year-old person who will start having classes at XYZ University.**

The Data Subject John is 17 years old, and he is going to start taking classes at XYZ University. However, as John is below 18 years old, i.e., he is considered a child under Brazilian law, he needs his parents to accept the consent terms to start the academic activities.

**General Consent Term**
Therefore, the University has to get John's personal data and request acceptance of the consent term from his parents. John has to provide the following data:
 - Full Name - used to identify the person
 - Address - used to keep communication by mail
 - Email - used to keep communication by the internet
 - Gender - used to create University's reports (choose as many as you like: Male, Female, Non-binary, Transgender, Intersex, I prefer not to say)
 - Birth - used to decide if the student is a person that can respond by their acts or if his/her parents have to sign on behalf of the student, i.e., if the student is below 18 years old (in Brazil).
 - Personal Identification Number - used to check the person's identity
 - Educational Transcripts - used to prove that the student has the minimum requirements to become the University's student.
 - Mother's Name - used to request legal action while the student is below 18 years old
 - Father's Name - used to request legal action while the student is below 18 years old
 
Therefore, from Wednesday, May 26, 2021 1:21:00 PM to Thursday, November 25, 2021 1:21:00 PM, when the student turns 18 years old, the student's parents will be the legal persons who respond on his behalf. The University will share the student's data following the government guidelines, but it will not share any information with unauthorized third parties. The University's professors will be able to get all the discipline scores when the student subscribes to their new disciplines. The professors are able to request such information when creating the discipline, if needed and justified. Also, the University will apply cryptographic algorithms and access policies to avoid data breaches and unauthorized access. The personal and sensitive data will be stored in a private cloud where the University has complete control of the applied technologies.

To do so, the University, i.e., the Data Controller, must send the consent term to John and his parents, i.e., the Data Subject. The consent term must present all the information defined in the LGPD art. 9.


Best practices:
 - The University should require a new acceptance of the consent term from the student when he/she changes from below 18 years old to above 18 years old, i.e., when the student legally becomes an adult.
 - When the student legally becomes an adult, the University should notify his/her parents that they are no longer the student's legal representatives.
 - XYZ University should not request any data without a justification.


**Semestral Consent Term Best Practices**

Each semester, the University should require the student's consent to remind him/her that the data might be shared with the university professors to whose classes the student has subscribed. Moreover, the University's professors should be able to:
 - Require the student course information in the consent term.
 - Set the student's transcripts as required information to subscribe to their classes.
   - If a professor requests the transcripts, he/she has to inform why this information will be collected.


Agents
 - Data Subject - John
 - Data Controller and processor - University XYZ

Action
 - Defined in the consent term.
 - Risk: data breach - impact: medium; even though there is no religion, ethnicity, or political opinion data, the student's transcripts may lead to discriminatory actions against the data subject.
    - Risk analysis definition: Low: when there is no sensitive data requisition; Medium: there are no sensitive data foreseen in the LGPD, but there are data that may generate discrimination actions to the data subject; High: There is at least one sensitive data foreseen in the LGPD shared with the data controller.
 - Jurisdiction: Brazilian Law
 
Consent Term
 - As the scenario description has all the required information for a consent term, it will be considered as the consent term on this occasion.
 - As John is under 18 years old, his parents should accept the consent term on his behalf; hence, it will be considered as a proxy consent.

Right
 - After the Data Subject's parents decide to agree with the consent terms, the data subject will have all the LGPD foreseen rights. The Data Subject should require their rights using his parents as a proxy.
 - The consent revocation:
     - should not impact the other rights;
     - may prevent the student from enrolling if a professor required the transcript as indispensable information;
     - may prevent the student from contributing to a work group (for instance, if the professor needs the student's course name to prepare any specific material, a student who revokes the consent should not be able to participate in the group generation)
 
 
Deontic Operator
 - The Data Subject has the permission to call for any action related to his rights
 - The Data Controller is obligated to abide by the Data Subject solicitations, except when the law says the opposite.
 - The Data Controller is prohibited from using the personal data collected under other circumstances than the ones that are in the consent term
 - Violation and compliance will be explored in the extended scenarios at the end of this notebook



However, suddenly the Data Subject decided to revoke his consent before the classes had started.
The following figure depicts this macro scenario process.

![Scenario2_Process](./img/Scenario2_Process.png "Process 2")
Fig.5 - Macro Scenario Process.

Moreover, four other cause-effect scenarios were explored in order to show some possibilities regarding the data subject's rights.

The goal is to create a scenario with Prolog to explore the facts in different time ranges and some cause-effect scenarios. This notebook tries to keep to general facts that could occur in any domain. Domain-specific facts were not explored.
 
*PS-1: The timestamp is used to provide the time spectrum. The following tool was used to convert human-readable time to a timestamp and back: https://www.epochconverter.com/ - 180 days is equivalent to adding the value 15811200 to the timestamp.*

*PS-2: To help the usage of timestamp, we considered the following association.*
- *Wednesday, May 26, 2021 1:21:00 PM = 1622035260*
- *Friday, November 26, 2021 1:07:55 PM = 1637846460*
- *Saturday, June 26, 2021 1:07:55 PM = 1624712875*

 
 ---------

### Scene 1: Set consent term.

The first step is the consent setup. The consent must have all information described in the LGPD Art. 9. The following method receives all the required information.

**General information (Data Subject, Data Controller, Personal and Sensitive Data)**

The **Data Subject John** allows the **Data Controller University XYZ** to access, store, and process his **transcripts** and **personal information** in order to **improve the class dynamics**, **allowing professors to design the class activities better**. 

**Data Controller collection, processing, and storing guidelines**

Such information will be shared with the university's employees under strict governance policies that guarantee that only the information required to execute their functions will be shared. The employees will answer for any unauthorized data access, leak, or other activity that may expose or cause any loss to the data subject. **The transcripts will be available to professors to whose classes the data subject has subscribed.** No information will be made publicly available without prior consent acceptance.

**Processing and storing time**

The personal and sensitive data will be available, stored, and processed while the data subject has an active registration number in the university. **A new consent term will be required in two situations:**
 - in a new term, i.e., when the data subject has to subscribe to a new discipline, and
 - when the data subject finishes his/her course

**Consent expiration date**
Therefore, this **consent term is valid for one term**, and must be renewed by term. In Brazil, each term is represented by a semester, i.e., six months.

Last but not least, if the data subject is not an adult, i.e., if the data subject is under eighteen years old in Brazil, the data subject must be represented by one of his/her parents, or a person legally in charge. This representation will be automatically changed when the data subject becomes considered as an adult.

**Security measures**
University XYZ will apply **cryptographic algorithms** and **access policies** to avoid data breaches and unauthorized access. The personal and sensitive data will be **stored in a private cloud** where University XYZ has complete control of the applied technologies.

**Third-party data sharing**
The Data Controller is not allowed to **share** the Data Subject data, except for cases that the government requires such data.

**Contact information**
To make any request, please use the Data Controller communication channel by **email lgpd@universityxyz.br**.


PS: If requested, the Data Controllers must always inform whether they are processing the personal data.


In [1]:
% Description: This function defines a consent term including all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form 
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applied
%  vii. Communication channel for the data subject to request any information
% viii. Data Controller contact
%   ix. Cryptography Algorithm
%    x. Access Policies
%   xi. Storage Platform


createConsentTerm(DC,DS,PData,SData,Purpose,
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact,
                CA, AP, SP) :-

                assertz(dataSubject(DS)),
                assertz(dataController(DC)),
                assertz(personalData(DS,PData)),
                assertz(sensitiveData(DS, SData)),
                assertz(purpose(DC,DS,Purpose)),
                assertz(specificPurpose(DC,DS,Purpose,SpecificPurpose)),
                assertz(form(DC,DS,Purpose,SpecificPurpose,Form)),
                assertz(timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength)),
                assertz(thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,
                                                    TimeLength,ThirdPartyPurpose)),
                assertz(channelToProvideInformation(DC,DS,Channel,DCContact)),
                assertz(criptographyAlgoritm(CA)),
                assertz(accessPolitics(AP)),
                assertz(storagePlatform(SP)).



In [2]:
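% This call defines a consent term with the given parameters.
% Note: SHA-256 is a hash function, not an encryption algorithm; on its own it
% does not keep stored data confidential.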

?- createConsentTerm(universityXYZ,'John','john@mail.com','transcripts','improve_class_dynamics',
                'design_class_activities',
                'statistic_analysis',
                15811200,
                'none',
                'e-mail',
                'lgpd@universityxyz.br',
                'SHA256',
                'Authorized employees can access the data only',
                'University XYZ private cloud').

true.

In [3]:
% This function defines the right to request processing confirmation to the Data Subject

dsRight(processingConfirmation,dataSubject('John'),dataController(universityXYZ)).
?- assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Observe','Permission',1622035260)).

true.

 ---------

### Scene 2: Data Subject agrees with the consent term.

First, the Data Subject verifies whether all the crucial elements are described in the consent term presented by the Data Controller. If so, the program will record that the consent term is ok, i.e., it has all the required information.

In [4]:
% Description: This function verifies if a consent term includes all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form 
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applied
%  vii. Communication channel for the data subject to request any information
% viii. Data Controller contact

checkConsentTerm(dataController(DC),
                dataSubject(DS),
                purpose(DC,Purpose),
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact,
                Date) :-
    (
        form(DC,DS,Purpose,SpecificPurpose,Form),
        timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength),
        thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,TimeLength,ThirdPartyPurpose),
        channelToProvideInformation(DC,DS,Channel,DCContact),
        purpose(DC,DS,Purpose),
        specificPurpose(DC,DS,Purpose,SpecificPurpose),
        assertz(consentTermStatus(dataController(DC),dataSubject(DS),status('Valid'))),
        assertz(log('Data Subject verified the consent term and it was ok','Observe','Obligation',Date))
    ).



In [5]:
% This call returns true if the consent term is ok, or false if not.

?- checkConsentTerm(dataController(universityXYZ),
                        dataSubject('John'),
                        purpose(universityXYZ,'improve_class_dynamics'),
                        'design_class_activities',
                        'statistic_analysis',
                        15811200,
                        'none',
                        'e-mail',
                        'lgpd@universityxyz.br',
                        1622035260).

true.

So, if the consent term is ok, the Data Subject can inform that he/she agrees with the consent term.

Hence, the Data Controller can collect, store and process the Data Subject's data.

In [6]:
% Description: This function sets that the Data Subject agreed with the consent term.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Request Format (Direct/Express or Proxy/Tacit)
%    v. Personal Data
%   vi. Sensitive Data
%  vii. Start Date - Timestamp
% viii. End Date - Timestamp

setThatdsAgreeWithConsentTerms(id(ID),dataSubject(DS),
                                dataController(DC),
                                requestFormat(RF,DS,PLC),
                                personalData(DS,PData),
                                sensitiveData(DS,SData),
                                startDate(StartTS),
                                endDate(EndTS)) :-
    consentTermStatus(dataController(DC),dataSubject(DS),status('Valid')),
    
    assertz(origin(id(ID),dataSubject(DS),dataController(DC),requestFormat(RF,DS,PLC))),
    assertz(requestFormat(RF,DS,PLC)),
    
    assertz(dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Subject agrees with consent term','Comunicate','Compliance',StartTS)),

    assertz(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can collect the Data Subject information','Observe','Permission',StartTS)),
    
    assertz(dcIsStoringDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can store the Data Subject information','Observe','Permission',StartTS)),
        
    assertz(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can process the Data Subject information','Observe','Permission',StartTS)).



In [7]:
% This call returns true in case of success.
% EndDate is computed before the call so that the asserted facts store a bound end date.

?- EndDate is 1622035260+15811200,
   setThatdsAgreeWithConsentTerms(id(10),
                                dataSubject('John'),
                                dataController(universityXYZ),
                                requestFormat('Proxy','John','Mary'),
                                personalData('John','john@mail.com'),
                                sensitiveData('John','transcripts'),
                                startDate(1622035260),
                                endDate(EndDate)).

EndDate = 1637846460 .

Now, the Data Controller can collect, store and process the Data Subject's data.

In [8]:
?- dcIsCollectingDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                        startDate(1622035260),endDate(1637846460)),
                        
dcIsProcessingDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                        startDate(1622035260),endDate(1637846460)),
                    
dcIsStoringDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                        startDate(1622035260),endDate(1637846460)).

true.
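
The facts asserted in Scene 2 record a start and an end date, and the consent term is valid for one term only, so any moment can be checked against that window. The block below is an added example, not part of the original notebook: the predicates `processingStatusAt/4`, `classifyWindow/4` and `summarise/2` are hypothetical, and the facts (including the second data subject 'Ana' and consent id 11) are constructed. It also flags grants stored with an unbound date, which would otherwise unify with any end date a query supplies.

```prolog
% Added example, not part of the original notebook.
:- use_module(library(lists)).
:- dynamic consentTermStatus/3, dcIsProcessingDSData/7.

% Constructed facts in the shape Scene 2 asserts. 'John' mirrors consent id 10;
% 'Ana' is a constructed data subject whose grant has an unbound end date.
consentTermStatus(dataController(universityXYZ), dataSubject('John'), status('Valid')).
consentTermStatus(dataController(universityXYZ), dataSubject('Ana'), status('Valid')).

dcIsProcessingDSData(id(10), dataController(universityXYZ), dataSubject('John'),
                     personalData('John', 'john@mail.com'),
                     sensitiveData('John', 'transcripts'),
                     startDate(1622035260), endDate(1637846460)).
dcIsProcessingDSData(id(11), dataController(universityXYZ), dataSubject('Ana'),
                     personalData('Ana', 'ana@mail.com'),
                     sensitiveData('Ana', 'transcripts'),
                     startDate(1622035260), endDate(_)).

% classifyWindow(+Start, +End, +Now, -Status)
% Classifies one processing grant against the moment Now.
classifyWindow(Start, End, _, malformed_grant) :-
    ( \+ integer(Start) ; \+ integer(End) ), !.
classifyWindow(Start, _, Now, not_yet_started) :- Now < Start, !.
classifyWindow(_, End, Now, expired) :- Now > End, !.
classifyWindow(_, _, _, allowed).

% summarise(+Statuses, -Status)
% One grant that covers Now is enough; otherwise report the first problem found.
summarise([], no_processing_grant).
summarise(Statuses, allowed) :- memberchk(allowed, Statuses), !.
summarise([First|_], First).

% processingStatusAt(+DC, +DS, +Now, -Status)
% Status is one of: allowed, expired, not_yet_started, malformed_grant,
% no_processing_grant, no_valid_consent.
processingStatusAt(DC, DS, Now, Status) :-
    (   \+ consentTermStatus(dataController(DC), dataSubject(DS), status('Valid'))
    ->  Status = no_valid_consent
    ;   findall(S,
                ( dcIsProcessingDSData(_, dataController(DC), dataSubject(DS), _, _,
                                       startDate(Start), endDate(End)),
                  classifyWindow(Start, End, Now, S) ),
                Statuses),
        summarise(Statuses, Status)
    ).

% Check a moment inside the term, one second after it ends, a malformed grant,
% and a data subject ('Bob', constructed) with no consent on record.
main :-
    forall(member(DS-Now, ['John'-1624712875, 'John'-1637846461,
                           'Ana'-1624712875, 'Bob'-1624712875]),
           ( processingStatusAt(universityXYZ, DS, Now, Status),
             format("~w at ~d: ~w~n", [DS, Now, Status]) )).

:- initialization(main).
```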

---------

### Scene 3: Defining the Data Subject's rights.

According to the LGPD Art. 18, when the Data Subject is sharing data with a Data Controller, he/she has the following rights:
1. Data Access
2. Data Copy
3. Data Correction
4. Data Anonymization
5. Data Portability
6. Data Deletion
7. Information regarding the data sharing with a third party
8. Request consent revocation.

In [9]:
% Description: This function sets all the Data Subject's rights foreseen in the LGPD.
% This function receives the params:
%   i. Data Subject
%  ii. Data Controller
% iii. Start Date - Timestamp

setDSRights(dataSubject(DS),dataController(DC),startDate(StartTS)) :-
    assertz(dsRight(dataAccess,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataCopy,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataCorrection,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataAnonymization,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataPortability,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataDeletion,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataSharingInformation,dataSubject(DS),dataController(DC))),
    assertz(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject can now have all foressen rights','Observe','Permission',StartTS)).



In [10]:
% This call returns true if all the Data Subject's rights were associated with him/her.

?- setDSRights(dataSubject('John'),dataController(universityXYZ),startDate(1622035260)).

true.

 ---------

### Scene 4: Data Subject's consent revocation.

As mentioned in the scenario's description, the Data Subject decides to revoke his/her consent.
The Data Subject considered that the purpose limitation is not adequate. 

Moreover, as the Data Subject is under 18 years old, a legal person in charge must send the revocation request on his/her behalf.

Once performed, the action of requesting the consent revocation cannot be executed again, and the Data Controller is forbidden from continuing to collect the Data Subject's data.

In [11]:
% Description: This function creates a request by a legal person in charge on the Data Subject's behalf.
% This function receives the params:
%   i. Legal Person in Charge
%  ii. Data Subject
% iii. Request

% Underscore-prefixed names avoid singleton-variable warnings in this template fact.
lpcRequest(legalPersonInCharge(_LPC),dataSubject(_DS),request).



In [12]:
lpcRequest(legalPersonInCharge('Mary'),dataSubject('John'),'Request consent revocation').



In [13]:
?- dsRight(requestConsentRevocation,dataSubject('John'),dataController(universityXYZ)).

true.

In [14]:
% Description: This function revokes the Data Controller's action of collecting the Data Subject's data.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Personal Data
%    v. Sensitive Data
%   vi. Now - Timestamp of the request
%  vii. Start Date - Timestamp
% viii. End Date - Timestamp

setDSRevokeConsent(id(ID),
                    dataSubject(DS),
                    dataController(DC),
                    personalData(DS,PData),
                    sensitiveData(DS,SData),
                    now(Date),
                    startDate(StartTS),
                    endDate(EndTS)                    
                    ) :-
    
    requestFormat('Direct',DS,'null'),                
    not(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject tried to revoke his/her consent, but fail','Observe','Prohibition',Date));
    
    requestFormat('Direct',DS,'null'),   
    retract(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject requested to the Data Controller to revoke his/her consent','Comunicate','Permission',Date)),
    
    retract(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot collect the Data Subject information','Comunicate','Prohibition',Date)),
    
    retract(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot process the Data Subject information','Comunicate','Prohibition',Date)),
    
    retract(consentTermStatus(dataController(DC),dataSubject(DS),status('Valid'))),
    assertz(consentTermStatus(dataController(DC),dataSubject(DS),status('Invalid'))),
    assertz(log('From now, consent is not valid to be used by the data controller','Observe','Prohibition',Date)).

    



In [15]:
% Description: This function requires the legal person in charge to revoke the Data Controller's action of collecting the Data Subject's data.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Legal Person in Charge
%    v. Personal Data
%   vi. Sensitive Data
%  vii. Now - Timestamp of the request
% viii. Start Date - Timestamp
%   ix. End Date - Timestamp

setDSRevokeProxyConsent(id(ID),
                    dataSubject(DS),
                    dataController(DC),
                    legalPersonInCharge(LPC),
                    personalData(DS,PData),
                    sensitiveData(DS,SData),
                    now(Date),
                    startDate(StartTS),
                    endDate(EndTS)                    
                    ) :-
    
    not(requestFormat('Direct',DS,'null')),
    not(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject tried to revoke his/her consent, but fail','Observe','Prohibition',Date));
    
    not(requestFormat('Direct',DS,'null')),
    lpcRequest(legalPersonInCharge(LPC),dataSubject(DS),'Request consent revocation'),
    assertz(log('This is not a Direct consent, so a Legal Person in Charge must to request the consent revocation','Comunicate','Obligation',Date)),
    
    retract(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject requested to the Data Controller to revoke his/her consent','Comunicate','Permission',Date)),
    
    retract(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot collect the Data Subject information','Comunicate','Prohibition',Date)),
    
    retract(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot process the Data Subject information','Comunicate','Prohibition',Date)),
    
    retract(consentTermStatus(dataController(DC),dataSubject(DS),status('Valid'))),
    assertz(consentTermStatus(dataController(DC),dataSubject(DS),status('Invalid'))),
    assertz(log('From now, consent is not valid to be used by the data controller','Observe','Prohibition',Date)).

    



In [16]:
% This call stores the Data Subject's motivation to request the consent revocation.
?- assertz(log('Data Subject considered that the purpose limitation is not adequate','Comunicate','Permission',1624712875)).

% This call returns true if the Data Subject's request was performed successfully.
?- setDSRevokeProxyConsent(id(10),
                        dataSubject('John'),
                        dataController(universityXYZ),
                        legalPersonInCharge('Mary'),
                        personalData('John','john@mail.com'),
                        sensitiveData('John','transcripts'),
                        now(1624712875),
                        startDate(1622035260),
                        endDate(EndDate)
                        ), 
                        EndDate is 1622035260+15811200.
    

true.
EndDate = 1637846460 .

Therefore, the consent revocation request, motivated by disagreement with the purpose of data collection, impacts many LGPD relationships, as depicted in Figure 6.

![RootScenarioImpact](./img/RootScenarioImpact.png "Root Scenario Impact")
Fig.6 - Consent Revocation Impact.

The red entities were impacted, directly or indirectly, when the consent was revoked. First, the data controller must stop collecting personal data immediately. Next, the data controller must update the sharing policies and access restrictions to prevent unauthorized access or new data processing. In addition, the consent status changes to "invalid", as the controller cannot use this consent anymore.

 ---------

### Performing explanation exercises regarding possible scenarios

Here, we ask questions regarding access confirmation, rights compliance, and information about the consent term. These questions exercise the data subject's and the controller's understanding of possible scenarios during the relationship between these two actors.


Is the fiocruz data controller using the data subject Paulo's data? 

Expected: As the Data Subject requested to revoke his consent, the data controller is **prohibited** from continuing to use the Data Subject's data.

In [17]:
?- dcIsProcessingDSData(id(10),dataController(universityXYZ),dataSubject('John'),personalData('John',PData),sensitiveData('John',SData),startDate(1622035260),endDate(1637846460)).

false.

Why?

In [18]:
?- log(Event,'Comunicate',Type, 1624712875).

Event = Data Subject considered that the purpose limitation is not adequate, Type = Permission ;
Event = This is not a Direct consent, so a Legal Person in Charge must to request the consent revocation, Type = Obligation ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Type = Permission ;
Event = From now, the Data Controller cannot collect the Data Subject information, Type = Prohibition ;
Event = From now, the Data Controller cannot process the Data Subject information, Type = Prohibition .

What are the Data Subject's rights right now?

Expected: As the Data Subject requested to revoke his consent, he is **prohibited** from creating such a request again, even though he has **permission** to request the other rights foreseen by the LGPD.

In [19]:
?- dsRight(RIGHT,dataSubject('John'),dataController(universityXYZ)).

RIGHT = processingConfirmation ;
RIGHT = dataAccess ;
RIGHT = dataCopy ;
RIGHT = dataCorrection ;
RIGHT = dataAnonymization ;
RIGHT = dataPortability ;
RIGHT = dataDeletion ;
RIGHT = dataSharingInformation .

Can all items from art. 9 be informed?

In [20]:
?- specificPurpose(universityXYZ,'John','improve_class_dynamics',SPECIFICPURPOSE).

SPECIFICPURPOSE = design_class_activities .

In [21]:
?- timeLength(universityXYZ,'John','improve_class_dynamics', 'design_class_activities',TimeRange).

TimeRange = 15811200 .

Who is collecting the Data Subject's personal data, and what are the respective data?

In [22]:
?- dcIsCollectingDSData(id(ID),dataController(DC),dataSubject('John'),personalData('John',PData),sensitiveData('John',SData),startDate(1622035260),endDate(1637846460)).

false.

Why?

In [23]:
?- log(Event,'Comunicate',Type, 1624712875).

Event = Data Subject considered that the purpose limitation is not adequate, Type = Permission ;
Event = This is not a Direct consent, so a Legal Person in Charge must to request the consent revocation, Type = Obligation ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Type = Permission ;
Event = From now, the Data Controller cannot collect the Data Subject information, Type = Prohibition ;
Event = From now, the Data Controller cannot process the Data Subject information, Type = Prohibition .

Who is storing the Data Subject's personal data, and what are the respective data?

Expected: Although the Data Subject requested to revoke his consent, he did not request data deletion, so the Data Controller is **permitted** to store his data.

In [24]:
?- dcIsStoringDSData(id(ID),dataController(DC),dataSubject('John'),personalData('John',PData),sensitiveData('John',SData),startDate(1622035260),endDate(1637846460)).

ID = 10, DC = universityXYZ, PData = john@mail.com, SData = transcripts .

Show all events.

In [25]:
?- log(Event,Type,DeonticOperator,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Type = Observe, DeonticOperator = Obligation, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Type = Comunicate, DeonticOperator = Compliance, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not adequate, Type = Comunicate,

----

#### Cause-effect: How to evidence when the Data Controller did not respect the consent revocation?

Let's picture that the Data Controller did not respect the Data Subject's request and is still collecting the Data Subject's data. In such a scenario, fines must be applied.

<div>
<img src="./img/Scenario2.1_Process.png" width="600"/>
</div>
Fig.7 - Consent Revocation Scenario Process.

In [26]:
% This fact states that the Data Controller is collecting the Data Subject's data.

dcIsCollectingDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                        startDate(1622035260),endDate(1637846460)).



So, the data controller is now collecting data without authorization, which has been **prohibited** since the data subject requested consent revocation. The following command checks the environment facts and inserts the rights **violation** in the log.

In [27]:
% This command:
%   (i) verifies if the Data Controller is collecting the Data Subject's data;
%  (ii) verifies if there is no consent with a valid status
% (iii) verifies in the log if the Data Subject requested consent revocation;
%  (iv) if all previous verifications are true, insert in the log that the Data Controller did not respect 
%       the Data Subject's will.

?- dcIsCollectingDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                        startDate(1622035260),endDate(1637846460)),
                        
    not(consentTermStatus(dataController(universityXYZ),dataSubject('John'),status('Valid'))),
    
    log('Data Subject requested to the Data Controller to revoke his/her consent','Comunicate','Permission',1624712875),
    
    assertz(log('Data Controller did not respect the consent revocation requested by the Data Subject, 
                and still processing. Thus, fines should be applied','Comunicate','Violation',1624712875)).

true.

In this sense, the program log should help the Data Subject to create evidence of his/her requests. The log will show that the consent was revoked and the Data Controller **violated** the Data Subject's will.

In [28]:
?- log(Event,Type,DeonticConcept,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Observe, DeonticConcept = Permission, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Type = Observe, DeonticConcept = Obligation, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Type = Comunicate, DeonticConcept = Compliance, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Type = Observe, DeonticConcept = Permission, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Type = Observe, DeonticConcept = Permission, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Type = Observe, DeonticConcept = Permission, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Type = Observe, DeonticConcept = Permission, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not adequate, Type = Comunicate, Deonti

Moreover, Figure 6 may also be used to check whether the consent revocation was properly handled. If there is no modification in the red entities, something is not in compliance with the LGPD.
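The check in In [27] is written for one controller and one data subject. The following added example (not part of the original notebook) generalizes it into a rule over every collecting or processing fact, assuming SWI-Prolog; the second data subject 'Ana', the helper predicates `activity/5`, `revocationViolation/4` and `recordRevocationViolations/1`, and the consent-window test are assumptions of the example.

```prolog
% Added example, not the notebook's own code. Assumes SWI-Prolog.
:- use_module(library(apply)).   % foldl/4

:- dynamic dcIsCollectingDSData/7, dcIsProcessingDSData/7,
           consentTermStatus/3, log/4.

% --- Constructed sample state ---------------------------------------------
% John: consent revoked (status 'Invalid'), yet a collecting fact exists.
% Ana (hypothetical second data subject): consent still 'Valid'.
dcIsCollectingDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                     personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                     startDate(1622035260),endDate(1637846460)).
dcIsCollectingDSData(id(12),dataController(universityXYZ),dataSubject('Ana'),
                     personalData('Ana','ana@mail.com'),sensitiveData('Ana','transcripts'),
                     startDate(1622035260),endDate(1637846460)).

consentTermStatus(dataController(universityXYZ),dataSubject('John'),status('Invalid')).
consentTermStatus(dataController(universityXYZ),dataSubject('Ana'),status('Valid')).

log('Data Subject requested to the Data Controller to revoke his/her consent',
    'Comunicate','Permission',1624712875).

% --- Detection rules --------------------------------------------------------
% activity(?Kind, ?DC, ?DS, ?Start, ?End): any collecting or processing fact.
activity(collecting, DC, DS, Start, End) :-
    dcIsCollectingDSData(_,dataController(DC),dataSubject(DS),_,_,
                         startDate(Start),endDate(End)).
activity(processing, DC, DS, Start, End) :-
    dcIsProcessingDSData(_,dataController(DC),dataSubject(DS),_,_,
                         startDate(Start),endDate(End)).

% revocationViolation(?Kind, ?DC, ?DS, ?RevokedAt)
% The same three checks as In [27], for every controller/subject pair:
%   (i)   an activity fact exists,
%   (ii)  there is no consent with status 'Valid',
%   (iii) a consent revocation request is in the log.
% The notebook's log text names no actor, so the revocation is tied to the
% activity by requiring it to fall inside that consent window (assumption).
revocationViolation(Kind, DC, DS, RevokedAt) :-
    activity(Kind, DC, DS, Start, End),
    \+ consentTermStatus(dataController(DC),dataSubject(DS),status('Valid')),
    log('Data Subject requested to the Data Controller to revoke his/her consent',
        'Comunicate','Permission',RevokedAt),
    Start =< RevokedAt,
    RevokedAt =< End.

% recordRevocationViolations(-Added)
% Writes one 'Violation' log entry per distinct finding. Running it twice
% adds nothing the second time, so the evidence log is not inflated.
recordRevocationViolations(Added) :-
    findall(v(Kind,DC,DS,At), revocationViolation(Kind,DC,DS,At), Found),
    sort(Found, Unique),
    foldl(recordViolation, Unique, 0, Added).

recordViolation(v(Kind,DC,DS,At), N0, N) :-
    format(atom(Event),
           'Data Controller ~w is still ~w the data of ~w after consent revocation',
           [DC,Kind,DS]),
    (   log(Event,'Comunicate','Violation',At)
    ->  N = N0
    ;   assertz(log(Event,'Comunicate','Violation',At)),
        N is N0 + 1
    ).

% Example queries:
% ?- revocationViolation(Kind, DC, DS, RevokedAt).
% ?- recordRevocationViolations(Added), log(Event,'Comunicate','Violation',Date).
```

Because the generated log entry names the controller and the data subject, it can be matched to a specific consent later, which the free-text entries of the notebook do not allow.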

In [29]:
% Resetting scenario
?- retract(dcIsCollectingDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                        startDate(1622035260),endDate(1637846460))),
                        
    retract((log('Data Controller did not respect the consent revocation requested by the Data Subject, 
                and still processing. Thus, fines should be applied','Comunicate','Violation',1624712875))).

true.

----
#### Cause-effect: Data breach, what to do? 

The Data Controller must inform the national authority and the Data Subject when a data breach occurs that may cause risks or damage to the Data Subject.

Such communication has to be done as soon as possible and should inform:
- personal data category
- what data were leaked
- what were the technical and security measures used to protect data
- the risks related to the incident
- what the data controller will do to revert or mitigate the damage

Depending on the incident severity, the Data Controller will have to disclose such an event in high-impact communication media.

In this sense, let's picture that the Data Controller suffered a hacker attack and the Data Subject's personal data were leaked on social media, and he is receiving a few calls from different numbers. So, the Data Controller is **obligated to** report the incident to the ANPD and inform the Data Subject that his phone number was leaked. 

Even though the Data Subject has revoked his consent, he has to be informed of the data breach, as his data is still in the Data Controller's database.

![Scenario2_DataBreach](./img/Scenario2_DataBreach.png "Process 2.2")
Fig.8 - Data Breach Scenario Process.

Thus, let's translate this scenario into Prolog facts.

First, once UniversityXYZ finds out that there is a data breach, the ANPD and the data subjects involved have to be informed about it.


In [30]:
log('Data Controller UniversityXYZ triggered an alert to ANPD and to all data subjects affected by
    the data breach informing that all e-mails were exposed','Comunicate','Obligation',1624712870).



Next, UniversityXYZ has to explain the security measures it had adopted to avoid a data breach. 

In [31]:
log('Data Controller UniversityXYZ informed the security measures to do not let data breach occurs',
    'Comunicate','Obligation',1624712871).



Then, UniversityXYZ fixes the vulnerability and informs the data subjects as well.

In [32]:
log('Data Controller UniversityXYZ informed that the vulnerability was found 
    and there is no unauthorized access anymore','Comunicate','Compliance',1624712872).



Furthermore, UniversityXYZ informs the Data Subjects that a technical group is available to help anyone who has had trouble caused by this incident.

In [33]:
log('Data Controller UniversityXYZ created a technical team to help any data subject 
    that have had issues with this incident','Comunicate','Obligation',1624712873).



As the log shows, this case can end in many different ways depending on the damage caused to the data subjects involved. Here, as the data subject received just a few calls and the damage was low, he decided not to enter into a dispute to obtain compensation, even though the data controller has **violated** the Data Subject's privacy.

Moreover, if the Data Controller omits any fact when informing the Data Subjects about unauthorized access, or neglects system security, fines should be applied to the Data Controller.

Last but not least, if the Data Controller notices a data breach, or once it is informed of one, it has to act immediately. **LGPD Art. 48**

In [34]:
?- log(Event,Type,DeonticOperator,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Type = Observe, DeonticOperator = Obligation, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Type = Comunicate, DeonticOperator = Compliance, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not adequate, Type = Comunicate,

Therefore, the data breach impacts many LGPD relationships as depicted in Figure 9.


![DataBreachImpact](./img/DataBreachImpact.png "Data Breach Impact")
Fig.9 - Data Breach Impact.

First, as mentioned before, all impacted agents must be informed of a data breach event. This message must contain the security methods and the storage technologies applied to avoid a data breach. However, this is an event that could trigger other impacts. For instance, after a data breach, the data subject could enter into a dispute resolution claiming discrimination, loss, and unauthorized use of his/her data. 

Furthermore, the Data Subject might request changes to the consent term, impacting the sharing policies and access restrictions. Also, the Data Subject might request consent revocation or data deletion, which affects data collecting, processing, and storing.

In [35]:
% Resetting scenario
?- retract(log('Data Controller UniversityXYZ triggered an alert to ANPD and to all data subjects affected by
    the data breach informing that all e-mails were exposed','Comunicate','Obligation',1624712870)).
    
?- retract(log('Data Controller UniversityXYZ informed the security measures to do not let data breach 
    occurs','Comunicate','Obligation',1624712871)).
                        
?- retract(log('Data Controller UniversityXYZ informed that the vulnerability was found 
    and there is no unauthorized access anymore','Comunicate','Compliance',1624712872)).
    
?- retract(log('Data Controller UniversityXYZ created a technical team to help any data subject 
    that have had issues with this incident','Comunicate','Obligation',1624712873)).

true.
true.
true.
true.

----
#### Cause-effect: How to get evidences that the Data Controller leaked the Data Subject's data? 

To create concrete evidence that a Data Controller leaked a Data Subject's data, it is first important to verify who has such data. If there is just one Data Controller legally storing such data, the chances that this Data Controller leaked the personal data are higher.

Moreover, the data controller is **obligated** to inform whether personal or sensitive data is stored in its database. The data subject can request such information from each data controller.

Last but not least, the data subject should check the consent term to verify whether any clause or condition permits the data controller to share data with others. If the data subject disagrees with such a clause, he is **permitted** to revoke the consent term at any time.

![Scenario2.2_Process](./img/Scenario2.2_Process.png "Process 2.2")
Fig.10 - Data Leak Process.

In [36]:
% This command verifies who is storing John's personal and sensitive data.

?- dcIsStoringDSData(id(ID),dataController(DataController),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                    startDate(1622035260),endDate(1637846460)).

ID = 10, DataController = universityXYZ .

Now, let's picture that the Data Controller UniversityABC has John's data.

In [37]:
dcIsStoringDSData(id(null),dataController(universityABC),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                    startDate(1622035260),endDate(1637846460)).



In [38]:
% These commands:
%   (i) verify if the Data Controller is storing the Data Subject's data;
%  (ii) verify if there is any evidence that the Data Subject allowed the Data Controller to process his/her data;
% (iii) if (i) is true and no evidence is found in (ii), insert in the log that the Data Controller was not allowed 
%       to collect the Data Subject's data.

%(i)
?- dcIsStoringDSData(id(null),dataController(universityABC),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                    startDate(1622035260),endDate(1637846460)).

%(ii)
?- dsAgreeWithConsentTerms(dataSubject('John'),dataController(universityABC),startDate(1622035260),endDate(1637846460)).
   
%(ii)
?- consentTermStatus(dataController(universityXYZ),dataSubject('John'),status('Valid')).

%(iii)
?- assertz(log('Data Subject did not agree with UniversityABC consent term, so the data was improperly collected, 
    fines should be applied','Observe','Violation',1624712875)).

true.
false.
false.
true.

Therefore, the event log will show that there is no consent agreement between John and UniversityABC. 

Hence, UniversityABC was **prohibited** from using such data, i.e., the data was improperly collected. 
Moreover, as UniversityXYZ is the only Data Controller legally storing John's data, UniversityXYZ probably **violated** the consent term, on purpose or not, and the data was leaked from UniversityXYZ to UniversityABC.

Moreover, this scenario presents the same possible impacts depicted in Figure 9 for the previous scenario.
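The reasoning above (find who stores the data, separate holders with and without a consent agreement, then look for a single legitimate holder) can be written as one reusable query. This is an added example, not part of the original notebook, and assumes SWI-Prolog; the `dsAgreeWithConsentTerms/4` shape is taken from the In [38] query, while the helper predicates and verdict atoms are assumptions of the example.

```prolog
% Added example, not the notebook's own code. Assumes SWI-Prolog.
:- use_module(library(lists)).   % member/2

:- dynamic dcIsStoringDSData/7, dsAgreeWithConsentTerms/4.

% --- Constructed sample state: the situation after In [37] -----------------
dcIsStoringDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                  personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                  startDate(1622035260),endDate(1637846460)).
dcIsStoringDSData(id(null),dataController(universityABC),dataSubject('John'),
                  personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                  startDate(1622035260),endDate(1637846460)).

% Only universityXYZ has a consent agreement with John.
dsAgreeWithConsentTerms(dataSubject('John'),dataController(universityXYZ),
                        startDate(1622035260),endDate(1637846460)).

% --- Who holds what, and on which basis -------------------------------------
% stores(?DC, ?DS, ?Item): DC stores Item (personal or sensitive) about DS.
stores(DC, DS, Item) :-
    dcIsStoringDSData(_,dataController(DC),dataSubject(DS),
                      personalData(DS,PData),sensitiveData(DS,SData),_,_),
    (   Item = PData
    ;   Item = SData
    ).

holder(DC, DS) :-
    dcIsStoringDSData(_,dataController(DC),dataSubject(DS),_,_,_,_).

agreed(DC, DS) :-
    dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC),_,_).

% A legitimate holder stores data and has a consent agreement on record.
% An unauthorized holder stores data without any agreement.
legitimateHolder(DC, DS)   :- holder(DC, DS), agreed(DC, DS).
unauthorizedHolder(DC, DS) :- holder(DC, DS), \+ agreed(DC, DS).

% candidateSource(?DS, ?Unauthorized, ?Source)
% Source is a legitimate holder that stores at least one item identical to
% an item held by the unauthorized controller.
candidateSource(DS, Unauthorized, Source) :-
    legitimateHolder(Source, DS),
    stores(Unauthorized, DS, Item),
    stores(Source, DS, Item).

% leakAssessment(?DS, ?Unauthorized, -Sources, -Verdict)
% One solution per unauthorized holder; fails when there is none.
leakAssessment(DS, Unauthorized, Sources, Verdict) :-
    setof(U, unauthorizedHolder(U, DS), Unauthorizeds),
    member(Unauthorized, Unauthorizeds),
    findall(S, candidateSource(DS, Unauthorized, S), Found),
    sort(Found, Sources),
    verdict(Sources, Verdict).

% With exactly one legitimate holder of the same data, that holder is the
% probable origin; with several, the log alone cannot single one out.
verdict([],      source_unknown).
verdict([Only],  probable_source(Only)).
verdict([_,_|_], several_possible_sources).

% Example query:
% ?- leakAssessment('John', Unauthorized, Sources, Verdict).
```

The `several_possible_sources` verdict marks the case where the notebook's argument no longer holds: once two controllers legitimately store the same item, the fact base alone does not identify the origin.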

In [39]:
?- log(Event,Type,DeonticOperator,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Type = Observe, DeonticOperator = Obligation, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Type = Comunicate, DeonticOperator = Compliance, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Type = Observe, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not adequate, Type = Comunicate,

In [40]:
% Resetting scenario
?- retract(log('Data Subject did not agree with UniversityABC consent term, so the data was improperly collected, 
    fines should be applied','Observe','Violation',1624712875)),
    
    retract(dcIsStoringDSData(id(null),dataController(universityABC),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                    startDate(1622035260),endDate(1637846460))).

true.

----
#### Cause-effect: Requesting data correction

Data correction is one of the Data Subject's rights foreseen in the LGPD from the moment the consent term is accepted.
Even if the Data Subject revokes his/her consent, the data will not be deleted; an express data deletion request is required.

So, in order to check whether the data correction request was fulfilled, the Data Subject should exercise another right: data access.

The data controller is **obligated** to abide by the data subject's requests, both for correction and for data access.
Also, the controller is **obligated** to inform all processors regarding the correction.


<div>
<img src="./img/Scenario2.3_Process.png" width="600"/>
</div>
Fig.11 - Data Correction Process.

First, the Data Subject should verify if the Data Controller is storing his/her data.

In [41]:
?- dcIsStoringDSData(id(ID),dataController(universityXYZ),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                    startDate(1622035260),endDate(1637846460)).

ID = 10 .

If true, the Data Subject should have the right to data access and data correction.

In [42]:
?- dsRight(dataAccess,dataSubject('John'),dataController(universityXYZ)),
    dsRight(dataCorrection,dataSubject('John'),dataController(universityXYZ)).

true.

Then, the Data Subject is able to request and verify if the data was changed.

In [43]:
log('Data Subject requested to change his e-mail goodstudent@mail.com','Comunicate','Permission',1624712876).



And the Data Controller executed this correction.

In [44]:
% First, the Data Controller verifies if the Data Subject has the rights required to perform such action.
% Then, it removes the incorrect data and inserts the new data.


?-  dsRight(dataCorrection,dataSubject('John'),dataController(universityXYZ)),

    retract(dcIsStoringDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                    startDate(1622035260),endDate(1637846460))),

    assertz(dcIsStoringDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                    personalData('John','goodstudent@mail.com'),sensitiveData('John','transcripts'),
                    startDate(1622035260),endDate(1637846460))),
    
    assertz(log('Data Controller has to execute the Data Subject s requerst','Observe','Obligation',1624712876)),
        
    assertz(log('Data Controller changed the data as requested by the Data Subject','Comunicate','Compliance',1624712880)),
    
    assertz(log('Data Controller notified all processors regarding the data corretion','Comunicate','Compliance',1624712880)).

true.

Hence, as the data controller fulfilled the data subject's request, it is still in **compliance** with the LGPD. The Data Subject can verify if the data was fixed.

In [45]:
% If the Data Subject has the right to access his/her data, then he/she is able to verify if his/her data was fixed.

?-  dsRight(dataAccess,dataSubject('John'),dataController(universityXYZ)),
    dcIsStoringDSData(id(10),dataController(DataController),dataSubject('John'),
                    personalData('John',Email),sensitiveData('John','transcripts'),
                    startDate(1622035260),endDate(1637846460)),
    assertz(log('Data Subject confirmed that the data was fixed','Observe','Permission',1624712886)).

DataController = universityXYZ, Email = goodstudent@mail.com .

In [46]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1624712876 {-1}.

Event = Data Subject requested to change his e-mail goodstudent@mail.com, Type = Comunicate, DeonticOperator = Permission, Date = 1624712876 ;
Event = Data Controller has to execute the Data Subject s requerst, Type = Observe, DeonticOperator = Obligation, Date = 1624712876 ;
Event = Data Controller changed the data as requested by the Data Subject, Type = Comunicate, DeonticOperator = Compliance, Date = 1624712880 ;
Event = Data Controller notified all processors regarding the data corretion, Type = Comunicate, DeonticOperator = Compliance, Date = 1624712880 ;
Event = Data Subject confirmed that the data was fixed, Type = Observe, DeonticOperator = Permission, Date = 1624712886 .

Therefore, the data correction impacts many LGPD relationships as depicted in Figure 12.

![DataCorrectionImpact](./img/DataCorrectionImpact.png "Data Correction Impact")
Fig.12 - Data Correction Impact.

The data correction impacts data processing and data storage, as the personal or sensitive data were changed. Therefore, Data Controllers and Processors should also verify if the copy requested by the Data Subject is the updated personal and sensitive data.

In [47]:
% Resetting scenario
?-  retract(log('Data Subject requested to change his e-mail goodstudent@mail.com','Comunicate','Permission',1624712876)),
    retract(log('Data Controller has to execute the Data Subject s requerst','Observe','Obligation',1624712876)),
    retract(log('Data Controller changed the data as requested by the Data Subject','Comunicate','Compliance',1624712880)),
    retract(log('Data Subject confirmed that the data was fixed','Observe','Permission',1624712886)),
    retract(log('Data Controller notified all processors regarding the data corretion','Comunicate','Compliance',1624712880)),
    retract(dcIsStoringDSData(id(10),dataController(universityXYZ),dataSubject('John'),
                    personalData('John','goodstudent@mail.com'),sensitiveData('John','transcripts'),
                    startDate(1622035260),endDate(1637846460))).
    %assertz(dcIsStoringDSData(id(10),dataController(universityXYZ),dataSubject('John'),
    %                personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
    %                startDate(1622035260),endDate(1637846460))).

true.

PS: We considered that the professors would use the university's system as a communication channel. Hence, when the data subject's e-mail has been updated, there is no need for notifying professors.

----
#### Cause-effect: Requesting anonymization

Let's picture that the Data Subject is now considered an adult under Brazilian law, i.e., he is above 18 years old, and he must decide whether or not he agrees with the UniversityXYZ consent term.

Still, let's picture that the Data Subject agreed with the consent term, subscribed to the HTML discipline, and requested the data anonymization right. 

This discipline usually has students from computer science and different engineering and design courses; so, the professors require the Data Subject's transcripts to create balanced students' groups.



In [48]:
?- checkConsentTerm(dataController(universityXYZ),
                        dataSubject('John'),
                        purpose(universityXYZ,'improve_class_dynamics'),
                        'design_class_activities',
                        'statistic_analysis',
                        15811200,
                        'none',
                        'e-mail',
                        'lgpd@universityxyz.br',
                        1637846460).

true.

In [49]:
?- setThatdsAgreeWithConsentTerms(id(11),
                                dataSubject('John'),
                                dataController(universityXYZ),
                                requestFormat('Direct','John','null'),
                                personalData('John','john@mail.com'),
                                sensitiveData('John','transcripts'),
                                startDate(1637846460),
                                endDate(EndDate)), EndDate is 1637846460+15811200.

EndDate = 1653657660 .

In [50]:
?- setDSRights(dataSubject('John'),dataController(universityXYZ),startDate(1622035260)).

true.

In [51]:
?- assertz(class(className('HTML_2021.1'),requireTranscript(true),dataSubject('John'),acceptShareInformation(true),startDate(1637846461))),
   assertz(log('Data Subject agrees to share his sensitive data','Comunicate','Permission',1637846461)).

true.

Once the data is anonymized, the Data Controller will not have the resources to give any details about such data, including correction. Hence, if the Data Subject submits this request, he will not be able to participate in this discipline. The data controller is **not obligated** to comply with requests that should involve deidentification actions.

Also, the controller is **obligated** to inform all processors regarding the anonymization.

Here, questions regarding the anonymization algorithms could emerge, but they are not the focus of this work.
This work focuses on understanding the causes and consequences of possible scenarios.


<div>
<img src="./img/Scenario2.4_Process.png" width="600"/>
</div>
Fig.13 - Data Anonymization Process.

First, the Data Subject should show that the Data Controller has his data.

In [52]:
?- dcIsStoringDSData(id(11),dataController(universityXYZ),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                        startDate(1637846460),endDate(1653657660)),
                    
    assertz(log('Data Subject requested to anonymize his data','Comunicate','Permission',1637846462)).

true.

Next, the Data Controller fulfills the Data Subject's request.

In [53]:
?- retract(dcIsStoringDSData(id(11),dataController(universityXYZ),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                        startDate(1637846460),endDate(1653657660))),

    assertz(dcIsStoringDSData(id(_),dataController(universityXYZ),dataSubject(_),
                    personalData(_,_),sensitiveData(_,'anonymized_transcripts'),
                    startDate(1637846460),endDate(1653657660))),

    assertz(log('Data Controller has to execute the Data Subject s request','Delete-Anonymise','Compliance',1637846463)),
    assertz(log('Data Controller has to notify all processors regarding the anonymization request','Delete-Anonymise','Compliance',1637846463)),
    assertz(log('Data Controller anonymized the Data Subjects data','Delete-Anonymise','Compliance',1637846463)),
    assertz(log('Data Subject cannot request data: access, copy, correction,anonymization, 
            portability, deletion, and details of data sharing','Comunicate','Prohibition',1637846463)),
            
    retract(class(className('HTML_2021.1'),requireTranscript(true),dataSubject('John'),acceptShareInformation(true),startDate(1637846461))),
    assertz(log('Data Subject does not accept to share his information anymore','Comunicate','Prohibition',1637846463)),
    
    retract(dsRight(dataAccess,dataSubject('John'),dataController(universityXYZ))),
    retract(dsRight(dataCopy,dataSubject('John'),dataController(universityXYZ))),
    retract(dsRight(dataCorrection,dataSubject('John'),dataController(universityXYZ))),
    retract(dsRight(dataAnonymization,dataSubject('John'),dataController(universityXYZ))),
    retract(dsRight(dataPortability,dataSubject('John'),dataController(universityXYZ))),
    retract(dsRight(dataDeletion,dataSubject('John'),dataController(universityXYZ))),
    retract(dsRight(dataSharingInformation,dataSubject('John'),dataController(universityXYZ))).

 ;
 .

Now, the Data Subject's transcripts are not associated with any personal data that could identify them as belonging to the Data Subject. Hence, the data controller is in **compliance** with LGPD.

In [54]:
?- dcIsStoringDSData(id(_),dataController(universityXYZ),dataSubject(DataSubject),
                    personalData(_,_),sensitiveData(_,'anonymized_transcripts'),
                    startDate(1637846460),endDate(1653657660)).

DataSubject = Variable(70) .
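
The anonymized record above is stored with unbound variables, and an unbound field unifies with any value, so a plain query for a named subject still matches it. The following is an added example, not part of the original notebook, that contrasts such a query with a check that inspects the stored clause; it assumes SWI-Prolog, the facts are constructed samples, and `naiveLinked`, `strictLinked`, `anonymizedRecord` and `yesNo` are hypothetical names.

```prolog
% Added example (assumes SWI-Prolog). Run: swipl -g demo -t halt anon_check.pl
:- dynamic dcIsStoringDSData/7.

% Constructed sample records in the notebook's dcIsStoringDSData/7 shape.
% The first was anonymized as in cell 53 (identifying fields left unbound);
% the second is a still-identified record shaped like the joao scenario.
dcIsStoringDSData(id(_),dataController(universityXYZ),dataSubject(_),
                  personalData(_,_),sensitiveData(_,'anonymized_transcripts'),
                  startDate(1637846460),endDate(1653657660)).
dcIsStoringDSData(id(12),dataController(universityXYZ),dataSubject(joao),
                  personalData(joao,'joao@mail.com'),sensitiveData(joao,joaoTranscripts),
                  startDate(1637846470),endDate(1653657670)).

% Naive check: plain unification. An unbound field in a stored fact unifies
% with any value, so the anonymized record matches every subject name.
naiveLinked(DC, DS) :-
    dcIsStoringDSData(_,dataController(DC),dataSubject(DS),_,_,_,_).

% Strict check: fetch the stored clause and compare with ==/2, which never
% binds variables. Succeeds only if an identifying field literally holds DS.
strictLinked(DC, DS, Id) :-
    clause(dcIsStoringDSData(id(Id),dataController(DC),dataSubject(S),
                             personalData(N,_),sensitiveData(O,_),_,_), true),
    once(( member(F, [S,N,O]), F == DS )).

% Evidence of anonymization: every identifying field of the record is unbound.
anonymizedRecord(DC, Data) :-
    clause(dcIsStoringDSData(id(Id),dataController(DC),dataSubject(S),
                             personalData(N,E),sensitiveData(O,Data),_,_), true),
    maplist(var, [Id,S,N,E,O]).

% Helper: turn success or failure of a goal into yes/no for printing.
yesNo(Goal, Answer) :- ( call(Goal) -> Answer = yes ; Answer = no ).

demo :-
    yesNo(naiveLinked(universityXYZ,'John'), A1),
    yesNo(strictLinked(universityXYZ,'John',_), A2),
    yesNo(strictLinked(universityXYZ,joao,_), A3),
    format("naive query links 'John' to a record:  ~w~n", [A1]),
    format("strict check links 'John' to a record: ~w~n", [A2]),
    format("strict check links joao to a record:   ~w~n", [A3]),
    forall(anonymizedRecord(DC, Data),
           format("anonymized record at ~w: ~w~n", [DC, Data])).
```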

In [55]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1637846461 {-1}.

Event = Data Subject agrees to share his sensitive data, Type = Comunicate, DeonticOperator = Permission, Date = 1637846461 ;
Event = Data Subject requested to anonymize his data, Type = Comunicate, DeonticOperator = Permission, Date = 1637846462 ;
Event = Data Controller has to execute the Data Subject s request, Type = Delete-Anonymise, DeonticOperator = Compliance, Date = 1637846463 ;
Event = Data Controller has to notify all processors regarding the anonymization request, Type = Delete-Anonymise, DeonticOperator = Compliance, Date = 1637846463 ;
Event = Data Controller anonymized the Data Subjects data, Type = Delete-Anonymise, DeonticOperator = Compliance, Date = 1637846463 ;
Event = Data Subject cannot request data: access, copy, correction,anonymization, portability, deletion, and details of data sharing, Type = Comunicate, DeonticOperator = Prohibition, Date = 1637846463 ;
Event = Data Subject does not accept to share his information anymore, Type = Comunicate, DeonticOperator 

So, as the Data Subject requested the anonymization of his data, he will not be able to participate in the HTML_2021.1 class activities.

In [56]:
?- class(className('HTML_2021.1'),requireTranscript(true),dataSubject('John'),acceptShareInformation(true),startDate(1637846461)).

false.

Furthermore, the remaining rights are the right to ask whether a Data Controller is processing his/her data and the right to request consent revocation.

In [57]:
?- dsRight(RIGHT,dataSubject('John'),dataController(universityXYZ)).

RIGHT = processingConfirmation ;
RIGHT = requestConsentRevocation .

Therefore, the data anonymization impacts many LGPD relationships, as depicted in Figure 14.

![DataAnonymizationImpact](./img/DataAnonymizationImpact.png "Data Anonymization Impact")
Fig.14 - Data Anonymization Impact.

Data anonymization impacts almost all of the Data Subject's rights. The anonymization process may render the personal data no longer identifiable. Hence, the anonymized data is out of LGPD's scope. In this sense, requests related to data access, deletion, correction, portability, or copy may not be answered by the Data Controller, as the Controller might not be able to identify the Data Subject anymore.

Last but not least, there are other scenarios that could be explored as well.
 - For instance, another university can present a different behaviour when a student revokes his/her consent before the group creation, e.g., the university can define that the student must cancel the class subscription or do the activities alone.
 - If a student revokes his/her consent after the group creation, the student can continue with the discipline activities.
 - As the student requests anonymization, the professors will not be able to get the information that they set as required. Thus, the student will not be able to subscribe to any discipline that requires the transcripts.
 - If a student declines the class, the professor will not be able to access his/her sensitive data.

In [58]:
% Resetting scenario
?-  assertz(dcIsStoringDSData(id(11),dataController(universityXYZ),dataSubject('John'),
                        personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                        startDate(1637846460),endDate(1653657660))),
    retract(dcIsStoringDSData(id(_),dataController(universityXYZ),dataSubject(_),
                    personalData(_,_),sensitiveData(_,'anonymized_transcripts'),
                    startDate(1637846460),endDate(1653657660))),
    retract(log('Data Subject requested to anonymize his data','Comunicate','Permission',1637846462)),
    retract(log('Data Controller has to execute the Data Subject s request','Delete-Anonymise','Compliance',1637846463)),
    retract(log('Data Controller has to notify all processors regarding the anonymization request','Delete-Anonymise','Compliance',1637846463)),
    retract(log('Data Controller anonymized the Data Subjects data','Delete-Anonymise','Compliance',1637846463)),
    retract(log('Data Subject cannot request data: access, copy, correction,anonymization, 
            portability, deletion, and details of data sharing','Comunicate','Prohibition',1637846463)),
    retract(log('Data Subject does not accept to share his information anymore','Comunicate','Prohibition',1637846463)),
    assertz(dsRight(dataAccess,dataSubject('John'),dataController(universityXYZ))),
    assertz(dsRight(dataCopy,dataSubject('John'),dataController(universityXYZ))),
    assertz(dsRight(dataCorrection,dataSubject('John'),dataController(universityXYZ))),
    assertz(dsRight(dataAnonymization,dataSubject('John'),dataController(universityXYZ))),
    assertz(dsRight(dataPortability,dataSubject('John'),dataController(universityXYZ))),
    assertz(dsRight(dataDeletion,dataSubject('John'),dataController(universityXYZ))),
    assertz(dsRight(dataSharingInformation,dataSubject('John'),dataController(universityXYZ))).

true.

----
#### Cause-effect: Data deletion

As mentioned before, there is more than one definition of data deletion. In the aforementioned case, we anonymized the data, which can be considered data deletion. Now, let's picture that the Data Subject John wants to destroy his data in the UniversityXYZ database.

This means that John will not be able to subscribe to any class at UniversityXYZ.

Moreover, the following purposes, described in LGPD art. 16, legitimize the retention, i.e., they **allow** the Data Controller to keep the personal data stored in the database:
 - I - compliance with a legal or regulatory obligation by the controller;
 - II - study by a research institution, ensuring, whenever possible, the anonymization of personal data;
 - III - transfer to a third party, provided that the data processing requirements set out in this Law are respected; or
 - IV - exclusive use of the controller, its access by a third party is prohibited, and anonymization is required as well.


<div>
<img src="./img/Scenario2_DataDeletion.png" width="600"/>
</div>
Fig.15 - Data Deletion Process.

As the University's purpose is not based on any of the aforementioned situations, UniversityXYZ must accept the Data Subject's request.

In [59]:
?- purpose(universityXYZ,'John',Purpose).

Purpose = improve_class_dynamics .

In order to specify the rule that defines if the Data Controller has the right to keep the Data Subject's data, we developed the following function.

In [60]:
% Description: This function verifies whether the Data Controller's purpose is eligible to hold the Data Subject's data.
% This function receives the params:
%  i. Data Controller
% ii. Data Subject

verifyIfDCCanHoldDSData(dataController(DC),dataSubject(DS)) :-
    purpose(DC,DS,legalObligation), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    purpose(DC,DS,research), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    purpose(DC,DS,transferToThirdParty), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    purpose(DC,DS,exclusiveDCUse), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    assertz(dcCanHoldData('','')).



So, let's run the above function to verify whether a new fact is generated informing that the Data Controller can hold the Data Subject's data.

In [61]:
?- verifyIfDCCanHoldDSData(dataController(universityXYZ),dataSubject('John')).

true.

Then, let's verify if such a fact was generated.

In [62]:
?- dcCanHoldData(dataController(universityXYZ),dataSubject('John')).

false.

In this sense, let's simulate the request for data deletion from the Data Subject John to the Data Controller UniversityXYZ.

In [63]:
log('Data Subject requested to delete his data','Comunicate','Permission',1637846464).



In [64]:
log('Data Controller received the data deletion request and will evaluate the solicitation','Comunicate','Compliance',1637846465).



The code below will check whether the Data Controller can hold the Data Subject's information. If yes, two new log activities will be recorded. On the other hand, the code will return false if the Data Controller cannot hold the information, and the two log activities will not be recorded.

In [65]:
?- dcCanHoldData(dataController(universityXYZ),dataSubject('John')),
    
    assertz(log('Data Controller can hold the data because its purpose allows it.','Observe','Permission',1637846466)),

    assertz(log('Data Controller decided to keep the data on the database.','Comunicate','Compliance',1637846467)).

false.

In [66]:
% Description: This function records the obligation to delete the Data Subject's data when the Data Controller is not allowed to hold it.
% This function receives the params:
%    i. Data Subject
%   ii. Data Controller
%  iii. Date Time

requestToDeleteDSData(dataSubject(DS),dataController(DC),date(DT)) :- 
 not(dcCanHoldData(dataController(DC),dataSubject(DS))),
 assertz(log('Data Controller has to delete the data','Comunicate','Obligation',DT)).



In [67]:
?- requestToDeleteDSData(dataSubject('John'),dataController(universityXYZ),date(1637846468)).

true.

Why 1: This method returned true because the Data Controller cannot hold the Data Subject's data, as presented below.

In [68]:
?-  dcCanHoldData(dataController(universityXYZ),dataSubject('John')).

false.

Why 2: The Data Controller cannot hold personal data because it will not be used for any of the aforementioned situations.

In [69]:
?- purpose(DC,'John',Purpose).

DC = universityXYZ, Purpose = improve_class_dynamics .

It means that the purpose presented by the Data Controller is **not valid** to permit UniversityXYZ to hold the Data Subject's data.

In [70]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1637846463 {-1}.

Event = Data Subject requested to delete his data, Type = Comunicate, DeonticOperator = Permission, Date = 1637846464 ;
Event = Data Controller received the data deletion request and will evaluate the solicitation, Type = Comunicate, DeonticOperator = Compliance, Date = 1637846465 ;
Event = Data Controller has to delete the data, Type = Comunicate, DeonticOperator = Obligation, Date = 1637846468 .

Therefore, as depicted in Figure 16, the request for data deletion may have a different impact depending on the purpose limitation. For example, the data storage may have to anonymize the data. Moreover, if the data was deleted or anonymized, the Data Controller can no longer fulfill requests related to data correction, portability, and copy.

![DataDeletionImpact](./img/DataDeletionImpact.png "Data Deletion Impact")
Fig.16 - Data Deletion Impact.
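
The notebook run above only exercises the branch in which the controller must delete. The following is an added example, not part of the original notebook, that runs both outcomes of the art. 16 check without asserting a placeholder fact and then verifies that an open deletion obligation was actually carried out. It assumes SWI-Prolog; `registryOffice`, `'Maria'`, `retentionBasis`, `canHoldData/3`, `handleDeletionRequest`, `deletionDue`, `pendingDeletion` and `executeDeletion` are hypothetical names, and all facts are constructed samples.

```prolog
% Added example (assumes SWI-Prolog). Run: swipl -g demo -t halt deletion.pl
:- dynamic purpose/3, log/4, dcIsStoringDSData/7, deletionDue/3.

% Constructed sample facts. universityXYZ/'John' is the page's case;
% registryOffice/'Maria' is a hypothetical controller with an art. 16 purpose.
purpose(universityXYZ, 'John', improve_class_dynamics).
purpose(registryOffice, 'Maria', legalObligation).
dcIsStoringDSData(id(11),dataController(universityXYZ),dataSubject('John'),
                  personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                  startDate(1637846460),endDate(1653657660)).
dcIsStoringDSData(id(20),dataController(registryOffice),dataSubject('Maria'),
                  personalData('Maria','maria@mail.com'),sensitiveData('Maria','records'),
                  startDate(1637846460),endDate(1653657660)).

% LGPD art. 16 exceptions, keyed by the purpose atoms used in cell 60.
retentionBasis(legalObligation,      'art. 16, I').
retentionBasis(research,             'art. 16, II').
retentionBasis(transferToThirdParty, 'art. 16, III').
retentionBasis(exclusiveDCUse,       'art. 16, IV').

% Side-effect-free test: succeeds only for an art. 16 purpose, asserts nothing.
canHoldData(DC, DS, Basis) :-
    purpose(DC, DS, P),
    retentionBasis(P, Basis).

% Process a deletion request received at time T; Outcome reports the decision.
% deletionDue/3 is a hypothetical helper fact that remembers open obligations.
handleDeletionRequest(DS, DC, T, Outcome) :-
    assertz(log('Data Subject requested to delete his data','Comunicate','Permission',T)),
    T1 is T + 1,
    (   canHoldData(DC, DS, Basis)
    ->  Outcome = retained(Basis),
        assertz(log('Data Controller can hold the data because its purpose allows it.',
                    'Observe','Permission',T1))
    ;   Outcome = mustDelete,
        assertz(deletionDue(DS, DC, T1)),
        assertz(log('Data Controller has to delete the data','Comunicate','Obligation',T1))
    ).

% An obligation is still open while the controller keeps a record of DS.
pendingDeletion(DS, DC, Since) :-
    deletionDue(DS, DC, Since),
    dcIsStoringDSData(_,dataController(DC),dataSubject(DS),_,_,_,_).

% Carry out the deletion and close the obligation.
executeDeletion(DS, DC) :-
    retractall(dcIsStoringDSData(_,dataController(DC),dataSubject(DS),_,_,_,_)),
    retractall(deletionDue(DS, DC, _)).

demo :-
    handleDeletionRequest('Maria', registryOffice, 1637846464, O1),
    handleDeletionRequest('John', universityXYZ, 1637846464, O2),
    format("Maria / registryOffice: ~w~n", [O1]),
    format("John / universityXYZ:   ~w~n", [O2]),
    forall(pendingDeletion(DS, DC, T),
           format("open obligation: ~w at ~w since ~w~n", [DS, DC, T])),
    executeDeletion('John', universityXYZ),
    (   pendingDeletion(_, _, _)
    ->  format("obligations still open~n")
    ;   format("no open obligations~n")
    ).
```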

In [71]:
% Resetting scenario
?-  retract(log('Data Subject requested to delete his data','Comunicate','Permission',1637846464)),
    retract(log('Data Controller received the data deletion request and will evaluate the solicitation',
        'Comunicate','Compliance',1637846465)),
    retract(log('Data Controller has to delete the data','Comunicate','Obligation',1637846468)).

true.

----
#### Cause-effect: Technology unavailability

Companies are vulnerable to technical faults, unavailability, or security breaches. In this sense, Data Subjects might be impacted by technology troubles. In some cases, the technology unavailability may not impact Data Subjects, but only the companies' internal processes.

In this scenario, we will simulate an event of technology unavailability, i.e., let's picture that UniversityXYZ's cloud server, which has the personal data storage, is offline. Internally, UniversityXYZ suffered a high impact from this unavailability; all systems that depend on this database are offline, i.e., the internal data governance is jeopardized/compromised. Hence, students and professors cannot access any internal system.

Figure 17 depicts the impact of system unavailability.

![DataUnavailabilityImpact](./img/DataUnavailabilityImpact.png "Data Unavailability Impact")
Fig.17 - Data Unavailability Impact.

Besides the governance, data unavailability may directly impact the users' rights. For example, without the system, the Data Controller and Processor cannot delete or correct data. Moreover, if a Data Subject requests portability or anonymization, the Data Controller will not be able to attend to such requests as fast as expected; a considerable delay is expected instead. Furthermore, depending on the delay, fines can be applied, but they should be evaluated case by case.

Last but not least, in this educational scenario, depending on the moment of this data unavailability, the impact might be more or less severe. For instance, if the students are in the subscription period, they may miss the window to do their class subscriptions. Hence, it could generate many issues, for instance, related to:
- class size measurement, i.e., students per class,
- available physical space, which depends on the class size,
- the need for the university to provide another moment for affected students to do their class subscriptions, and so on.

Moreover, if the students are at the end of the term, the students may request to delay the final exam, and the professors may delay the final grade.

Conversely, if the unavailability occurs in the middle of the term, students may not be impacted.

----
#### Cause-effect: Inconsistent behavior

Forecasting human behavior can be a big challenge; strange behaviors can originate from different sources, such as a bad interface, system instability or error, or a malicious person. In this sense, let's picture a person who agrees and revokes consent repeatedly within a short time span.

In [72]:
?- createConsentTerm(universityXYZ,joao,'joao@mail.com',joaoTranscripts,improve_class_dynamics,
                'design_class_activities',
                'statistic_analysis',
                15811200,
                'none',
                'e-mail',
                'lgpd@universityxyz.br',
                'SHA256',
                'Authorized employees can access the data only',
                'UniversityXYZ private cloud'),
                
    assertz(dsRight(processingConfirmation,dataSubject(joao),dataController(universityXYZ))),
    assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Observe','Permission',1637846470)),

    checkConsentTerm(dataController(universityXYZ),
                        dataSubject(joao),
                        purpose(universityXYZ,improve_class_dynamics),
                        'design_class_activities',
                        'statistic_analysis',
                        15811200,
                        'none',
                        'e-mail',
                        'lgpd@universityxyz.br',
                        1637846470),
                        
    setThatdsAgreeWithConsentTerms(id(12),
                                dataSubject(joao),
                                dataController(universityXYZ),
                                requestFormat('Direct',joao,'null'),      
                                personalData(joao,'joao@mail.com'),
                                sensitiveData(joao,joaoTranscripts),
                                startDate(1637846470),
                                endDate(EndDate)), EndDate is 1637846470+15811200,
                        
    setDSRights(dataSubject(joao),dataController(universityXYZ),startDate(1637846470)).

EndDate = 1653657670 .

In [73]:
?- setDSRevokeConsent(id(12),
                        dataSubject(joao),
                        dataController(universityXYZ),
                        personalData(joao,'joao@mail.com'),
                        sensitiveData(joao,joaoTranscripts),
                        now(1637846472),
                        startDate(1637846470),
                        endDate(EndDate)), 
                        EndDate is 1637846470+15811200.

EndDate = 1653657670 .

In [74]:
?- createConsentTerm(universityXYZ,joao,'joao@mail.com',joaoTranscripts,improve_class_dynamics,
                'design_class_activities',
                'statistic_analysis',
                15811200,
                'none',
                'e-mail',
                'lgpd@universityxyz.br',
                'SHA256',
                'Authorized employees can access the data only',
                'UniversityXYZ private cloud'),
                
    assertz(dsRight(processingConfirmation,dataSubject(joao),dataController(universityXYZ))),
    assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Observe','Permission',1637846472)),

    checkConsentTerm(dataController(universityXYZ),
                        dataSubject(joao),
                        purpose(universityXYZ,improve_class_dynamics),
                        'design_class_activities',
                        'statistic_analysis',
                        15811200,
                        'none',
                        'e-mail',
                        'lgpd@universityxyz.br',
                        1637846472),
                        
    setThatdsAgreeWithConsentTerms(id(13),
                                dataSubject(joao),
                                dataController(universityXYZ),
                                requestFormat('Direct',joao,'null'),      
                                personalData(joao,'joao@mail.com'),
                                sensitiveData(joao,joaoTranscripts),
                                startDate(1637846472),
                                endDate(EndDate)), EndDate is 1637846472+15811200,
                        
    setDSRights(dataSubject(joao),dataController(universityXYZ),startDate(1637846472)).

EndDate = 1653657672 ;
EndDate = 1653657672 ;
EndDate = 1653657672 ;
EndDate = 1653657672 ;
EndDate = 1653657672 ;
EndDate = 1653657672 ;
EndDate = 1653657672 ;
EndDate = 1653657672 ;
EndDate = 1653657672 ;
EndDate = 1653657672 .

In [75]:
?- setDSRevokeConsent(id(13),
                        dataSubject(joao),
                        dataController(universityXYZ),
                        personalData(joao,'joao@mail.com'),
                        sensitiveData(joao,joaoTranscripts),
                        now(1637846472),
                        startDate(1637846472),
                        endDate(EndDate)), 
                        EndDate is 1637846472+15811200.

EndDate = 1653657672 ;
EndDate = 1653657672 ;
EndDate = 1653657672 ;
EndDate = 1653657672 .

Figure 18 depicts the impacted entities.

![InconsistentBehaviorImpact](./img/InconsistentBehaviorImpact.png "Inconsistent Behaviour Impact")
Fig.18 - Inconsistent Behavior Impact.

This unusual behaviour can be caught by analysing the event log. Depending on the magnitude, this kind of event may cause damage to the system, as in a Denial of Service attack, for instance.

Moreover, in our educational scenario, as some professors need the students' transcripts to diversify the working groups, a student might perform such inconsistent behaviour to try to get into a better working group. In this case, if the class professor identifies it, the professor could refuse to accept the student into his/her class.

Even though a student may have performed such inconsistent behavior accidentally, the Data Controller has mechanisms to identify such a situation. Therefore, the Data Controller should investigate the motivation for the inconsistency: for instance, whether it is just a user testing his/her possibilities in the system, a bug in the system, or a malicious person trying to cause some damage to the Data Controller, among others.

In [76]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1637846470 {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Observe, DeonticOperator = Permission, Date = 1637846470 ;
Event = Data Subject verified the consent term and it was ok, Type = Observe, DeonticOperator = Obligation, Date = 1637846470 ;
Event = Data Subject agrees with consent term, Type = Comunicate, DeonticOperator = Compliance, Date = 1637846470 ;
Event = Data Controller can collect the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1637846470 ;
Event = Data Controller can store the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1637846470 ;
Event = Data Controller can process the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1637846470 ;
Event = Data Subject can now have all foressen rights, Type = Observe, DeonticOperator = Permission, Date = 1637846470 ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Type = Comunic
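
One way to catch the agree/revoke pattern in the event log, as an added example that is not part of the original notebook: it collects the consent decisions from `log/4`, orders them by time, and flags the log when opposite decisions follow each other within a short window. It assumes SWI-Prolog; the log entries are constructed, the `Type` and `DeonticOperator` of the revocation entry are assumed, and `consentEvent`, `consentTimeline`, `flips` and `inconsistentConsent` are hypothetical names.

```prolog
% Added example (assumes SWI-Prolog). Run: swipl -g demo -t halt flips.pl
:- dynamic log/4.

% Constructed sample log in the notebook's shape: log(Event, Type, DeonticOperator, Date).
% The event texts are the ones shown in the output of cell 76. log/4 carries no
% subject identifier, so the sample is assumed to hold a single Data Subject's events.
log('Data Subject agrees with consent term','Comunicate','Compliance',1637846470).
log('Data Controller can store the Data Subject information','Observe','Permission',1637846470).
log('Data Subject requested to the Data Controller to revoke his/her consent',
    'Comunicate','Permission',1637846472).
log('Data Subject agrees with consent term','Comunicate','Compliance',1637846472).
log('Data Subject requested to the Data Controller to revoke his/her consent',
    'Comunicate','Permission',1637846472).
log('Data Subject agrees with consent term','Comunicate','Compliance',1640000000).

% Map log texts to the two consent decisions of interest.
consentEvent('Data Subject agrees with consent term', agree).
consentEvent('Data Subject requested to the Data Controller to revoke his/her consent', revoke).

% Consent decisions since a given time, oldest first. keysort/2 is stable, so
% entries with the same timestamp keep the order in which they were logged.
consentTimeline(Since, Timeline) :-
    findall(Date-Kind,
            ( log(Event,_,_,Date), Date >= Since, consentEvent(Event, Kind) ),
            Pairs),
    keysort(Pairs, Timeline).

% A flip is two consecutive decisions of opposite kind at most Window seconds apart.
flips([D1-K1, D2-K2 | Rest], Window, [flip(K1,D1,K2,D2)|Fs]) :-
    K1 \== K2, D2 - D1 =< Window, !,
    flips([D2-K2|Rest], Window, Fs).
flips([_|Rest], Window, Fs) :- flips(Rest, Window, Fs).
flips([], _, []).

% Flag the log when the number of flips reaches Threshold.
inconsistentConsent(Since, Window, Threshold, Flips) :-
    consentTimeline(Since, Timeline),
    flips(Timeline, Window, Flips),
    length(Flips, N),
    N >= Threshold.

demo :-
    (   inconsistentConsent(1637846470, 60, 3, Flips)
    ->  length(Flips, N),
        format("~d consent flips within 60 s:~n", [N]),
        forall(member(F, Flips), (print(F), nl))
    ;   format("no inconsistent consent behaviour found~n")
    ).
```

The window and threshold are tuning parameters; a real deployment would also need a subject identifier in each log entry to separate one person's events from another's.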

----
#### Cause-effect: Data portability


Data portability can be explored in at least two ways. First, as with cellphone companies, data portability means migrating the data subject's phone number to another company: the client information is migrated from one company to the other. Second, as with streaming video companies, data portability may mean just the act of copying the data to another company, so both companies would have the same client data at the moment of the data portability request.

In our scenario, let's define that data portability acts like the second case. The Data Subject wants to share his sensitive data with UniversityABC, another institution. But, first, the Data Subject has to accept UniversityABC's consent term and then ask UniversityXYZ to send a copy of his data.
In this sense, UniversityXYZ is **obligated** to comply with such a request and send the requested information.

<div>
<img src="./img/Scenario2_DataPortability.png" width="800"/>
</div>
Fig.19 - Data Portability Process.

In this sense, let's create the consent term from UniversityABC to John.

In [77]:
?- createConsentTerm(universityABC,'John',"E-mail to be informed by data portability","Transcripts to be informed by data portability",improve_class_dynamics,
                'design_class_activities',
                'statistic_analysis',
                15811200,
                'none',
                'e-mail',
                'lgpd@universityabc.br',
                'SHA256',
                'Authorized professors can access the data only',
                'UniversityABC private cloud').

true.

In [78]:
% This function defines the right to request processing confirmation to the Data Subject

dsRight(processingConfirmation,dataSubject('John'),dataController(universityABC)).
?- assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Observe','Permission',1625712876)).

true.

In [79]:
?- checkConsentTerm(dataController(universityABC),
                        dataSubject('John'),
                        purpose(universityABC,'improve_class_dynamics'),
                        'design_class_activities',
                        'statistic_analysis',
                        15811200,
                        'none',
                        'e-mail',
                        'lgpd@universityabc.br',
                        1637846470),
    
    setThatdsAgreeWithConsentTerms(id(14),
                                dataSubject('John'),
                                dataController(universityABC),
                                requestFormat('Direct','John','null'),                                      
                                personalData('John',"E-mail to be informed by data portability"),
                                sensitiveData('John',"Transcripts to be informed by data portability"),
                                startDate(1637846470),
                                endDate(EndDate)), EndDate is 1637846470+15811200,

    setDSRights(dataSubject('John'),dataController(universityABC),startDate(1625035270)),
    
    dcIsStoringDSData(id(14),dataController(universityABC),dataSubject('John'),
                    personalData('John',"E-mail to be informed by data portability"),
                    sensitiveData('John',"Transcripts to be informed by data portability"),
                    startDate(1637846470),endDate(1653657670)).

EndDate = 1653657670 .

Now, the Data Subject requests data portability from UniversityXYZ to UniversityABC, which means a data copy from one institution to another.

In [80]:
?- assertz(log('Data Subject requested data portability from UniversityXYZ to UniversityABC','Comunicate','Obligation',1625712877)).

true.

In [81]:
?- 

% First, UniversityXYZ should have the right to store John s data.

    dcIsStoringDSData(id(11),dataController(universityXYZ),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                    startDate(1637846460),endDate(1653657660)).
                    
?-
% As the Data Subject agreed with the consent term, the Data Controller has the right to store the DS personal data.

    dcIsStoringDSData(id(14),dataController(universityABC),dataSubject('John'),
                    personalData('John',"E-mail to be informed by data portability"),
                    sensitiveData('John',"Transcripts to be informed by data portability"),
                    startDate(1637846470),endDate(1653657670)).
                    
?- 
% Next, we have to update the UniversityABC s database with the data sent from UniversityXYZ.
    retract(dcIsStoringDSData(id(14),dataController(universityABC),dataSubject('John'),
                    personalData('John',"E-mail to be informed by data portability"),
                    sensitiveData('John',"Transcripts to be informed by data portability"),
                    startDate(1637846470),endDate(1653657670))),
                    
    assertz(dcIsStoringDSData(id(14),dataController(universityABC),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                    startDate(1637846470),endDate(1653657670))).

?- 
% Last but not least, the following entries register the actions in the log.
                    
    assertz(log('Data Controller UniversityXYZ achieved the Data Subject request','Comunicate','Obligation',1625712878)),
    
    assertz(log('Data Subject should check if the data are correct','Observe','Permission',1625712879)).
                

true.
true.
true.
true.

In [82]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1625712876 {-1}.

Event = Data Subject verified the consent term and it was ok, Type = Observe, DeonticOperator = Obligation, Date = 1637846460 ;
Event = Data Subject agrees with consent term, Type = Comunicate, DeonticOperator = Compliance, Date = 1637846460 ;
Event = Data Controller can collect the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1637846460 ;
Event = Data Controller can store the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1637846460 ;
Event = Data Controller can process the Data Subject information, Type = Observe, DeonticOperator = Permission, Date = 1637846460 ;
Event = Data Subject agrees to share his sensitive data, Type = Comunicate, DeonticOperator = Permission, Date = 1637846461 ;
Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Observe, DeonticOperator = Permission, Date = 1637846470 ;
Event = Data Subject verified the consent term and it was ok, Type = Observe, DeonticOpera

In this sense, as the new relationship between John and UniversityABC requires a new consent term, all relationships are impacted, as depicted in Figure 20.

![DataPortabilityImpact](./img/DataPortabilityImpact.png "Data Portability Impact")
Fig.20 - Data Portability Impact.

Finally, let's check who has John's data.

In [83]:
?- dcIsStoringDSData(id(ID),dataController(DataController),dataSubject('John'),
                    personalData('John','john@mail.com'),sensitiveData('John','transcripts'),
                    startDate(StartDate),endDate(EndDate)).

ID = 11, DataController = universityXYZ, StartDate = 1637846460, EndDate = 1653657660 ;
ID = 14, DataController = universityABC, StartDate = 1637846470, EndDate = 1653657670 .