# Scenario 1 - Data Subject agrees with the Data Controller consent term.

## Table of Contents
1. [Scenario Description](#Scenario-Description)
2. [Scene 1: Set Consent Term](#Scene-1:-Set-consent-term.)
3. [Scene 2: Data Subject Agrees with the Consent Term](#Scene-2:-Data-Subject-agrees-with-the-consent-term.)
4. [Scene 3: Defining the Data Subject's Rights](#Scene-3:-Defining-the-Data-Subject's-rights.)
5. [Questions to Ask](#Questions-to-ask)

### Scenario Description

The Data Controller Fiocruz wants to use the Data Subjects' personal data and health data to research genetic factors in the context of COVID-19.

To do so, the Data Controller must send the consent term to the Data Subject. The consent term must present all the information defined in the LGPD art. 9.

Next, if the Data Subject agrees with the Fiocruz consent terms, he/she will have all the rights foreseen in the LGPD.

The following figure depicts this macro scenario process.

![Scenario1_Process](./img/Scenario1_Process.png "Process 1")

Art. 9
- I - specific purpose of the processing;
- II - form and duration of the processing, subject to commercial and industrial secrecy;
- III - identification of the controller;
- IV - contact information of the controller;
- V - information about the shared use of data by the controller and its purpose;
- VI - responsibilities of the agents who will carry out the processing; and
- VII - rights of the data subject, with explicit mention of the rights contained in Art. 18 of this Law.

At the end of this scenario's execution, many queries can be posed to Prolog to test the rules and facts.

 ---------

### Scene 1: Set consent term.

The Data Subject Paulo allows the Data Controller Fiocruz to access, store, and process his personal data and health data to perform research regarding genetic factors related to COVID-19 using statistical analysis for 180 days.


The Data Controller is allowed to share the Data Subject's data only for the purpose of vaccination prioritization.


To make any request, please use the Data Controller communication channel by email lgpd@fiocruz.br.


PS: The Data Controllers must, if requested, always confirm whether they are processing the personal data.

This consent text can be split into the following clauses:

`The Data Subject Paulo allows ...`

`... the Data Controller Fiocruz ...`

`... access, store, and process his personal data ...`

`... and his health data ...`

`... under the purpose to perform research ...`

`... regarding genetic factors related to COVID-19 ...`

`... using statistical analysis ...`

`... for 180 days. `

`The Data Controller is allowed to share the Data Subject's data only for the purpose of vaccination prioritization.`

`To make any request, please use the Data Controller communication channel by email lgpd@fiocruz.br.`

In [1]:
```prolog
dataSubject(paulo).
```

In [2]:
```prolog
dataController(fiocruz).
```

In [3]:
```prolog
personalData(paulo,976635869).
```

In [4]:
```prolog
healthData(paulo, oPlus).
```

In [5]:
```prolog
purpose(fiocruz,paulo,research).
```

In [6]:
```prolog
specificPurpose(fiocruz,paulo,research,'genetic_factors_related_to_COVID-19').
```

In [7]:
```prolog
form(fiocruz,paulo,research,'genetic_factors_related_to_COVID-19','statistic_analysis').
```

In [8]:
```prolog
timeLength(fiocruz,paulo,research,'genetic_factors_related_to_COVID-19',180).
```

In [9]:
```prolog
thirdyPartySharingPurpose(fiocruz,paulo,research,'genetic_factors_related_to_COVID-19',180,'vaccination_priorization').
```

In [10]:
```prolog
channelToProvideInformation(fiocruz,paulo,'e-mail','lgpd@fiocruz.br').
```



In [11]:
```prolog
:- dynamic dsRight/3.  % extended at run time by setDSRights/2 (Scene 3)
dsRight(processingConfirmation,dataSubject(paulo),dataController(fiocruz)).
```



 ---------

### Scene 2: Data Subject agrees with the consent term.

First, the Data Subject verifies that all the crucial elements are described in the consent term presented by the Data Controller.

In [12]:
```prolog
% Description: This predicate verifies whether a consent term includes all the required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form (Processing techniques)
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applicable
%  vii. Communication channel for the data subject to request any information
% viii. Data Controller contact

% consentTermOk/2 is asserted at run time; declaring it dynamic makes a lookup
% made before any term has been checked fail instead of raising an existence error.
:- dynamic consentTermOk/2.

checkConsentTerm(dataController(DC),
                dataSubject(DS),
                purpose(DC,Purpose),
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact) :-
    (
        form(DC,DS,Purpose,SpecificPurpose,Form),
        timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength),
        thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,TimeLength,ThirdPartyPurpose),
        channelToProvideInformation(DC,DS,Channel,DCContact),
        purpose(DC,DS,Purpose),
        specificPurpose(DC,DS,Purpose,SpecificPurpose),
        assertz(consentTermOk(dataController(DC),dataSubject(DS)))
    ).
```



In [13]:
```prolog
% This call verifies whether the consent term has all the required information

?- checkConsentTerm(dataController(fiocruz),dataSubject(paulo),purpose(fiocruz,research),
'genetic_factors_related_to_COVID-19','statistic_analysis',180,'vaccination_priorization','e-mail','lgpd@fiocruz.br').
```

true.

If ok, the Data Subject decides to agree with the presented terms.

In [14]:
```prolog
% Description: This function sets that the Data Subject agreed with the consent term.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Personal Data
%    v. Health Data

setThatdsAgreeWithConsentTerms(id(ID),dataSubject(DS),
                                dataController(DC),
                                personalData(DS,PData),
                                healthData(DS,HData)) :-
    consentTermOk(dataController(DC),dataSubject(DS)),
    assertz(dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC))),
    assertz(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))),
    assertz(dcIsStoringDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))),
    assertz(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData))).
```



In [15]:
```prolog
% This call returns true in case of success.

?- setThatdsAgreeWithConsentTerms(id(10),dataSubject(paulo),dataController(fiocruz),personalData(paulo,976635869),healthData(paulo,oPlus)).
```

true.

Now, the Data Controller can collect, store and process the Data Subject's data.

In [16]:
```prolog
?- dcIsCollectingDSData(id(10),dataController(fiocruz),dataSubject(paulo),personalData(paulo,976635869),healthData(paulo,oPlus)),
dcIsProcessingDSData(id(10),dataController(fiocruz),dataSubject(paulo),personalData(paulo,976635869),healthData(paulo,oPlus)),
dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),personalData(paulo,976635869),healthData(paulo,oPlus)).
```

true.
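
Added example, not part of the original notebook: `checkConsentTerm` only succeeds or fails, so this sketch reports which of the elements it requires have no matching fact for a given controller and subject, which is what a reviewer needs before consent is recorded. The names `labx`, `maria`, `art9Element/3`, `missingArt9Elements/3` and `completeConsentTerm/2` are hypothetical, and the `labx`/`maria` facts are constructed.

```prolog
% Added example, not from the original notebook. labx and maria are
% hypothetical; their facts are constructed to show an incomplete term.
:- dynamic purpose/3, specificPurpose/4, form/5, timeLength/5,
           thirdyPartySharingPurpose/6, channelToProvideInformation/4.

purpose(fiocruz, paulo, research).
purpose(labx, maria, research).
specificPurpose(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19').
specificPurpose(labx, maria, research, 'genetic_factors_related_to_COVID-19').
form(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19', 'statistic_analysis').
form(labx, maria, research, 'genetic_factors_related_to_COVID-19', 'statistic_analysis').
% From here on only fiocruz/paulo is declared: labx gave maria no duration,
% no third-party sharing purpose and no contact channel.
timeLength(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19', 180).
thirdyPartySharingPurpose(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19', 180, 'vaccination_priorization').
channelToProvideInformation(fiocruz, paulo, 'e-mail', 'lgpd@fiocruz.br').

% art9Element(+Name, +DC, +DS): element Name is declared for the pair DC/DS.
% Each element is checked on its own, so one gap does not hide another.
art9Element(purpose, DC, DS)                  :- purpose(DC, DS, _).
art9Element(specificPurpose, DC, DS)          :- specificPurpose(DC, DS, _, _).
art9Element(form, DC, DS)                     :- form(DC, DS, _, _, _).
art9Element(timeLength, DC, DS)               :- timeLength(DC, DS, _, _, _).
art9Element(thirdPartySharingPurpose, DC, DS) :- thirdyPartySharingPurpose(DC, DS, _, _, _, _).
art9Element(channel, DC, DS)                  :- channelToProvideInformation(DC, DS, _, _).

% missingArt9Elements(+DC, +DS, -Missing): required elements without a fact.
missingArt9Elements(DC, DS, Missing) :-
    Required = [purpose, specificPurpose, form, timeLength,
                thirdPartySharingPurpose, channel],
    findall(E, ( member(E, Required), \+ art9Element(E, DC, DS) ), Missing).

% completeConsentTerm(+DC, +DS): holds only when nothing is missing, so it can
% guard the step that records the Data Subject's agreement.
completeConsentTerm(DC, DS) :- missingArt9Elements(DC, DS, []).

% Queries to try:
% ?- missingArt9Elements(fiocruz, paulo, Missing).
% ?- missingArt9Elements(labx, maria, Missing).
% ?- completeConsentTerm(labx, maria).
```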

 ---------

### Scene 3: Defining the Data Subject's rights.

According to the LGPD Art. 18, when the Data Subject is sharing data with a Data Controller, he/she has the following rights:
1. Data Access
2. Data Copy
3. Data Correction
4. Data Anonymization
5. Data Portability
6. Data Deletion
7. Information regarding the data sharing with a third party
8. Request consent revocation.

In [17]:
```prolog
% Description: This function sets all the Data Subject's rights foreseen in the LGPD.
% This function receives the params:
%  i. Data Subject
% ii. Data Controller

setDSRights(dataSubject(DS),dataController(DC)) :-
	assertz(dsRight(dataAccess,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataCopy,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataCorrection,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataAnonymization,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataPortability,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataDeletion,dataSubject(DS),dataController(DC))),
	assertz(dsRight(dataSharingInformation,dataSubject(DS),dataController(DC))),
	assertz(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))).
```



In [18]:
```prolog
% This call returns true if all the Data Subject's rights were associated with him/her.

?- setDSRights(dataSubject(paulo),dataController(fiocruz)).
```

true.

 ---------

### Questions to ask

Is the Data Controller Fiocruz using the Data Subject Paulo's data?

In [19]:
```prolog
?- dcIsProcessingDSData(id(10),dataController(fiocruz),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData)).
```

PData = 976635869, HData = oPlus .

What are the Data Subject rights right now?

In [20]:
```prolog
?- dsRight(RIGHT,dataSubject(paulo),dataController(fiocruz)).
```

```
RIGHT = processingConfirmation ;
RIGHT = dataAccess ;
RIGHT = dataCopy ;
RIGHT = dataCorrection ;
RIGHT = dataAnonymization ;
RIGHT = dataPortability ;
RIGHT = dataDeletion ;
RIGHT = dataSharingInformation ;
RIGHT = requestConsentRevocation .
```

Can all items from art. 9 be informed?

In [21]:
```prolog
?- specificPurpose(fiocruz,paulo,research,SPECIFICPURPOSE).
```

SPECIFICPURPOSE = genetic_factors_related_to_COVID-19 .

In [22]:
```prolog
?- timeLength(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19',DAYS).
```

DAYS = 180 .

Who is processing the Data Subject's personal data, and what are the respective data?

In [23]:
```prolog
?- dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData)).
```

ID = 10, DC = fiocruz, PData = 976635869, HData = oPlus .