# Exploring Simulation Scenarios to Mitigate Information Asymmetry Under the LGPD Perspective

## Table of Contents
1. [LGPD Ontology](#LGPD-Ontology)
2. [Scenario Structure](#Scenario-Structure)
3. [Scenario Description](#Scenario-Description)
4. [Scene 1: Set Consent Term](#Scene-1:-Set-consent-term.)
5. [Scene 2: Data Subject Agrees with the Consent Term](#Scene-2:-Data-Subject-agrees-with-the-consent-term.)
6. [Scene 3: Defining the Data Subject's Rights](#Scene-3:-Defining-the-Data-Subject's-rights.)
7. [Scene 4: Data Subject's Consent Revocation](#Scene-4:-Data-Subject's-consent-revocation.)
8. [Questions to Ask](#Questions-to-ask)
    
    8.1 [Cause-Effect 1: Consent revocation not respected](#Cause-effect:-1-How-to-evidence-when-the-Data-Controller-did-not-respect-the-consent-revocation?)
    
    8.2 [Cause-Effect 2: Evidencing data leak](#Cause-effect-2:-How-to-get-evidences-that-the-Data-Controller-leaked-the-Data-Subject's-data?)
    
    8.3 [Cause-effect 2: Data breach, what to do?](#Cause-effect-2:-Data-breach,-what-to-do?)
    
    8.4 [Cause-Effect 3: Requesting data correction](#Cause-effect-3:-Requesting-data-correction)

    8.5 [Cause-Effect 4: Requesting data anonymization](#Cause-effect-4:-Requesting-anonymization)


### LGPD Ontology

This notebook describes the ontology developed to map the LGPD entities and their relationships. Next, we create scenarios that show examples of the law's application using Prolog.
To do so, we based our approach on the PrOnto ontology, which was developed in the GDPR context and has many intersections with the LGPD concepts.

There are differences between the GDPR and the LGPD. The former is more normative and detailed. The latter is generalist and, as a law, leaves its clauses open to case-by-case interpretation.

LGPD cases can intersect with other laws in the Brazilian constitution, depending on the case, as depicted in the following image. The LGPD defines:
 - legal basis: consent is the most popular, but there are others foreseen in the law,
 - data protection guidelines: general guidelines,
 - applicability: there are some situations in which the LGPD does not apply, such as when the data is anonymized,
 - concepts: the LGPD qualifies personal data, sensitive personal data, data controller, among others,
 - rights and duties: the LGPD sets rights and duties for data subjects, controllers and processors.

![LGPD_Structure](./img/LGPD_Structure.png "LGPD Structure")

In this sense, we decided to create a new ontology to highlight the essential concepts in the LGPD and their relationships, as depicted in the following image.

![LGPD_Ontology](./img/LGPD_Ontology.png "LGPD Ontology")

In a detailed view, the following image depicts the relationships between the entities. It is important to note that the "consent term" and the "right" are the central ontology points; they have many connections with other concepts as well as the entity "dispute resolution". For instance, if the purpose limitation changes, the data controller must get a new consent term from the data subject. The data subject can then disagree, which interrupts the data collection. If the data controller nevertheless does not stop collecting the data subject's personal data, it violates the data subject's rights, and fines will be applied to the data controller.

![LGPD_Ontology_Relationships](./img/LGPD_Ontology_Relationships.png "LGPD Ontology Relationships")


### Scenario Structure

This scenario structure was developed based on the PrOnto ontology, but some changes were made. The PrOnto ontology presents many modules that describe the ontology entities in detail; however, it might be hard for ordinary people, i.e. citizens, to understand what the main concerns are when sharing their data.

In this sense, we gathered the PrOnto definitions to create our scenario structure, as depicted in the image below.


Our scenario presents four pillars: Agent, Action, Right, and DeonticOperator, which are detailed and depicted below:
 - **Agent**: Scenarios have to define the agents, i.e., the Data Subjects, Data Controllers and Data Processors involved, and their actions.
 - **Action**: The actions are narrowed by the consent term, which defines the agents, the purpose, the data that will be used, and the time frame. Moreover, the actions are executed under a jurisdiction and entail risks, such as the risk of a data leak. Last but not least, actions are composed of steps, which are executed based on the rights currently available to the agents and persisted in log registries.
 - **Right**: The agents may have different rights depending on the classification, time frame and previous actions. The rights are complemented by the Deontic Operators.
 - **Deontic Operator**: The deontic concepts define whether there is an obligation, a prohibition, or a permission. Furthermore, PrOnto includes violation and compliance as statuses related to an obligation or prohibition.
 
![Scenario_Structure](./img/Scenario_Structure.png "Scenario Structure")

Our scenarios follow the structure presented below. First, we define the scenario context and formulate basic questions regarding the data subject's rights and how the data controller can address such questions. Then, we elaborate more complex scenarios in order to explore non-trivial situations that stress the scenario context and document the evidence. We aim to create a simulation tool in which data subjects and controllers can explore the scenarios already developed and contribute new perspectives. The collaborative contribution can generate a solid database for exploring LGPD compliance in many different situations.

<div>
<img src="./img/Scenario_Methodology.png" width="600"/>
</div>
 

### Scenario Description

**The Data Subject agrees with the Data Controller's consent term, but then decides to revoke his/her consent.**

The Data Controller Fiocruz wants to use Paulo's (Data Subject) personal data and health data to research genetic factors related to COVID-19 from Wednesday, May 26, 2021 1:21:00 PM to Thursday, November 25, 2021 1:21:00 PM (180 days).

To do so, the Data Controller must send the consent term to the Data Subject. The consent term must present all the information defined in the LGPD art. 9.

However, after accepting the consent term, the Data Subject decides to revoke his consent on Saturday, June 26, 2021 1:07:55 PM.

Agents
 - Data Subject - Paulo
 - Data Controller and processor - Fiocruz

Action
 - Defined in the consent term.
 - Risk: data breach - impact: low; there is no religious, ethnic, or political opinion data that could lead to discrimination against the data subject.

Right
 - After the Data Subject decides to agree with the consent terms, he will have all the LGPD foreseen rights
 - The consent revocation should not impact the other rights.
 
Deontic Operator
 - The Data Subject has the permission to call for any action related to his rights
 - The Data Controller is obligated to comply with the Data Subject's requests, except when the law says the opposite.
 - The Data Controller is prohibited from using the personal data collected under circumstances other than the ones in the consent term
 - Violation and compliance will be explored in the extended scenarios at the end of this notebook



The following figure depicts this macro scenario process.

![Scenario2_Process](./img/Scenario2_Process.png "Process 2")

Moreover, four other cause-effect scenarios were explored in order to show some possibilities regarding the data subject's rights.

The goal is to create a scenario with Prolog to explore the facts in different time ranges and some cause-effect scenarios. This notebook tries to keep to general facts that could occur in any domain. Domain-specific facts were not explored.
 
*PS-1: The timestamp is used to provide the time spectrum. The following tool was used to convert human time to timestamp and the other way around. https://www.epochconverter.com/ - 180 days is equivalent to adding the value 15811200 to the timestamp*

*PS-2: To make the timestamps easier to follow, we considered the following associations.*
- *Wednesday, May 26, 2021 1:21:00 PM = 1622035260*
- *Friday, November 26, 2021 1:07:55 PM = 1637846460*
- *Saturday, June 26, 2021 1:07:55 PM = 1624712875*

 
 ---------

### Scene 1: Set consent term.

The first step is the consent setup. The consent must have all information described in the LGPD Art. 9. The following method receives all the required information.


The **Data Subject Paulo** allows the **Data Controller Fiocruz** to access, store, and process his **phone number** and **blood factor/type** to perform **research** regarding **genetic factors related to COVID-19** using **statistical analysis** for **180 days**. However, the phone number **will not be publicly available** and will be used only in emergency situations.

The Data Controller is allowed to **share** the Data Subject's data **only** for the **vaccination prioritization purpose**.


To make any request, please use the Data Controller communication channel by **email lgpd@fiocruz.br**.


PS: If requested, Data Controllers must always inform whether they are processing the personal data.


In [1]:
% Description: This function defines a consent term including all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form (Processing techniques)
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applied
%  vii. Communication channel through which the data subject can request any information
% viii. Data Controller contact

createConsentTerm(DC,DS,PData,HData,Purpose,
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact) :-

                assertz(dataSubject(DS)),
                assertz(dataController(DC)),
                assertz(personalData(DS,PData)),
                assertz(healthData(DS, HData)),
                assertz(purpose(DC,DS,Purpose)),
                assertz(specificPurpose(DC,DS,Purpose,SpecificPurpose)),
                assertz(form(DC,DS,Purpose,SpecificPurpose,Form)),
                assertz(timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength)),
                assertz(thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,
                                                    TimeLength,ThirdPartyPurpose)),
                assertz(channelToProvideInformation(DC,DS,Channel,DCContact)).



In [2]:
% This is a function call that defines a consent term with the informed params

?- createConsentTerm(fiocruz,paulo,976635869,oPlus,research,
                'genetic_factors_related_to_COVID-19',
                'statistic_analysis',
                15811200,
                'vaccination_priorization',
                'e-mail',
                'lgpd@fiocruz.br').

true.

In [3]:
% This fact grants the Data Subject the right to request processing confirmation

dsRight(processingConfirmation,dataSubject(paulo),dataController(fiocruz)).
?- assertz(log('Data Subject can ask if the Data Controller is processing his/her data',1622035260)).

true.

 ---------

### Scene 2: Data Subject agrees with the consent term.

First, the Data Subject verifies whether all the crucial elements are described in the consent term presented by the Data Controller. If so, the program records that the consent term is ok, i.e., it has all the required information.

In [4]:
% Description: This function verifies if a consent term includes all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Data Controller
%   ii. Data Subject
%  iii. Specific Purpose
%   iv. Form (Processing techniques)
%    v. Time length of processing
%   vi. The purpose when sharing the data with third parties, when applied
%  vii. Communication channel through which the data subject can request any information
% viii. Data Controller contact

checkConsentTerm(dataController(DC),
                dataSubject(DS),
                purpose(DC,Purpose),
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact,
                Date) :-
    (
        form(DC,DS,Purpose,SpecificPurpose,Form),
        timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength),
        thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,TimeLength,ThirdPartyPurpose),
        channelToProvideInformation(DC,DS,Channel,DCContact),
        purpose(DC,DS,Purpose),
        specificPurpose(DC,DS,Purpose,SpecificPurpose),
        assertz(consentTermOk(dataController(DC),dataSubject(DS))),
        assertz(log('Data Subject verified the consent term and it was ok',Date))
    ).



In [5]:
% This call returns true if the consent term is ok, or false if not.

?- checkConsentTerm(dataController(fiocruz),
                        dataSubject(paulo),
                        purpose(fiocruz,research),
                        'genetic_factors_related_to_COVID-19',
                        'statistic_analysis',
                        15811200,
                        'vaccination_priorization',
                        'e-mail',
                        'lgpd@fiocruz.br',
                        1622035260).

true.

So, if the consent term is ok, the Data Subject can inform that he/she agrees with the consent term.

Hence, the Data Controller can collect, store and process the Data Subject's data.

In [6]:
% Description: This function sets that the Data Subject agreed with the consent term.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Personal Data
%    v. Health Data
%   vi. Start Date - Timestamp
%  vii. End Date - Timestamp

setThatdsAgreeWithConsentTerms(id(ID),dataSubject(DS),
                                dataController(DC),
                                personalData(DS,PData),
                                healthData(DS,HData),
                                startDate(StartTS),
                                endDate(EndTS)) :-
    consentTermOk(dataController(DC),dataSubject(DS)),
    
    % Record the agreement with the actual consent window (start and end timestamps).
    assertz(dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Subject agrees with consent term',StartTS)),

    assertz(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can collect the Data Subject information',StartTS)),
    
    assertz(dcIsStoringDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can store the Data Subject information',StartTS)),
        
    assertz(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can process the Data Subject information',StartTS)).



In [7]:
% This call returns true in case of success.
% EndDate is computed first so that the asserted facts store a concrete end timestamp.

?- EndDate is 1622035260+15811200,
   setThatdsAgreeWithConsentTerms(id(10),
                                dataSubject(paulo),
                                dataController(fiocruz),
                                personalData(paulo,976635869),
                                healthData(paulo,oPlus),
                                startDate(1622035260),
                                endDate(EndDate)).

EndDate = 1637846460 .

Now, the Data Controller can collect, store and process the Data Subject's data.

In [8]:
?- dcIsCollectingDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                        personalData(paulo,976635869),healthData(paulo,oPlus),
                        startDate(1622035260),endDate(1637846460)),
                        
dcIsProcessingDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460)),
                    
dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460)).

true.

---------

### Scene 3: Defining the Data Subject's rights.

According to the LGPD Art. 18, when the Data Subject is sharing data with a Data Controller, he/she has the following rights:
1. Data Access
2. Data Copy
3. Data Correction
4. Data Anonymization
5. Data Portability
6. Data Deletion
7. Information regarding the data sharing with a third party
8. Request consent revocation.

In [9]:
% Description: This function sets all the Data Subject's rights foreseen in the LGPD.
% This function receives the params:
%   i. Data Subject
%  ii. Data Controller
% iii. Start Date - Timestamp

setDSRights(dataSubject(DS),dataController(DC),startDate(StartTS)) :-
    assertz(dsRight(dataAccess,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataCopy,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataCorrection,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataAnonymization,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataPortability,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataDeletion,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataSharingInformation,dataSubject(DS),dataController(DC))),
    assertz(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject can now have all foressen rights',StartTS)).



In [10]:
% This call returns true if all the Data Subject's rights were associated with him/her.

?- setDSRights(dataSubject(paulo),dataController(fiocruz),startDate(1622035260)).

true.

 ---------

### Scene 4: Data Subject's consent revocation.

As mentioned in the scenario's description, the Data Subject decides to revoke his/her consent.
The Data Subject considered that the purpose limitation is not adequate. 

Once performed, the action of requesting the consent revocation cannot be executed again, and the Data Controller is forbidden from continuing to collect the Data Subject's data.

In [11]:
% Description: This function revokes the Data Controller's permission to collect and process the Data Subject's data.
% This function receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Personal Data
%    v. Health Data
%   vi. Current Date - Timestamp
%  vii. Start Date - Timestamp
% viii. End Date - Timestamp
%   ix. Request Date - Timestamp
% The storing fact is left in place: storing stays permitted until data deletion is requested.

setDSRevokeConsent(id(ID),
                    dataSubject(DS),
                    dataController(DC),
                    personalData(DS,PData),
                    healthData(DS,HData),
                    now(Date),
                    startDate(StartTS),
                    endDate(EndTS),
                    requestDate(ReqDate)) :-
                    
    % The revocation right is no longer available for this pair: log the failed attempt.
    \+ dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC)),
    assertz(log('Data Subject tried to revoke his/her consent, but fail',ReqDate));
    
    % Otherwise consume the right and withdraw the collecting and processing permissions.
    retract(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject requested to the Data Controller to revoke his/her consent',Date)),
    
    retract(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData),startDate(StartTS),endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot collect the Data Subject information',Date)),
    
    retract(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),healthData(DS,HData),startDate(StartTS),endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot process the Data Subject information',Date)).

    



In [12]:
% This call stores the Data Subject's motivation for requesting the consent revocation.
?- assertz(log('Data Subject considered that the purpose limitation is not adequate',1624712875)).

% This call returns true if the Data Subject's request was successfully performed.
% EndDate is computed first so that the facts are matched against a concrete end timestamp.
?- EndDate is 1622035260+15811200,
   setDSRevokeConsent(id(10),
                        dataSubject(paulo),
                        dataController(fiocruz),
                        personalData(paulo,976635869),
                        healthData(paulo,oPlus),
                        now(1624712875),
                        startDate(1622035260),
                        endDate(EndDate),
                        requestDate(1624712875)).
    

true.
EndDate = 1637846460 .

 ---------

### Questions to ask

Is the Data Controller Fiocruz using the Data Subject Paulo's data?

Expected: As the Data Subject requested to revoke his consent, the Data Controller is **prohibited** from continuing to use the Data Subject's data.

In [13]:
?- dcIsProcessingDSData(id(10),dataController(fiocruz),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData),startDate(1622035260),endDate(1637846460)).

false.

What are the Data Subject rights right now?

Expected: As the Data Subject requested to revoke his consent, he is **prohibited** from making such a request again, even though he has **permission** to exercise the other rights foreseen by the LGPD.

In [14]:
?- dsRight(RIGHT,dataSubject(paulo),dataController(fiocruz)).

RIGHT = processingConfirmation ;
RIGHT = dataAccess ;
RIGHT = dataCopy ;
RIGHT = dataCorrection ;
RIGHT = dataAnonymization ;
RIGHT = dataPortability ;
RIGHT = dataDeletion ;
RIGHT = dataSharingInformation .

Can all the items from Art. 9 be reported?

In [15]:
?- specificPurpose(fiocruz,paulo,research,SPECIFICPURPOSE).

SPECIFICPURPOSE = genetic_factors_related_to_COVID-19 .

In [16]:
?- timeLength(fiocruz, paulo, research, 'genetic_factors_related_to_COVID-19',TimeRange).

TimeRange = 15811200 .

Who is collecting the Data Subject's personal data, and which data?

In [17]:
?- dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData),startDate(1622035260),endDate(1637846460)).

false.

Who is storing the Data Subject's personal data, and which data?

Expected: Although the Data Subject requested to revoke his consent, he did not request data deletion, so the Data Controller is **permitted** to store his data.

In [18]:
?- dcIsStoringDSData(id(ID),dataController(DC),dataSubject(paulo),personalData(paulo,PData),healthData(paulo,HData),startDate(1622035260),endDate(1637846460)).

ID = 10, DC = fiocruz, PData = 976635869, HData = oPlus .

Show all events.

In [19]:
?- log(Event,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not adequate, Date = 1624712875 ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Date = 1624712875 ;
Event = From now, the Data Controller cannot collect the Data Subject information, Date = 1624712875 ;
Event = From now, the Data Controller cannot process the Data Subject information, Date = 1624712875 .

----

#### Cause-effect: 1 How to evidence when the Data Controller did not respect the consent revocation?

Let's picture that the Data Controller did not respect the Data Subject's request and is still collecting the Data Subject's data. In such a case, fines must be applied.

<div>
<img src="./img/Scenario2.1_Process.png" width="600"/>
</div>

In [20]:
% This command sets that the Data Controller is collecting the Data Subject's data.

dcIsCollectingDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                        personalData(paulo,976635869),healthData(paulo,oPlus),
                        startDate(1622035260),endDate(1637846460)).



So, the data controller is now collecting data without authorization, which has been **prohibited** since the data subject requested consent revocation. The following command checks the environment facts and inserts the inconsistency in the log.

In [21]:
% This command:
%   (i) verifies if the Data Controller is collecting the Data Subject's data;
%  (ii) verifies in the log if the Data Subject requested consent revocation;
% (iii) if all previous verifications are true, insert in the log that the Data Controller did not respect 
%       the Data Subject's will.

?- dcIsCollectingDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                        personalData(paulo,976635869),healthData(paulo,oPlus),
                        startDate(1622035260),endDate(1637846460)),
                        
    log('Data Subject requested to the Data Controller to revoke his/her consent',1624712875),
    
    assertz(log('Data Controller did not respect the consent revocation requested by the Data Subject, 
                and still processing. Thus, fines should be applied',1624712875)).

true.

In this sense, the program log should help the Data Subject to create evidence of his/her requests. The log will show that the consent was revoked and that the Data Controller **violated** the Data Subject's will.

In [22]:
?- log(Event,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not adequate, Date = 1624712875 ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Date = 1624712875 ;
Event = From now, the Data Controller cannot collect the Data Subject information, Date = 1624712875 ;
Event = From now, the Data Controller cannot process the Data Subject information, Date = 1624712875 ;
Event = Data Con

In [23]:
% Resetting scenario
?- retract(dcIsCollectingDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                        personalData(paulo,976635869),healthData(paulo,oPlus),
                        startDate(1622035260),endDate(1637846460))),
                        
    retract((log('Data Controller did not respect the consent revocation requested by the Data Subject, 
                and still processing. Thus, fines should be applied',1624712875))).

true.
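
The check in cell 21, generalized as an added example that is not part of the original notebook: instead of one hard-coded query, rules flag any recorded activity that happens after a revocation, falls outside the consent window, or has no consent term at all (this last case goes beyond the scenario above). The predicates `consent/4`, `revoked/3`, `activity/4`, `violation/5`, `audit/1` and `report/0` and the activity facts are constructed for this example; the consent and revocation timestamps reuse the scenario's values.

```prolog
% Added example: self-contained, does not reuse the facts asserted by the cells above.

% consent(DataController, DataSubject, StartTS, EndTS): consent window from the scenario.
consent(fiocruz, paulo, 1622035260, 1637846460).

% revoked(DataController, DataSubject, TS): consent revocation from the scenario.
revoked(fiocruz, paulo, 1624712875).

% activity(DataController, DataSubject, Kind, TS): constructed sample observations.
activity(fiocruz,  paulo, collecting, 1622100000).  % inside window, before revocation
activity(fiocruz,  paulo, storing,    1624800000).  % after revocation, storing only
activity(fiocruz,  paulo, collecting, 1624800000).  % after revocation
activity(fiocruz,  paulo, processing, 1640000000).  % after revocation and after window
activity(butantan, paulo, storing,    1623000000).  % controller without a consent term

% Revocation forbids collecting and processing. Storing stays permitted
% until the Data Subject requests deletion, as in the scenario.
forbidden_after_revocation(collecting).
forbidden_after_revocation(processing).

% violation(DC, DS, Kind, TS, Reason): one solution per (activity, reason) pair.
violation(DC, DS, Kind, TS, no_consent_term) :-
    activity(DC, DS, Kind, TS),
    \+ consent(DC, DS, _, _).
% Assumption of this example: the consent window bounds every kind of activity.
violation(DC, DS, Kind, TS, outside_consent_window(Start, End)) :-
    activity(DC, DS, Kind, TS),
    consent(DC, DS, Start, End),
    ( TS < Start ; TS > End ).
violation(DC, DS, Kind, TS, after_revocation(RevTS)) :-
    activity(DC, DS, Kind, TS),
    forbidden_after_revocation(Kind),
    revoked(DC, DS, RevTS),
    TS >= RevTS.

% audit(Findings): every violation as a TS-violation(...) pair, oldest first.
audit(Findings) :-
    findall(TS-violation(DC, DS, Kind, Reason),
            violation(DC, DS, Kind, TS, Reason),
            Unsorted),
    keysort(Unsorted, Findings).

% report: print the findings with UTC dates instead of raw timestamps
% (stamp_date_time/3 and format_time/3 are SWI-Prolog built-ins).
report :-
    audit(Findings),
    forall(member(TS-violation(DC, DS, Kind, Reason), Findings),
           ( stamp_date_time(TS, DateTime, 'UTC'),
             format_time(atom(When), '%FT%TZ', DateTime),
             format('~w  ~w ~w data of ~w: ~w~n',
                    [When, DC, Kind, DS, Reason]) )).
```

Running `?- report.` lists one line per finding; an activity that breaks two rules, such as processing after both the revocation and the end of the window, is reported once for each reason.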

----
#### Cause-effect 2: Data breach, what to do? 

The Data Controller must inform the national authority and the Data Subject when a data breach occurs that may cause risks or damage to the Data Subject.

This communication has to be made as soon as possible and should state:
- personal data category
- what data were leaked
- what were the technical and security measures used to protect data
- the risks related to the incident
- what the data controller will do to revert or mitigate the damage

Depending on the incident severity, the Data Controller will have to disclose such an event in high-impact communication media.

In this sense, let's picture that Fiocruz suffered a hacker attack, Paulo's personal data were leaked on social media, and he is receiving a few calls from different numbers. So, Fiocruz is **obligated to** report the incident to the ANPD and inform Paulo that his phone number was leaked.

Even though Paulo has revoked his consent, he has to be informed about the data breach, as his data is still in the Fiocruz database.

![Scenario2_DataBreach](./img/Scenario2_DataBreach.png "Process 2.2")

Thus, let's translate this scenario into Prolog facts.

First, once Fiocruz figures out that there is a data breach, the ANPD and the data subjects involved have to be informed about it.


In [24]:
log('Data Controller Fiocruz triggered an alert to ANPD and all data subjects affected by
    the data breach informing that all phone numbers were exposed',1624712870).



Next, Fiocruz has to explain the security measures it had adopted to prevent a data breach.

In [25]:
log('Data Controller Fiocruz informed the security measures to do not let data breach occurs',1624712871).



Then, Fiocruz fixes the vulnerability and informs the data subjects as well.

In [26]:
log('Data Controller Fiocruz informed that the vulnerability was found 
    and there is no unouthorized access anymore',1624712872).



Furthermore, Fiocruz informs the Data Subjects that there is a technical group available to help anyone who has had trouble caused by this incident.

In [27]:
log('Data Controller Fiocruz created a technical team to help any data subject 
    that have had issues with this incident',1624712873).



As the log shows, this case can end in many different ways depending on the damage caused to the data subjects involved. Here, as the data subject received just a few calls and the damage was low, he decided not to enter into a dispute to seek compensation, even though the data controller has **violated** the Data Subject's privacy.

Moreover, if any fact is omitted when informing the Data Subjects about unauthorized access, or if system security is neglected, fines should be applied to the Data Controller.

Last but not least, if the Data Controller notices a data breach, once informed, it has to act immediately. **LGPD Art. 48**

In [28]:
?- log(Event,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not adequate, Date = 1624712875 ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Date = 1624712875 ;
Event = From now, the Data Controller cannot collect the Data Subject information, Date = 1624712875 ;
Event = From now, the Data Controller cannot process the Data Subject information, Date = 1624712875 ;
Event = Data Con

In [29]:
% Resetting scenario
?- retract(log('Data Controller Fiocruz triggered an alert to ANPD and all data subjects affected by
    the data breach informing that all phone numbers were exposed',1624712870)).
    
?- retract(log('Data Controller Fiocruz informed the security measures to do not let data breach occurs',1624712871)).
                        
?- retract(log('Data Controller Fiocruz informed that the vulnerability was found 
    and there is no unouthorized access anymore',1624712872)).
    
?- retract(log('Data Controller Fiocruz created a technical team to help any data subject 
    that have had issues with this incident',1624712873)).

true.
true.
true.
true.

----
#### Cause-effect 3: How to get evidences that the Data Controller leaked the Data Subject's data? 

To create concrete evidence that a Data Controller leaked a Data Subject's data, first, it is important to verify who has such data. If just one Data Controller is legally storing such data, the chances that this Data Controller leaked the personal data are higher.

Moreover, the data controller is **obligated** to inform if personal or sensitive data is stored in the database. The data subject can request such information for each data controller.

Last but not least, the data subject should check the consent term to verify if there is any clause/condition which permits the data controller to share data with others. If the data subject disagrees with such a clause, he is **permitted** to revoke the consent term at any time.

![Scenario2.2_Process](./img/Scenario2.2_Process.png "Process 2.2")

In [29]:
% This command verifies who is storing Paulo's personal and health data.

?- dcIsStoringDSData(id(ID),dataController(DataController),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460)).

ID = 10, DataController = fiocruz .

Now, let's picture that the Data Controller Butantan has Paulo's data.

In [30]:
dcIsStoringDSData(id(null),dataController(butantan),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460)).



In [31]:
% This command:
%   (i) verifies if the Data Controller is storing the Data Subject's data;
%  (ii) verifies that there is no evidence that the Data Subject agreed with the Data Controller's consent term;
% (iii) if both verifications hold, inserts in the log that the data was improperly collected.

?- dcIsStoringDSData(id(null),dataController(butantan),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460)),

    not(dsAgreeWithConsentTerms(dataSubject(paulo),dataController(butantan),startDate(1622035260),endDate(1637846460))),

    assertz(log('Data Subject did not agree with Butantan consent term, so the data was improperly collected, 
    fines should be applied',1624712875)).

true.

Therefore, the event log will show that there is no consent agreement between Paulo and Butantan.

Hence, Butantan was **prohibited** from using such data, i.e., the data was improperly collected.
Moreover, as Fiocruz is the only Data Controller legally storing Paulo's data, Fiocruz probably **violated** the consent term, on purpose or not, and the data was leaked from Fiocruz to Butantan.
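The check above generalizes to a rule that lists every Data Controller storing a Data Subject's data without a matching consent agreement. The following is an added, standalone example (not part of the original notebook): the facts are constructed to mirror this scenario, the rule names `storedWithoutConsent/2`, `storedWithConsent/2` and `flagImproperStorage/2` are hypothetical, and `dsAgreeWithConsentTerms/4` is assumed to take its arguments in the order dataSubject, dataController, startDate, endDate.

```prolog
% Added example. Constructed facts mirroring the scenario on this page.
:- dynamic dcIsStoringDSData/7, dsAgreeWithConsentTerms/4, log/2.

dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                  personalData(paulo,976635869),healthData(paulo,oPlus),
                  startDate(1622035260),endDate(1637846460)).
dcIsStoringDSData(id(null),dataController(butantan),dataSubject(paulo),
                  personalData(paulo,976635869),healthData(paulo,oPlus),
                  startDate(1622035260),endDate(1637846460)).

% Only Fiocruz holds a consent agreement with Paulo (assumed argument order).
dsAgreeWithConsentTerms(dataSubject(paulo),dataController(fiocruz),
                        startDate(1622035260),endDate(1637846460)).

% storedWithoutConsent(+DS, -DC) (hypothetical rule):
% DC stores DS's data but no consent agreement between DS and DC exists.
% The storage goal runs first so that DC is bound before the negation;
% with DC unbound, \+ would only test whether no agreement exists at all.
storedWithoutConsent(DS, DC) :-
    dcIsStoringDSData(_,dataController(DC),dataSubject(DS),_,_,_,_),
    \+ dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC),_,_).

% storedWithConsent(+DS, -DC) (hypothetical rule):
% controllers legally holding the data, i.e. the candidate sources of a leak.
storedWithConsent(DS, DC) :-
    dcIsStoringDSData(_,dataController(DC),dataSubject(DS),_,_,_,_),
    dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC),_,_).

% flagImproperStorage(+DS, +Date) (hypothetical rule):
% records one log event per controller storing DS's data without consent.
flagImproperStorage(DS, Date) :-
    forall(storedWithoutConsent(DS, DC),
           ( format(atom(Msg),
                    'Data Controller ~w stores data of ~w without a consent agreement',
                    [DC, DS]),
             assertz(log(Msg, Date)) )).

% Example queries:
% ?- storedWithoutConsent(paulo, DC).
% ?- storedWithConsent(paulo, DC).
% ?- flagImproperStorage(paulo, 1624712875), log(Event, Date).
```

Swapping the Data Subject and Data Controller arguments inside the negated goal makes it succeed for every pair, so the argument order is worth checking whenever a negation-as-failure test is used as evidence.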

In [32]:
?- log(Event,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not adequate, Date = 1624712875 ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Date = 1624712875 ;
Event = From now, the Data Controller cannot collect the Data Subject information, Date = 1624712875 ;
Event = From now, the Data Controller cannot process the Data Subject information, Date = 1624712875 ;
Event = Data Con

In [33]:
% Resetting scenario
?- retract(log('Data Subject did not agree with Butantan consent term, so the data was improperly collected, 
    fines should be applied',1624712875)),
    
    retract(dcIsStoringDSData(id(null),dataController(butantan),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460))).

true.

----
#### Cause-effect 3: Requesting data correction

Data correction is one of the Data Subject's rights foreseen in the LGPD from the moment that the consent term is accepted.
Even if the Data Subject revokes his/her consent, the data will not be deleted; an express data deletion request is required.

So, in order to check if the data correction request was accomplished, the Data Subject should call on another right: data access.

The data controller is **obligated** to abide by the data subjects' requests, such as correction and data access.


<div>
<img src="./img/Scenario2.3_Process.png" width="600"/>
</div>

First, the Data Subject should verify if the Data Controller is storing his/her data.

In [34]:
?- dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460)).

true.

If true, the Data Subject should have the right to data access and data correction.

In [35]:
?- dsRight(dataAccess,dataSubject(paulo),dataController(fiocruz)),
    dsRight(dataCorrection,dataSubject(paulo),dataController(fiocruz)).

true.

Then, the Data Subject is able to request and verify if the data was changed.

In [36]:
log('Data Subject requested to change his blood type to A+',1624712876).



And the Data Controller executed this correction.

In [37]:
% First, the Data Controller verifies if the Data Subject has the rights required to perform such action.
% Then, it removes the incorrect data and inserts the new data.


?-  dsRight(dataCorrection,dataSubject(paulo),dataController(fiocruz)),

    retract(dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460))),

    assertz(dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,'A+'),
                    startDate(1622035260),endDate(1637846460))),
                    
    assertz(log('Data Controller changed the data as requested by the Data Subject',1624712876)).

true.

Hence, as the data controller attended to the data subject's request, it is still in **compliance** with the LGPD. The Data Subject can verify if the data was fixed.

In [38]:
% If the Data Subject has the right to access his/her data, then he/she is able to verify if his/her data was fixed.

?-  dsRight(dataAccess,dataSubject(paulo),dataController(fiocruz)),
    dcIsStoringDSData(id(10),dataController(DataController),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,BloodType),
                    startDate(1622035260),endDate(1637846460)),
    assertz(log('Data Subject confirmed that the data was fixed',1624712876)).

DataController = fiocruz, BloodType = A+ .

In [39]:
?- log(Event,Date), Date >= 1624712876 {-1}.

Event = Data Subject requested to change his blood type to A+, Date = 1624712876 ;
Event = Data Controller changed the data as requested by the Data Subject, Date = 1624712876 ;
Event = Data Subject confirmed that the data was fixed, Date = 1624712876 .

In [40]:
% Resetting scenario
?-  retract(log('Data Subject requested to change his blood type to A+',1624712876)),
    retract(log('Data Subject confirmed that the data was fixed',1624712876)),
    retract(log('Data Controller changed the data as requested by the Data Subject',1624712876)),
    retract(dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,'A+'),
                    startDate(1622035260),endDate(1637846460))),
    assertz(dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460))).

true.

----
#### Cause-effect 4: Requesting anonymization

Let's picture that the Data Subject requested the data anonymization right. Once the data is anonymized, the Data Controller will not have the resources to give any details about such data, including correction. Hence, after this request, the data controller is **not obligated** to comply with requests that should involve deidentification actions.

Here, questions regarding the anonymization algorithms could emerge, but this is not the focus of this work.
This work focuses on understanding the causes and consequences of possible scenarios.

<div>
<img src="./img/Scenario2.4_Process.png" width="600"/>
</div>

First, the Data Subject should show that the Data Controller has his data.

In [41]:
?- dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460)),
                    
    assertz(log('Data Subject requested to anonymize his data',1624712877)).

true.

Next, the Data Controller accomplishes the Data Subject's request.

In [42]:
?- dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460)), 

    retract(dcIsStoringDSData(id(10),dataController(fiocruz),dataSubject(paulo),
                    personalData(paulo,976635869),healthData(paulo,oPlus),
                    startDate(1622035260),endDate(1637846460))),

    assertz(dcIsStoringDSData(id(_),dataController(fiocruz),dataSubject(_),
                    personalData(_,_),healthData(_,'A+'),
                    startDate(1622035260),endDate(1637846460))),
                    
    assertz(log('Data Controller anonymized the Data Subjects data',1624712878)),
    assertz(log('Data Subject cannot request data: access, copy, correction,anonymization, 
            portability, deletion, and details of data sharing',1624712878)),
    
    retract(dsRight(dataAccess,dataSubject(paulo),dataController(fiocruz))),
    retract(dsRight(dataCopy,dataSubject(paulo),dataController(fiocruz))),
    retract(dsRight(dataCorrection,dataSubject(paulo),dataController(fiocruz))),
    retract(dsRight(dataAnonymization,dataSubject(paulo),dataController(fiocruz))),
    retract(dsRight(dataPortability,dataSubject(paulo),dataController(fiocruz))),
    retract(dsRight(dataDeletion,dataSubject(paulo),dataController(fiocruz))),
    retract(dsRight(dataSharingInformation,dataSubject(paulo),dataController(fiocruz))).

true.

Now, the Data Subject's blood type is not associated with any personal data that could identify that such data is from the Data Subject. Hence, the data controller is in **compliance** with LGPD.

In [43]:
?- dcIsStoringDSData(id(_),dataController(fiocruz),dataSubject(DataSubject),
                    personalData(_,_),healthData(_,'A+'),
                    startDate(1622035260),endDate(1637846460)).

DataSubject = Variable(70) .
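A modeling caveat for the anonymized record above, as an added standalone example (not part of the original notebook): a stored fact whose arguments are unbound variables unifies with any query, including one that names paulo, so a placeholder atom is a stricter way to represent removed identifiers. The predicate names `anonymizeWithVariables/0`, `anonymizeWithAtom/0`, `stillLinkedTo/1`, `resetStore/0` and the placeholder atom `anonymized` are hypothetical.

```prolog
% Added example. Constructed record mirroring the anonymized fact in the notebook.
:- dynamic dcIsStoringDSData/7.

% Variant A (as in the notebook): identifying fields become unbound variables.
anonymizeWithVariables :-
    assertz(dcIsStoringDSData(id(_),dataController(fiocruz),dataSubject(_),
                personalData(_,_),healthData(_,'A+'),
                startDate(1622035260),endDate(1637846460))).

% Variant B: identifying fields become the placeholder atom 'anonymized'
% (hypothetical choice), which unifies only with itself.
anonymizeWithAtom :-
    assertz(dcIsStoringDSData(id(anonymized),dataController(fiocruz),
                dataSubject(anonymized),
                personalData(anonymized,anonymized),
                healthData(anonymized,'A+'),
                startDate(1622035260),endDate(1637846460))).

% stillLinkedTo(+DS): true if a query that names DS matches a stored record,
% i.e. the store would still answer "yes" when asked about this person.
stillLinkedTo(DS) :-
    dcIsStoringDSData(_,dataController(fiocruz),dataSubject(DS),
                      personalData(DS,_),healthData(DS,_),_,_).

% resetStore: empty the store between the two variants.
resetStore :-
    retractall(dcIsStoringDSData(_,_,_,_,_,_,_)).

% Example queries:
% ?- resetStore, anonymizeWithVariables, stillLinkedTo(paulo).
% ?- resetStore, anonymizeWithAtom, stillLinkedTo(paulo).
```

The first query succeeds for paulo and for any other name, because unbound arguments match everything; the second fails, because `anonymized` matches no real Data Subject.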

In [44]:
?- log(Event,Date), Date >= 1624712876 {-1}.

Event = Data Subject requested to anonymize his data, Date = 1624712877 ;
Event = Data Controller anonymized the Data Subjects data, Date = 1624712878 ;
Event = Data Subject cannot request data: access, copy, correction,anonymization, portability, deletion, and details of data sharing, Date = 1624712878 .

So, the remaining right is the one that every Data Subject has: the right to ask if a Data Controller is processing his/her data.

In [45]:
?- dsRight(RIGHT,dataSubject(paulo),dataController(fiocruz)).

RIGHT = processingConfirmation .