# Exploring Simulation Scenarios to Mitigate Information Asymmetry Under the LGPD Perspective - Health Scenario

## Table of Contents
1. [Scenario Description: Public Health](#Scene-0:-Public-Health)
2. [Scene 1: Set Consent Term](#Scene-1:-Set-consent-term.)
3. [Scene 2: Data Subject Agrees with the Consent Term](#Scene-2:-Data-Subject-agrees-with-the-consent-term.)
4. [Scene 3: Defining the Data Subject's Rights](#Scene-3:-Defining-the-Data-Subject's-rights.)
5. [Scene 4: Data Subject's Consent Revocation](#Scene-4:-Data-Subject's-consent-revocation.)
6. [Performing explanation exercises regarding possible scenarios](#Performing-explanation-exercises-regarding-possible-scenarios)
    
    6.1 [Cause-Effect: Consent revocation not respected](#Cause-effect:-How-to-evidence-when-the-Data-Controller-did-not-respect-the-consent-revocation?)
    
    6.2 [Cause-Effect: Evidencing data leak](#Cause-effect:-How-to-get-evidences-that-the-Data-Controller-leaked-the-Data-Subject's-data?)
    
    6.3 [Cause-effect: Data breach, what to do?](#Cause-effect:-Data-breach,-what-to-do?)
    
    6.4 [Cause-Effect: Requesting data correction](#Cause-effect:-Requesting-data-correction)

    6.5 [Cause-Effect: Requesting data anonymization](#Cause-effect:-Requesting-anonymization)
    
    6.6 [Cause-effect: Data deletion](#Cause-effect:-Data-deletion)
    
    6.7 [Cause-effect: Technology unavailability](#Cause-effect:-Technology-unavailability)
    
    6.8 [Cause-effect: Inconsistent behavior](#Cause-effect:-Inconsistent-behavior)
    
    6.9 [Cause-effect: Data portability](#Cause-effect:-Data-portability)

### Scenario Description: Public Health

**Data Subject agrees with the Data Controller consent term, but then decided to revoke his/her consent.**

The Data Controller RioHealth wants to use John's (Data Subject) personal data and health data to research genetic factors related to COVID-19 from Wednesday, May 26, 2021 1:21:00 PM to Thursday, November 26, 2021 1:21:00 PM (180 days). Also, RioHealth will apply cryptographic algorithms and access policies to avoid data breaches and unauthorized access. The personal and sensitive data will be stored in a private cloud where RioHealth has complete control of the applied technologies. Furthermore, RioHealth is committed to sharing the data with third parties if the purpose is vaccination prioritization information.

To do so, the Data Controller must send the consent term to the Data Subject. The consent term must present all the information defined in the LGPD art. 9.

However, after accepting the consent term, the Data Subject decides to revoke his consent on Saturday, June 26, 2021 1:07:55 PM.

Agents
 - Data Subject - John
 - Data Controller and processor - RioHealth

Action
 - Defined in the consent term.
 - Risk: the data subjects should evaluate what they consider as low, medium, or high risk. For instance, they may consider the following definitions to guide their decision:
   - Low: no sensitive data are requested;
   - Medium: no sensitive data foreseen in the LGPD are requested, but some of the data may lead to discriminatory actions against the data subject;
   - High: at least one item of sensitive data foreseen in the LGPD is shared with the data controller.
 - Jurisdiction: Brazilian Law
 
Consent Term
 - As the scenario description has all the required information for a consent term, it will be considered as the consent term on this occasion.

Right
 - After the Data Subject decides to agree with the consent term, he will have all the rights foreseen in the LGPD.
 - The consent revocation should not impact the other rights.
 
Deontic Operator
 - The Data Subject has permission to call for any action related to his rights.
 - The Data Controller is obligated to abide by the Data Subject's requests, except when the law says the opposite.
 - The Data Controller is prohibited from using the personal data collected under circumstances other than the ones in the consent term.
 - Violation and compliance will be explored in the extended scenarios at the end of this notebook.


The following figure depicts this macro scenario process.

![Scenario2_Process](./img/Scenario2_Process.png "Process 2")
Fig.5 - Macro Scenario Process.

Moreover, four other cause-effect scenarios were explored in order to show some possibilities regarding the data subject's rights.

The goal is to create a scenario with Prolog to explore the facts in different time ranges and some cause-effect scenarios. This notebook tries to keep to general facts that could occur in any domain. Domain-specific facts were not explored.
 
*PS-1: The timestamp is used to provide the time spectrum. The following tool was used to convert human time to timestamp and the other way around: https://www.epochconverter.com/ - 180 days is equivalent to adding the value 15811200 to the timestamp.*

*PS-2: To make the timestamps easier to use, we considered the following associations.*
- *Wednesday, May 26, 2021 1:21:00 PM = 1622035260*
- *Friday, November 26, 2021 1:07:55 PM = 1637846460*

 ---------

### Scene 1: Set consent term.

The first step is the consent setup. The consent must have all information described in the LGPD Art. 9. The following method receives all the required information.


The **Data Subject John** allows the **Data Controller RioHealth** to access, store, and process his **phone number** and **blood factor/type** to perform **research** regarding **genetic factors related to COVID-19** using **statistical analysis** for **180 days**. However, the phone number **will not be publicly available** and will be used only in emergency situations.

RioHealth will apply **cryptographic algorithms** and **access policies** to avoid data breaches and unauthorized access. The personal and sensitive data will be **stored in a private cloud** where RioHealth has complete control of the applied technologies.

The Data Controller is allowed to **share** the Data Subject's data **only** for the **vaccination prioritization purpose**.

To make any request, please use the Data Controller communication channel by **email lgpd@riohealth.br**.


PS: When requested, the Data Controllers must in any case inform whether they are processing the personal data.


In [1]:
% Description: This predicate defines a consent term including all
%  required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Consent ID
%   ii. Data Controller
%  iii. Data Subject
%   iv. Specific Purpose
%    v. Form
%   vi. Time length of processing
%  vii. The purpose when sharing the data with third parties, when applied
% viii. Communication channel for the data subject to request any information
%   ix. Data Controller contact
%    x. Cryptography Algorithm
%   xi. Access Policies
%  xii. Storage Platform


createConsentTerm(ID,DC,DS,PData,SData,Purpose,
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact,
                CA, AP, SP) :-

                assertz(id(ID)),
                assertz(dataSubject(DS)),
                assertz(dataController(DC)),
                assertz(personalData(DS,PData)),
                assertz(sensitiveData(DS,SData)),
                assertz(purpose(DC,DS,Purpose)),
                assertz(specificPurpose(DC,DS,Purpose,SpecificPurpose)),
                assertz(form(DC,DS,Purpose,SpecificPurpose,Form)),
                assertz(timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength)),
                assertz(thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,
                                                    TimeLength,ThirdPartyPurpose)),
                assertz(channelToProvideInformation(DC,DS,Channel,DCContact)),
                assertz(criptographyAlgoritm(CA)),
                assertz(accessPolitics(AP)),
                assertz(storagePlatform(SP)).



In [2]:
% This call defines a consent term with the given parameters.

?- createConsentTerm(10,'RioHealth','John',976635869,'A+',research,
                'genetic_factors_related_to_COVID-19',
                'statistic_analysis',
                15811200,
                'vaccination_priorization',
                'e-mail',
                'lgpd@riohealth.br',
                'SHA256',
                'Authorized researchers can access the data only',
                'RioHealth private cloud').

true.

In [3]:
% This fact grants the Data Subject the right to request processing confirmation.

dsRight(processingConfirmation,dataSubject('John'),dataController('RioHealth')).
?- assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Explanation','Permission',1622035260)).

true.

 ---------

### Scene 2: Data Subject agrees with the consent term.

First, the Data Subject verifies whether all the crucial elements are described in the consent term presented by the Data Controller. If so, the program will set that the consent term is ok, i.e., it has all the required information.

In [4]:
% Description: This predicate verifies whether a consent term includes all required information described in the LGPD Art. 9
% The consent term must inform:
%    i. Consent ID
%   ii. Data Controller
%  iii. Data Subject
%   iv. Specific Purpose
%    v. Form 
%   vi. Time length of processing
%  vii. The purpose when sharing the data with third parties, when applied
% viii. Communication channel for the data subject to request any information
%   ix. Data Controller contact

checkConsentTerm(id(ID),dataController(DC),
                dataSubject(DS),
                purpose(DC,Purpose),
                SpecificPurpose,
                Form,
                TimeLength,
                ThirdPartyPurpose,
                Channel,
                DCContact,
                Date) :-
    (
        form(DC,DS,Purpose,SpecificPurpose,Form),
        timeLength(DC,DS,Purpose,SpecificPurpose,TimeLength),
        thirdyPartySharingPurpose(DC,DS,Purpose,SpecificPurpose,TimeLength,ThirdPartyPurpose),
        channelToProvideInformation(DC,DS,Channel,DCContact),
        purpose(DC,DS,Purpose),
        specificPurpose(DC,DS,Purpose,SpecificPurpose),
        assertz(consentTermStatus(id(ID),dataController(DC),dataSubject(DS),status('Valid'))),
        assertz(log('Data Subject verified the consent term and it was ok','Explanation','Obligation',Date))
    ).



In [5]:
% This call returns true if the consent term is ok, or false if not.

?- checkConsentTerm(id(10),dataController('RioHealth'),
                        dataSubject('John'),
                        purpose('RioHealth',research),
                        'genetic_factors_related_to_COVID-19',
                        'statistic_analysis',
                        15811200,
                        'vaccination_priorization',
                        'e-mail',
                        'lgpd@riohealth.br',
                        1622035260).

true.

So, if the consent term is ok, the Data Subject can inform that he/she agrees with the consent term.

Hence, the Data Controller can collect, store and process the Data Subject's data.

In [6]:
% Description: This predicate sets that the Data Subject agreed with the consent term.
% This predicate receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Request Format (Direct/Expresso or Implicit/Tacito)
%    v. Personal Data
%   vi. Sensitive Data
%  vii. Start Date - Timestamp
% viii. End Date - Timestamp

setThatdsAgreeWithConsentTerms(id(ID),dataSubject(DS),
                                dataController(DC),
                                requestFormat(RF,DS,LPC),
                                personalData(DS,PData),
                                sensitiveData(DS,SData),
                                startDate(StartTS),
                                endDate(EndTS)) :-
    consentTermStatus(id(ID),dataController(DC),dataSubject(DS),status('Valid')),
    
    assertz(origin(id(ID),dataSubject(DS),dataController(DC),requestFormat(RF,DS,LPC))),
    assertz(requestFormat(RF,DS,LPC)),
    
    assertz(dsAgreeWithConsentTerms(dataSubject(DS),dataController(DC),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Subject agrees with consent term','Communication','Compliance',StartTS)),

    assertz(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can collect the Data Subject information','Explanation','Permission',StartTS)),
    
    assertz(dcIsStoringDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can store the Data Subject information','Explanation','Permission',StartTS)),
        
    assertz(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),endDate(EndTS))),
    assertz(log('Data Controller can process the Data Subject information','Explanation','Permission',StartTS)).



In [7]:
% This call returns true in case of success.
% EndDate is computed first so that the asserted facts store a concrete end date.

?- EndDate is 1622035260+15811200,
   setThatdsAgreeWithConsentTerms(id(10),
                                dataSubject('John'),
                                dataController('RioHealth'),
                                requestFormat('Direct','John','null'),
                                personalData('John',976635869),
                                sensitiveData('John','A+'),
                                startDate(1622035260),
                                endDate(EndDate)).

EndDate = 1637846460 .

Now, the Data Controller can collect, store and process the Data Subject's data.

In [8]:
?- dcIsCollectingDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                        personalData('John',976635869),sensitiveData('John','A+'),
                        startDate(1622035260),endDate(1637846460)),
                        
dcIsProcessingDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460)),
                    
dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460)).

true.

---------

### Scene 3: Defining the Data Subject's rights.

According to the LGPD Art. 18, when the Data Subject is sharing data with a Data Controller, he/she has the following rights:
1. Data Access
2. Data Copy
3. Data Correction
4. Data Anonymization
5. Data Portability
6. Data Deletion
7. Information regarding the data sharing with a third party
8. Request consent revocation.

In [9]:
% Description: This predicate sets all the Data Subject's rights foreseen in the LGPD.
% This predicate receives the params:
%   i. Data Subject
%  ii. Data Controller
% iii. Start Date - Timestamp

setDSRights(dataSubject(DS),dataController(DC),startDate(StartTS)) :-
    assertz(dsRight(dataAccess,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataCopy,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataCorrection,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataAnonymization,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataPortability,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataDeletion,dataSubject(DS),dataController(DC))),
    assertz(dsRight(dataSharingInformation,dataSubject(DS),dataController(DC))),
    assertz(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject can now have all foressen rights','Explanation',
    'Permission',StartTS)).



In [10]:
% This call returns true if all the Data Subject's rights were associated
%  with him/her.

?- setDSRights(dataSubject('John'),dataController('RioHealth'),startDate(1622035260)).

true.

 ---------

### Scene 4: Data Subject's consent revocation.

As mentioned in the scenario's description, the Data Subject decides to revoke his/her consent.
The Data Subject considered that the purpose limitation is not adequate.

Once performed, the action of requesting the consent revocation cannot be executed again, and the Data Controller is forbidden from continuing to collect the Data Subject's data.

In [11]:
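% Description: This predicate revokes the Data Controller's permission to collect
%  and process the Data Subject's data.
% If the Data Subject no longer holds the revocation right, the attempt is only logged.
% This predicate receives the params:
%    i. Consent ID
%   ii. Data Subject
%  iii. Data Controller
%   iv. Personal Data
%    v. Sensitive Data
%   vi. Current Date - Timestamp
%  vii. Start Date - Timestamp
% viii. End Date - Timestamp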

setDSRevokeConsent(id(ID),
                    dataSubject(DS),
                    dataController(DC),
                    personalData(DS,PData),
                    sensitiveData(DS,SData),
                    now(Date),
                    startDate(StartTS),
                    endDate(EndTS)                    
                    ) :-
    
    requestFormat('Direct',DS,'null'),                
    not(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject tried to revoke his/her consent, but fail',
            'Explanation','Prohibition',Date));
    
    retract(dsRight(requestConsentRevocation,dataSubject(DS),dataController(DC))),
    assertz(log('Data Subject requested to the Data Controller to revoke his/her consent',
            'Communication','Permission',Date)),
    
    retract(dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),
            personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),
            endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot collect the Data Subject information',
            'Communication','Prohibition',Date)),
    
    retract(dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),
            personalData(DS,PData),sensitiveData(DS,SData),startDate(StartTS),
            endDate(EndTS))),
    assertz(log('From now, the Data Controller cannot process the Data Subject information',
            'Communication','Prohibition',Date)),
    
    retract(consentTermStatus(id(ID),dataController(DC),dataSubject(DS),
            status('Valid'))),
    assertz(consentTermStatus(id(ID),dataController(DC),dataSubject(DS),
            status('Invalid'))),
    assertz(log('From now, consent is not valid to be used by the data controller',
            'Explanation','Prohibition',Date)).



In [12]:
% This call stores the Data Subject's motivation for requesting the consent revocation.
?- assertz(log('Data Subject considered that the purpose limitation is not adequate','Communication','Permission',1624712875)).

% This call returns true if the Data Subject's request was successfully performed.
% EndDate is computed first so that the facts are retracted against a concrete end date.
?- EndDate is 1622035260+15811200,
   setDSRevokeConsent(id(10),
                        dataSubject('John'),
                        dataController('RioHealth'),
                        personalData('John',976635869),
                        sensitiveData('John','A+'),
                        now(1624712875),
                        startDate(1622035260),
                        endDate(EndDate)
                        ).
    

true.
EndDate = 1637846460 .

Therefore, the consent revocation request, motivated by disagreement with the purpose of data collection, impacts many LGPD relationships as depicted in Figure 6.

![RootScenarioImpact](./img/RootScenarioImpact.png "Root Scenario Impact")
Fig.6 - Consent Revocation Impact.

The red entities were impacted, directly or indirectly, when the consent was revoked. First, the data controller must stop collecting personal data immediately. Next, the data controller must update the sharing policies and access restrictions to prevent unauthorized access or new data processing. Finally, the consent status changes to "invalid", as the controller cannot use this consent anymore.

 ---------

### Performing explanation exercises regarding possible scenarios

Here, we ask questions regarding access confirmation, rights compliance, and information about the consent term. These questions exercise the data subject's and the controller's understanding of possible scenarios during the relationship between these two actors.


Is the Data Controller RioHealth using the Data Subject John's data?

Expected: As the Data Subject requested to revoke his consent, the data controller is **prohibited** from continuing to use the Data Subject's data.

In [13]:
?- dcIsProcessingDSData(id(10),dataController('RioHealth'),dataSubject('John'),
        personalData('John',PData),sensitiveData('John',SData),startDate(1622035260),
        endDate(1637846460)).

false.

Why?

In [14]:
?- log(Event,'Communication',Type, 1624712875).

Event = Data Subject considered that the purpose limitation is not adequate, Type = Permission ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Type = Permission ;
Event = From now, the Data Controller cannot collect the Data Subject information, Type = Prohibition ;
Event = From now, the Data Controller cannot process the Data Subject information, Type = Prohibition .

What are the Data Subject's rights right now?

Expected: As the Data Subject requested to revoke his consent, he is **prohibited** from creating such a request again, even though he has **permission** to request the other rights foreseen by the LGPD.

In [15]:
?- dsRight(RIGHT,dataSubject('John'),dataController('RioHealth')).

RIGHT = processingConfirmation ;
RIGHT = dataAccess ;
RIGHT = dataCopy ;
RIGHT = dataCorrection ;
RIGHT = dataAnonymization ;
RIGHT = dataPortability ;
RIGHT = dataDeletion ;
RIGHT = dataSharingInformation .

Can all items from art. 9 be informed?

In [16]:
?- specificPurpose('RioHealth','John',research,SPECIFICPURPOSE).

SPECIFICPURPOSE = genetic_factors_related_to_COVID-19 .

In [17]:
?- timeLength('RioHealth', 'John', research, 'genetic_factors_related_to_COVID-19',TimeRange).

TimeRange = 15811200 .

Who is collecting the Data Subject's personal data, and what are the respective data?

In [18]:
?- dcIsCollectingDSData(id(ID),dataController(DC),dataSubject('John'),personalData('John',PData),sensitiveData('John',SData),startDate(1622035260),endDate(1637846460)).

false.

Why?

In [19]:
?- log(Event,'Communication',Type, 1624712875).

Event = Data Subject considered that the purpose limitation is not adequate, Type = Permission ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Type = Permission ;
Event = From now, the Data Controller cannot collect the Data Subject information, Type = Prohibition ;
Event = From now, the Data Controller cannot process the Data Subject information, Type = Prohibition .

Who is storing the Data Subject's personal data, and what are the respective data?

Expected: Although the Data Subject requested to revoke his consent, he did not request data deletion, so the Data Controller is **permitted** to store his data.

In [20]:
?- dcIsStoringDSData(id(ID),dataController(DC),dataSubject('John'),personalData('John',PData),sensitiveData('John',SData),startDate(1622035260),endDate(1637846460)).

ID = 10, DC = RioHealth, PData = 976635869, SData = A+ .

Show all events.

In [21]:
?- log(Event,Type,DeonticOperator,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Type = Explanation, DeonticOperator = Obligation, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticOperator = Compliance, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not a

----

#### Cause-effect: How to evidence when the Data Controller did not respect the consent revocation?

Let's picture that the Data Controller did not respect the Data Subject's request and is still collecting the Data Subject's data. In such a scenario, fines must be applied.

<div>
<img src="./img/Scenario2.1_Process.png" width="600"/>
</div>
Fig.7 - Consent Revocation Scenario Process.

In [22]:
% This command sets that the Data Controller is collecting the Data Subject's data.

dcIsCollectingDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                        personalData('John',976635869),sensitiveData('John','A+'),
                        startDate(1622035260),endDate(1637846460)).



The data controller is now collecting data without authorization, which has been **prohibited** since the data subject requested consent revocation. The following command checks the facts in the environment and inserts a record of this rights **violation** into the log.

In [23]:
% This command:
%   (i) verifies if the Data Controller is collecting the Data Subject's data;
%  (ii) verifies if there is no consent with a valid status
% (iii) verifies in the log if the Data Subject requested consent revocation;
%  (iv) if all previous verifications are true, insert in the log that the Data Controller did not respect 
%       the Data Subject's will.

?- dcIsCollectingDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                        personalData('John',976635869),sensitiveData('John','A+'),
                        startDate(1622035260),endDate(1637846460)),
                        
    not(consentTermStatus(id(10),dataController('RioHealth'),dataSubject('John'),status('Valid'))),
    
    log('Data Subject requested to the Data Controller to revoke his/her consent','Communication','Permission',1624712875),
    
    assertz(log('Data Controller did not respect the consent revocation requested by the Data Subject, 
                and still processing. Thus, fines should be applied','Communication','Violation',1624712875)).

true.

In this sense, the program log should help the Data Subject to create evidence of his/her requests. The log will show that the consent was revoked and that the Data Controller **violated** the Data Subject's will.

In [24]:
?- log(Event,Type,DeonticConcept,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticConcept = Permission, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Type = Explanation, DeonticConcept = Obligation, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticConcept = Compliance, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticConcept = Permission, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Type = Explanation, DeonticConcept = Permission, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Type = Explanation, DeonticConcept = Permission, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Type = Explanation, DeonticConcept = Permission, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not adequate

Moreover, Figure 6 may also be used to check whether the consent revocation was properly attended to. If there is no modification in the red entities, something is not in compliance with the LGPD.
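The check in cell 23 is tied to consent id 10 and to collection only. As an added example (not part of the original notebook), the same three conditions can be written as a reusable rule that scans every collecting or processing fact; `activity/4`, `violation/4`, `recordViolations/2` and `logViolation/5` are hypothetical names, and the facts, including the second data subject Mary, are constructed so the block loads on its own in SWI-Prolog.

```prolog
% Added example, not from the original notebook. Fact shapes follow the
% notebook; activity/4, violation/4, recordViolations/2 and logViolation/5
% are hypothetical names. All facts below are constructed sample data.
:- dynamic consentTermStatus/4, dcIsCollectingDSData/7,
           dcIsProcessingDSData/7, dcIsStoringDSData/7, log/4.

% John revoked consent 10; Mary's consent 11 is still valid (control case).
consentTermStatus(id(10),dataController('RioHealth'),dataSubject('John'),status('Invalid')).
consentTermStatus(id(11),dataController('RioHealth'),dataSubject('Mary'),status('Valid')).

% Storage stays permitted after revocation until deletion is requested.
dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                  personalData('John',976635869),sensitiveData('John','A+'),
                  startDate(1622035260),endDate(1637846460)).

% Collection facts: John's reappeared after revocation, Mary's is covered.
dcIsCollectingDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                     personalData('John',976635869),sensitiveData('John','A+'),
                     startDate(1622035260),endDate(1637846460)).
dcIsCollectingDSData(id(11),dataController('RioHealth'),dataSubject('Mary'),
                     personalData('Mary',900000000),sensitiveData('Mary','O-'),
                     startDate(1622035260),endDate(1637846460)).

% log/4 carries no subject or consent id, so this entry is evidence only in
% combination with the consent status checked below.
log('Data Subject requested to the Data Controller to revoke his/her consent',
    'Communication','Permission',1624712875).

% activity(?Kind, ?ID, ?DC, ?DS): an activity that needs a valid consent term.
% Storing is deliberately left out.
activity(collecting, ID, DC, DS) :-
    dcIsCollectingDSData(id(ID),dataController(DC),dataSubject(DS),_,_,_,_).
activity(processing, ID, DC, DS) :-
    dcIsProcessingDSData(id(ID),dataController(DC),dataSubject(DS),_,_,_,_).

% violation(?Kind, ?ID, ?DC, ?DS): the activity exists, the consent term is
% not valid, and the revocation request is present in the log.
violation(Kind, ID, DC, DS) :-
    activity(Kind, ID, DC, DS),
    \+ consentTermStatus(id(ID),dataController(DC),dataSubject(DS),status('Valid')),
    log('Data Subject requested to the Data Controller to revoke his/her consent',
        'Communication','Permission',_).

% recordViolations(+Now, -Count): write one log entry per distinct violation
% and return how many violations were found.
recordViolations(Now, Count) :-
    findall(v(Kind,ID,DC,DS), violation(Kind,ID,DC,DS), Found),
    sort(Found, Unique),
    forall(member(v(Kind,ID,DC,DS), Unique),
           logViolation(Kind, ID, DC, DS, Now)),
    length(Unique, Count).

% logViolation/5 is idempotent: running the audit twice does not duplicate
% the evidence entry.
logViolation(Kind, ID, DC, DS, Now) :-
    format(atom(Event),
           'Data Controller ~w is still ~w data of ~w after revocation of consent ~w',
           [DC, Kind, DS, ID]),
    (   log(Event,'Communication','Violation',_)
    ->  true
    ;   assertz(log(Event,'Communication','Violation',Now))
    ).

% Sample queries:
% ?- violation(Kind, ID, DC, DS).
% ?- recordViolations(1624712875, Count), log(Event,'Communication','Violation',Date).
```

With the constructed facts, only John's collection fact is reported: Mary's collection is covered by a valid consent term, and John's storage fact is not an audited activity.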

In [25]:
% Resetting scenario
?- retract(dcIsCollectingDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                        personalData('John',976635869),sensitiveData('John','A+'),
                        startDate(1622035260),endDate(1637846460))),
                        
    retract((log('Data Controller did not respect the consent revocation requested by the Data Subject, 
                and still processing. Thus, fines should be applied','Communication','Violation',1624712875))).

true.

----
#### Cause-effect: Data breach, what to do? 

The Data Controller must inform the national authority and the Data Subject when a data breach occurs that may cause risks or damage to the Data Subject.

Such communication has to be done as soon as possible and should inform:
- personal data category
- what data were leaked
- what were the technical and security measures used to protect data
- the risks related to the incident
- what the data controller will do to revert or mitigate the damage

Depending on the incident severity, the Data Controller will have to disclose such an event in high-impact communication media.

In this sense, let's picture that the Data Controller suffered a hacker attack, the Data Subject's personal data were leaked on social media, and he is receiving a few calls from different numbers. So, the Data Controller is **obligated to** inform ANPD of the incident and inform the Data Subject that his phone number was leaked.

Even though the Data Subject has revoked his consent, he has to be informed about the data breach, as his data are still in the Data Controller's database.

![Scenario2_DataBreach](./img/Scenario2_DataBreach.png "Process 2.2")
Fig.8 - Data Breach Scenario Process.

Thus, let's translate this scenario into Prolog facts.

First, once RioHealth finds out that there is a data breach, the ANPD and the data subjects involved have to be informed about it.

In [26]:
log('Data Controller RioHealth triggered an alert to ANPD and to all data subjects affected by
    the data breach informing that all phone numbers were exposed','Communication','Obligation',1624712870).



Next, RioHealth has to explain that it had adopted security measures to avoid a data breach.

In [27]:
log('Data Controller RioHealth informed the security measures to do not let data breach occurs',
    'Communication','Obligation',1624712871).



Then, RioHealth fixes the vulnerability and informs the data subjects as well.

In [28]:
log('Data Controller RioHealth informed that the vulnerability was found 
    and there is no unauthorized access anymore','Communication','Compliance',1624712872).



Furthermore, RioHealth informs the Data Subjects that there is a technical group available to help anyone who has had trouble caused by this incident.

In [29]:
log('Data Controller RioHealth created a technical team to help any data subject 
    that have had issues with this incident','Communication','Obligation',1624712873).



As the log shows, this case can end in many different ways depending on the damage caused to the data subjects involved. Here, as the data subject received just a few calls and there was little damage, he decided not to enter into a dispute to obtain compensation, even though the data controller has **violated** the Data Subject's privacy.

Moreover, if the Data Controller omits any fact when informing the Data Subjects about unauthorized access, or neglects system security, fines should be applied to the Data Controller.

Last but not least, once the Data Controller notices or is informed of a data breach, it has to act immediately (**LGPD Art. 48**).
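The log entries in cells 26 to 29 record that a communication took place, not what it contained. As an added example (not part of the original notebook), the five items listed at the start of this section can be checked for each required recipient; every predicate name in the block (`breachNotice/4`, `requiredItem/1`, `affected/1`, `requiredRecipient/1`, `missingItems/2`, `gap/3`, `breachNoticeCompliant/1`) is hypothetical and both notices are constructed.

```prolog
% Added example, not from the original notebook. All predicate names in this
% block are hypothetical and the notices are constructed for the scenario.
:- dynamic breachNotice/4.

% The five items the communication should inform (list in this section).
requiredItem(personalDataCategory).
requiredItem(leakedData).
requiredItem(securityMeasures).
requiredItem(risks).
requiredItem(mitigation).

% Who has to be told: the national authority and every affected data subject.
% A data subject who revoked consent is still affected while data are stored.
affected(dataSubject('John')).
requiredRecipient(anpd).
requiredRecipient(DS) :- affected(DS).

% breachNotice(Controller, Recipient, Timestamp, Items)
% Items is a list of Item-Value pairs.
breachNotice('RioHealth', anpd, 1624712870,
             [ personalDataCategory-personalData,
               leakedData-phoneNumber,
               securityMeasures-['SHA256',
                                 'Authorized researchers can access the data only',
                                 'RioHealth private cloud'],
               risks-'calls from unknown numbers',
               mitigation-'vulnerability fixed, technical team available' ]).
% Constructed incomplete notice: the data subject is told what leaked, but not
% which safeguards were in place or what will be done about it.
breachNotice('RioHealth', dataSubject('John'), 1624712870,
             [ personalDataCategory-personalData,
               leakedData-phoneNumber,
               risks-'calls from unknown numbers' ]).

% missingItems(+Items, -Missing): required items with no entry in the notice.
missingItems(Items, Missing) :-
    findall(Item,
            ( requiredItem(Item), \+ memberchk(Item-_, Items) ),
            Missing).

% gap(+Controller, ?Recipient, ?Problem): one solution per compliance gap.
% A recipient with no notice at all is a gap of its own kind.
gap(DC, Recipient, notNotified) :-
    requiredRecipient(Recipient),
    \+ breachNotice(DC, Recipient, _, _).
gap(DC, Recipient, missing(Missing)) :-
    requiredRecipient(Recipient),
    breachNotice(DC, Recipient, _, Items),
    missingItems(Items, Missing),
    Missing \== [].

% breachNoticeCompliant(+Controller): every required recipient received a
% notice containing all five items.
breachNoticeCompliant(DC) :-
    \+ gap(DC, _, _).

% Sample queries:
% ?- gap('RioHealth', Recipient, Problem).
% ?- breachNoticeCompliant('RioHealth').
```

With the constructed notices, the ANPD notice is complete while the notice to John lacks `securityMeasures` and `mitigation`, so `breachNoticeCompliant('RioHealth')` fails.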

In [30]:
?- log(Event,Type,DeonticOperator,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Type = Explanation, DeonticOperator = Obligation, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticOperator = Compliance, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not a

Therefore, the data breach impacts many LGPD relationships as depicted in Figure 9.


![DataBreachImpact](./img/DataBreachImpact.png "Data Breach Impact")
Fig.9 - Data Breach Impact.

First, as mentioned before, a data breach event must be reported to all impacted agents. This message must contain the security methods and the storage technologies applied to avoid a data breach. However, this is an event that could trigger other impacts. For instance, after a data breach, the data subject could open a dispute resolution claiming discrimination, loss, and unauthorized use of his/her data.

Furthermore, the Data Subject might request changes in the consent term, impacting the sharing policies and access restrictions. Also, the Data Subject might request consent revocation or data deletion, which affects data collection, processing, and storage.

In [31]:
% Resetting scenario
?- retract(log('Data Controller RioHealth triggered an alert to ANPD and to all data subjects affected by
    the data breach informing that all phone numbers were exposed','Communication','Obligation',1624712870)).
    
?- retract(log('Data Controller RioHealth informed the security measures to do not let data breach 
    occurs','Communication','Obligation',1624712871)).
                        
?- retract(log('Data Controller RioHealth informed that the vulnerability was found 
    and there is no unauthorized access anymore','Communication','Compliance',1624712872)).
    
?- retract(log('Data Controller RioHealth created a technical team to help any data subject 
    that have had issues with this incident','Communication','Obligation',1624712873)).

true.
true.
true.
true.

----
#### Cause-effect: How to get evidences that the Data Controller leaked the Data Subject's data? 

To create concrete evidence that a Data Controller leaked a Data Subject's data, it is first important to verify who has such data. If just one Data Controller is legally storing such data, the chance that this Data Controller leaked the personal data is higher.

Moreover, the data controller is **obligated** to inform whether personal or sensitive data is stored in the database. The data subject can request such information from each data controller.

Last but not least, the data subject should check the consent term to verify whether any clause or condition permits the data controller to share data with others. If the data subject disagrees with such a clause, he is **permitted** to revoke the consent term at any time.

![Scenario2.2_Process](./img/Scenario2.2_Process.png "Process 2.2")
Fig.10 - Data Leak Process.

In [32]:
% This command verifies who is storing John's personal and health data.

?- dcIsStoringDSData(id(ID),dataController(DataController),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460)).

ID = 10, DataController = RioHealth .

Now, let's picture that the Data Controller WellBeingInstitution has John's data.

In [33]:
dcIsStoringDSData(id(null),dataController(wellbeinginstitution),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460)).



In [34]:
% These commands:
%   (i) verify whether the Data Controller is storing the Data Subject's data;
%  (ii) verify whether there is any evidence that the Data Subject allowed the Data Controller to process his/her data;
% (iii) record in the log that the Data Controller was not allowed to collect the Data Subject's data,
%       which applies when (i) holds and (ii) finds no agreement.

%(i)
?- dcIsStoringDSData(id(null),dataController(wellbeinginstitution),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460)).

%(ii)
?- dsAgreeWithConsentTerms(dataSubject('John'),dataController(wellbeinginstitution),startDate(1622035260),endDate(1637846460)).
   
%(ii)
?- consentTermStatus(id(10),dataController('RioHealth'),dataSubject('John'),status('Valid')).

%(iii)
?- assertz(log('Data Subject did not agree with WellBeingInstitution consent term, so the data was improperly collected, 
    fines should be applied','Explanation','Violation',1624712875)).

false.
false.
false.
true.

Therefore, the event log will show that there is no consent agreement between John and WellBeingInstitution.

Hence, WellBeingInstitution was **prohibited** from using such data, i.e., the data was improperly collected.
Moreover, as RioHealth is the only Data Controller storing John's data, RioHealth probably **violated** the consent term, on purpose or not, and the data was leaked from RioHealth to WellBeingInstitution.

Moreover, this scenario presents the same possible impacts depicted in Figure 9 of the previous plot.

In [35]:
?- log(Event,Type,DeonticOperator,Date) {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject verified the consent term and it was ok, Type = Explanation, DeonticOperator = Obligation, Date = 1622035260 ;
Event = Data Subject agrees with consent term, Type = Communication, DeonticOperator = Compliance, Date = 1622035260 ;
Event = Data Controller can collect the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can store the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Controller can process the Data Subject information, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject can now have all foressen rights, Type = Explanation, DeonticOperator = Permission, Date = 1622035260 ;
Event = Data Subject considered that the purpose limitation is not a

In [36]:
% Resetting scenario
?- retract(log('Data Subject did not agree with WellBeingInstitution consent term, so the data was improperly collected, 
    fines should be applied','Explanation','Violation',1624712875)),
    
    retract(dcIsStoringDSData(id(null),dataController(wellbeinginstitution),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460))).

false.

----
#### Cause-effect: Requesting data correction

Data correction is one of the Data Subject's rights foreseen in the LGPD from the moment the consent term is accepted.
Even if the Data Subject revokes his/her consent, the data will not be deleted; an express data deletion request is required.

So, in order to check whether the data correction request was fulfilled, the Data Subject should exercise another right: data access.

The data controller is **obligated** to abide by the data subject's requests for both correction and data access.
Also, the controller is **obligated** to inform all processors regarding the correction.


<div>
<img src="./img/Scenario2.3_Process.png" width="600"/>
</div>
Fig.11 - Data Correction Process.

First, the Data Subject should verify if the Data Controller is storing his/her data.

In [37]:
?- dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460)).

true.

If true, the Data Subject should have the right to data access and data correction.

In [38]:
?- dsRight(dataAccess,dataSubject('John'),dataController('RioHealth')),
    dsRight(dataCorrection,dataSubject('John'),dataController('RioHealth')).

true.

Then, the Data Subject is able to request and verify if the data was changed.

In [39]:
log('Data Subject requested to change his blood type to A+','Communication','Permission',1624712876).



And the Data Controller executed this correction.

In [40]:
% First, the Data Controller verifies whether the Data Subject has the rights required to perform such an action.
% Then, it removes the incorrect data and inserts the new data.


?-  dsRight(dataCorrection,dataSubject('John'),dataController('RioHealth')),

    retract(dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460))),

    assertz(dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460))),
    
    assertz(log('Data Controller has to execute the Data Subject s requerst','Explanation','Obligation',1624712876)),
        
    assertz(log('Data Controller changed the data as requested by the Data Subject','Communication','Compliance',1624712880)),
    
    assertz(log('Data Controller notified all processors regarding the data corretion','Communication','Compliance',1624712880)).

true.

Hence, as the data controller attended to the data subject's request, it is still in **compliance** with the LGPD. The Data Subject can verify whether the data was fixed.

In [41]:
% If the Data Subject has the right to access his/her data, then he/she is able to verify if his/her data was fixed.

?-  dsRight(dataAccess,dataSubject('John'),dataController('RioHealth')),
    dcIsStoringDSData(id(10),dataController(DataController),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John',BloodType),
                    startDate(1622035260),endDate(1637846460)),
    assertz(log('Data Subject confirmed that the data was fixed','Explanation','Permission',1624712886)).

DataController = RioHealth, BloodType = A+ .

In [42]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1624712876 {-1}.

Event = Data Subject requested to change his blood type to A+, Type = Communication, DeonticOperator = Permission, Date = 1624712876 ;
Event = Data Controller has to execute the Data Subject s requerst, Type = Explanation, DeonticOperator = Obligation, Date = 1624712876 ;
Event = Data Controller changed the data as requested by the Data Subject, Type = Communication, DeonticOperator = Compliance, Date = 1624712880 ;
Event = Data Controller notified all processors regarding the data corretion, Type = Communication, DeonticOperator = Compliance, Date = 1624712880 ;
Event = Data Subject confirmed that the data was fixed, Type = Explanation, DeonticOperator = Permission, Date = 1624712886 .

Therefore, the data correction impacts many LGPD relationships as depicted in Figure 12.

![DataCorrectionImpact](./img/DataCorrectionImpact.png "Data Correction Impact")
Fig.12 - Data Correction Impact.

The data correction impacts data processing and data storage, as the personal or sensitive data were changed. Therefore, Data Controllers and Processors should also verify that the copy requested by the Data Subject contains the updated personal and sensitive data.

In [43]:
% Resetting scenario
?-  retract(log('Data Subject requested to change his blood type to A+','Communication','Permission',1624712876)),
    retract(log('Data Controller has to execute the Data Subject s requerst','Explanation','Obligation',1624712876)),
    retract(log('Data Controller changed the data as requested by the Data Subject','Communication','Compliance',1624712880)),
    retract(log('Data Subject confirmed that the data was fixed','Explanation','Permission',1624712886)),
    retract(log('Data Controller notified all processors regarding the data corretion','Communication','Compliance',1624712880)),
    retract(dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460))),
    assertz(dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460))).

true.

----
#### Cause-effect: Requesting anonymization

Let's picture that the Data Subject exercised the right to data anonymization. Once the data is anonymized, the Data Controller will not have the resources to give any details about such data, including correction. Hence, after this request, the data controller is **not obligated** to comply with requests that would involve re-identification.

Also, the controller is **obligated** to inform all processors regarding the anonymization.

Here, questions regarding the anonymization algorithms could emerge, but this is not the focus of this work.
This work focuses on understanding the causes and consequences of possible scenarios.


<div>
<img src="./img/Scenario2.4_Process.png" width="600"/>
</div>
Fig.13 - Data Anonymization Process.

First, the Data Subject should show that the Data Controller has his data.

In [44]:
?- dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460)),
                    
    assertz(log('Data Subject requested to anonymize his data','Communication','Permission',1624712877)).

true.

Next, the Data Controller fulfills the Data Subject's request.

In [45]:
?- dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460)), 

    retract(dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460))),

    assertz(dcIsStoringDSData(id(_),dataController('RioHealth'),dataSubject(_),
                    personalData(_,_),sensitiveData(_,'A+'),
                    startDate(1622035260),endDate(1637846460))),

    assertz(log('Data Controller has to execute the Data Subject s request','Delete-Anonymise','Compliance',1624712878)),
    assertz(log('Data Controller has to notify all processors regarding the anonymization request','Delete-Anonymise','Compliance',1624712878)),
    assertz(log('Data Controller anonymized the Data Subjects data','Delete-Anonymise','Compliance',1624712878)),
    assertz(log('Data Subject cannot request data: access, copy, correction,anonymization, 
            portability, deletion, and details of data sharing','Communication','Prohibition',1624712878)),
    
    retract(dsRight(dataAccess,dataSubject('John'),dataController('RioHealth'))),
    retract(dsRight(dataCopy,dataSubject('John'),dataController('RioHealth'))),
    retract(dsRight(dataCorrection,dataSubject('John'),dataController('RioHealth'))),
    retract(dsRight(dataAnonymization,dataSubject('John'),dataController('RioHealth'))),
    retract(dsRight(dataPortability,dataSubject('John'),dataController('RioHealth'))),
    retract(dsRight(dataDeletion,dataSubject('John'),dataController('RioHealth'))),
    retract(dsRight(dataSharingInformation,dataSubject('John'),dataController('RioHealth'))).

true.

Now, the Data Subject's blood type is not associated with any personal data that could identify it as belonging to the Data Subject. Hence, the data controller is in **compliance** with LGPD.

In [46]:
?- dcIsStoringDSData(id(_),dataController('RioHealth'),dataSubject(DataSubject),
                    personalData(_,_),sensitiveData(_,'A+'),
                    startDate(1622035260),endDate(1637846460)).

DataSubject = Variable(70) .

In [47]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1624712876 {-1}.

Event = Data Subject requested to anonymize his data, Type = Communication, DeonticOperator = Permission, Date = 1624712877 ;
Event = Data Controller has to execute the Data Subject s request, Type = Delete-Anonymise, DeonticOperator = Compliance, Date = 1624712878 ;
Event = Data Controller has to notify all processors regarding the anonymization request, Type = Delete-Anonymise, DeonticOperator = Compliance, Date = 1624712878 ;
Event = Data Controller anonymized the Data Subjects data, Type = Delete-Anonymise, DeonticOperator = Compliance, Date = 1624712878 ;
Event = Data Subject cannot request data: access, copy, correction,anonymization, portability, deletion, and details of data sharing, Type = Communication, DeonticOperator = Prohibition, Date = 1624712878 .

So, the remaining right is the one that every Data Subject has: the right to ask if a Data Controller is processing his/her data.

In [48]:
?- dsRight(RIGHT,dataSubject('John'),dataController('RioHealth')).

RIGHT = processingConfirmation .

Therefore, the data anonymization impacts many LGPD relationships, as depicted in Figure 14.

![DataAnonymizationImpact](./img/DataAnonymizationImpact.png "Data Anonymization Impact")
Fig.14 - Data Anonymization Impact.

Data anonymization impacts almost all of the Data Subject's rights. The anonymization process may make the personal data no longer identifiable. Hence, the anonymized data is out of the LGPD's scope. In this sense, requests related to data access, deletion, correction, portability, or copy may not be answered by the Data Controller, as the Controller might not be able to identify the Data Subject anymore.
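A check on the anonymized record, as an added example that is not part of the original notebook: a clause asserted with unbound variables unifies with any query, so the query that names John still succeeds against it, while a ground placeholder does not. The helper predicates and the `anonymized` atom are assumptions of this example, and SWI-Prolog is assumed.

```prolog
% Added example, not the notebook's own code. john_record/1, anonymized_unbound/1,
% anonymized_ground/1 and still_answers_for_john/1 are hypothetical helpers.
:- dynamic dcIsStoringDSData/7.

% The identified query the Data Subject ran before anonymization (values from the notebook).
john_record(dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                personalData('John',976635869),sensitiveData('John','A+'),
                startDate(1622035260),endDate(1637846460))).

% Anonymized form with the identifying fields left as unbound variables.
anonymized_unbound(dcIsStoringDSData(id(_),dataController('RioHealth'),dataSubject(_),
                personalData(_,_),sensitiveData(_,'A+'),
                startDate(1622035260),endDate(1637846460))).

% Alternative form (assumption of this example): the ground atom `anonymized`
% replaces every identifying field, so the clause cannot unify with 'John'.
anonymized_ground(dcIsStoringDSData(id(anonymized),dataController('RioHealth'),
                dataSubject(anonymized),
                personalData(anonymized,anonymized),sensitiveData(anonymized,'A+'),
                startDate(1622035260),endDate(1637846460))).

% still_answers_for_john(+Stored): succeeds when a store that holds only Stored
% still answers the identified query for John. The store is emptied before and
% after the check, so run it on a scratch database only.
still_answers_for_john(Stored) :-
    john_record(Query),
    retractall(dcIsStoringDSData(_,_,_,_,_,_,_)),
    assertz(Stored),
    (   call(Query)
    ->  Result = true
    ;   Result = false
    ),
    retractall(dcIsStoringDSData(_,_,_,_,_,_,_)),
    Result == true.

% Queries to compare the two representations:
% ?- anonymized_unbound(R), still_answers_for_john(R).
% ?- anonymized_ground(R),  still_answers_for_john(R).
```

The first query succeeds and the second fails, which is the property a controller would want to verify before treating a record as anonymized.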

In [49]:
% Resetting scenario
?-  retract(dcIsStoringDSData(id(_),dataController('RioHealth'),dataSubject(_),
                    personalData(_,_),sensitiveData(_,'A+'),
                    startDate(1622035260),endDate(1637846460))),
    retract(log('Data Subject requested to anonymize his data','Communication','Permission',1624712877)),
    retract(log('Data Controller has to execute the Data Subject s request','Delete-Anonymise','Compliance',1624712878)),
    retract(log('Data Controller has to notify all processors regarding the anonymization request','Delete-Anonymise','Compliance',1624712878)),
    retract(log('Data Controller anonymized the Data Subjects data','Delete-Anonymise','Compliance',1624712878)),
    retract(log('Data Subject cannot request data: access, copy, correction,anonymization, 
            portability, deletion, and details of data sharing','Communication','Prohibition',1624712878)),
    assertz(dsRight(dataAccess,dataSubject('John'),dataController('RioHealth'))),
    assertz(dsRight(dataCopy,dataSubject('John'),dataController('RioHealth'))),
    assertz(dsRight(dataCorrection,dataSubject('John'),dataController('RioHealth'))),
    assertz(dsRight(dataAnonymization,dataSubject('John'),dataController('RioHealth'))),
    assertz(dsRight(dataPortability,dataSubject('John'),dataController('RioHealth'))),
    assertz(dsRight(dataDeletion,dataSubject('John'),dataController('RioHealth'))),
    assertz(dsRight(dataSharingInformation,dataSubject('John'),dataController('RioHealth'))).

true.

In [50]:
?-  assertz(dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460))).

true.

In [51]:
?- dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460)).

true.

----
#### Cause-effect: Data deletion

As mentioned before, there is more than one definition for data deletion. In the aforementioned case, we anonymized the data, which can be considered data deletion. Now, let's picture that the Data Subject John wants his data destroyed in the RioHealth database.

However, the LGPD foresees some situations in which the Data Controller can retain the personal data even after an explicit deletion request from the Data Subject.

The following purposes, described in LGPD art. 16, legitimize the retention, i.e., **allow** the Data Controller to keep the personal data stored in the database:
 - I - compliance with a legal or regulatory obligation by the controller;
 - II - study by a research institution, ensuring, whenever possible, the anonymization of personal data;
 - III - transfer to a third party, provided that the data processing requirements set out in this Law are respected; or
 - IV - exclusive use of the controller, with access by a third party prohibited, and anonymization required as well.

<div>
<img src="./img/Scenario2_DataDeletion.png" width="600"/>
</div>
Fig.15 - Data Deletion Process.

As RioHealth's purpose is research, RioHealth can reject the Data Subject's request.

In [52]:
?- purpose('RioHealth','John',Purpose).

Purpose = research .

In order to specify the rule that defines if the Data Controller has the right to keep the Data Subject's data, we developed the following function.

In [53]:
% Description: This function verifies whether the Data Controller's purpose makes it eligible to hold the Data Subject's data.
% This function receives the params:
%  i. Data Subject
% ii. Data Controller

verifyIfDCCanHoldDSData(dataController(DC),dataSubject(DS)) :-
    purpose(DC,DS,legalObligation), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    purpose(DC,DS,research), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    purpose(DC,DS,transferToThirdParty), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    purpose(DC,DS,exclusiveDCUse), assertz(dcCanHoldData(dataController(DC),dataSubject(DS)));
    assertz(dcCanHoldData('','')).



So, let's run the above function to verify whether a new fact is generated stating that the Data Controller can hold the Data Subject's data.

In [54]:
?- verifyIfDCCanHoldDSData(dataController('RioHealth'),dataSubject('John')).

 ;
 .

Then, let's verify if such a fact was generated.

In [55]:
?- dcCanHoldData(dataController('RioHealth'),dataSubject('John')).

true.

In this sense, let's simulate the request for data deletion from the Data Subject John to the Data Controller RioHealth.

In [56]:
log('Data Subject requested to delete his data','Communication','Permission',1624712877).



In [57]:
log('Data Controller received the data deletion request and will evaluate the solicitation','Communication','Compliance',1624712878).



In [58]:
?- dcCanHoldData(dataController('RioHealth'),dataSubject('John')),
    
    assertz(log('Data Controller can hold the data because its purpose allows it.','Explanation','Permission',1624712879)),

    assertz(log('Data Controller decided to keep the data on the database.','Communication','Compliance',1624712880)).

true.

In [59]:
% Description: This function logs the obligation to delete the Data Subject's data when the Data Controller is not allowed to hold it.
% This function receives the params:
%    i. Data Subject
%   ii. Data Controller
%  iii. Date Time


requestToDeleteDSData(dataSubject(DS),dataController(DC),date(DT)) :- 
 not(dcCanHoldData(dataController(DC),dataSubject(DS))),
 assertz(log('Data Controller has to delete the data.','Communication','Obligation',DT)).



In [60]:
?- requestToDeleteDSData(dataSubject('John'),dataController('RioHealth'),date(1624712881)).

false.

Why 1: This method returned false because the Data Controller can keep the Data Subject's data, as presented below.

In [61]:
?-  dcCanHoldData(dataController('RioHealth'),dataSubject('John')).

true.

Why 2: The Data Controller can keep personal data because it will be used for research purposes.

In [62]:
?- purpose(DC,'John',Purpose).

DC = RioHealth, Purpose = research .

It means that the purpose presented by the Data Controller is valid and **permits** RioHealth to hold the Data Subject's data. However, it is important to note that LGPD recommends anonymizing data in these cases.

In [63]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1624712876 {-1}.

Event = Data Subject requested to delete his data, Type = Communication, DeonticOperator = Permission, Date = 1624712877 ;
Event = Data Controller received the data deletion request and will evaluate the solicitation, Type = Communication, DeonticOperator = Compliance, Date = 1624712878 ;
Event = Data Controller can hold the data because its purpose allows it., Type = Explanation, DeonticOperator = Permission, Date = 1624712879 ;
Event = Data Controller decided to keep the data on the database., Type = Communication, DeonticOperator = Compliance, Date = 1624712880 .

Therefore, as depicted in Figure 16, the request for data deletion may have different impacts depending on the purpose limitation. For example, the data storage may have to anonymize the data. Moreover, if the data was deleted or anonymized, the Data Controller can no longer fulfill requests related to data correction, portability, and copy.

![DataDeletionImpact](./img/DataDeletionImpact.png "Data Deletion Impact")
Fig.16 - Data Deletion Impact.

In [64]:
% Resetting scenario
?-  retract(dcCanHoldData(dataController('RioHealth'),dataSubject('John'))),
    retract(log('Data Subject requested to delete his data','Communication','Permission',1624712877)),
    retract(log('Data Controller received the data deletion request and will evaluate the solicitation',
        'Communication','Compliance',1624712878)),
    retract(log('Data Controller can hold the data because its purpose allows it.','Explanation','Permission',1624712879)),
    retract(log('Data Controller decided to keep the data on the database.','Communication','Compliance',1624712880)).

true.

----
#### Cause-effect: Technology unavailability

Companies are vulnerable to technical faults, unavailability, or security breaches. In this sense, Data Subjects might or might not be impacted by technology troubles. In some cases, the technology unavailability may not impact Data Subjects, but only the companies' internal processes.

In this scenario, we will simulate an event of technology unavailability, i.e., let's picture that the RioHealth cloud server, which hosts the personal data storage, is offline. Internally, RioHealth suffered a high impact from this unavailability; all systems that depend on this database are offline, i.e., the internal data governance is compromised.

Figure 17 depicts the impact of system unavailability.

![DataUnavailabilityImpact](./img/DataUnavailabilityImpact.png "Data Unavailability Impact")
Fig.17 - Data Unavailability Impact.

Besides governance, data unavailability may directly impact the users' rights. For example, without the system, the Data Controller and Processor cannot delete data or execute data corrections. Moreover, if a Data Subject requests portability or anonymization, the Data Controller will not be able to attend to such requests as fast as expected; a considerable delay is expected instead. Furthermore, depending on the delay, fines can be applied, but they should be evaluated case by case.

----
#### Cause-effect: Inconsistent behavior

Forecasting human behavior can be a big challenge; strange behavior can originate from different sources, such as a bad interface, system instability or error, or a malicious person. In this sense, let's picture a person who agrees to and revokes consent repeatedly within a short time span.

In [65]:
?- createConsentTerm(12,'RioHealth','Brian',9000000,'AB+',research,
                'genetic_factors_related_to_COVID-19',
                'statistic_analysis',
                15811200,
                'vaccination_priorization',
                'e-mail',
                'lgpd@riohealth.br',
                'SHA256',
                'Authorized researchers can access the data only',
                'RioHealth private cloud'),
                
    assertz(dsRight(processingConfirmation,dataSubject('Brian'),dataController('RioHealth'))),
    assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Explanation','Permission',1624712890)),

    checkConsentTerm(id(12),dataController('RioHealth'),
                        dataSubject('Brian'),
                        purpose('RioHealth',research),
                        'genetic_factors_related_to_COVID-19',
                        'statistic_analysis',
                        15811200,
                        'vaccination_priorization',
                        'e-mail',
                        'lgpd@riohealth.br',
                        1624712890),
                        
    setThatdsAgreeWithConsentTerms(id(12),
                                dataSubject('Brian'),
                                dataController('RioHealth'),
                                requestFormat('Direct','Brian','null'),                                
                                personalData('Brian',9000000),
                                sensitiveData('Brian','AB+'),
                                startDate(1622035290),
                                endDate(EndDate)), EndDate is 1624712890+15811200,
                        
    setDSRights(dataSubject('Brian'),dataController('RioHealth'),startDate(1624712890)).

EndDate = 1640524090 .

In [66]:
?- setDSRevokeConsent(id(12),
                        dataSubject('Brian'),
                        dataController('RioHealth'),
                        personalData('Brian',9000000),
                        sensitiveData('Brian','AB+'),
                        now(1624712892),
                        startDate(1622035290),
                        endDate(EndDate)), 
                        EndDate is 1624712890+15811200.

EndDate = 1640524090 .

In [67]:
?- createConsentTerm(13,'RioHealth','Brian',9000000,'AB+',research,
                'genetic_factors_related_to_COVID-19',
                'statistic_analysis',
                15811200,
                'vaccination_priorization',
                'e-mail',
                'lgpd@riohealth.br',
                'SHA256',
                'Authorized researchers can access the data only',
                'RioHealth private cloud'),
                
    assertz(dsRight(processingConfirmation,dataSubject('Brian'),dataController('RioHealth'))),
    assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Explanation','Permission',1624712892)),

    checkConsentTerm(id(13),dataController('RioHealth'),
                        dataSubject('Brian'),
                        purpose('RioHealth',research),
                        'genetic_factors_related_to_COVID-19',
                        'statistic_analysis',
                        15811200,
                        'vaccination_priorization',
                        'e-mail',
                        'lgpd@riohealth.br',
                        1624712892),
                        
    setThatdsAgreeWithConsentTerms(id(13),
                                dataSubject('Brian'),
                                dataController('RioHealth'),
                                requestFormat('Direct','Brian','null'),                                      
                                personalData('Brian',9000000),
                                sensitiveData('Brian','AB+'),
                                startDate(1624712892),
                                endDate(EndDate)), EndDate is 1624712892+15811200,
                        
    setDSRights(dataSubject('Brian'),dataController('RioHealth'),startDate(1624712892)).

EndDate = 1640524092 ;
EndDate = 1640524092 ;
EndDate = 1640524092 ;
EndDate = 1640524092 ;
EndDate = 1640524092 ;
EndDate = 1640524092 ;
EndDate = 1640524092 ;
EndDate = 1640524092 ;
EndDate = 1640524092 ;
EndDate = 1640524092 .

In [68]:
?- setDSRevokeConsent(id(13),
                        dataSubject('Brian'),
                        dataController('RioHealth'),
                        personalData('Brian',9000000),
                        sensitiveData('Brian','AB+'),
                        now(1624712892),
                        startDate(1624712892),
                        endDate(EndDate)), 
                        EndDate is 1624712892+15811200.

EndDate = 1640524092 ;
EndDate = 1640524092 ;
EndDate = 1640524092 ;
EndDate = 1640524092 .

Figure 18 depicts the impacted entities.

![InconsistentBehaviorImpact](./img/InconsistentBehaviorImpact.png "Inconsistent Behaviour Impact")
Fig.18 - Inconsistent Behavior Impact.

This unusual behaviour can be caught by analysing the event log. Depending on its magnitude, this kind of event may cause damage to the system, such as a Denial of Service attack, for instance. 

Even though there is no evidence of the motivation for this behavior, the Data Controller should be aware of this situation and should look for the cause: whether it is just a user testing his/her possibilities in the system, a bug in the system, or a malicious person trying to cause damage to the Data Controller, among others.
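
One way to turn that log analysis into rules, as an added example that is not part of the original notebook. The predicates `agreeEvent/1`, `revokeEvent/1`, `quickRevocation/3`, `consentFlapping/3` and `eventBurst/4`, the window and threshold values, and the sample entries are assumptions made for illustration; only the `log/4` shape and the two event texts come from the notebook.

```prolog
% Added example, not the notebook's code: detect inconsistent consent behaviour.
:- use_module(library(aggregate)).
:- dynamic log/4.

% Constructed entries in the notebook's log(Event,Type,DeonticOperator,Date) shape.
log('Data Subject verified the consent term and it was ok','Explanation','Obligation',1624712890).
log('Data Subject requested to the Data Controller to revoke his/her consent','Communication','Permission',1624712892).
log('Data Subject verified the consent term and it was ok','Explanation','Obligation',1624712892).
log('Data Subject requested to the Data Controller to revoke his/her consent','Communication','Permission',1624712892).
log('Data Subject verified the consent term and it was ok','Explanation','Obligation',1625035270).

% Event texts that mark an agreement and a revocation (hypothetical helpers).
agreeEvent('Data Subject verified the consent term and it was ok').
revokeEvent('Data Subject requested to the Data Controller to revoke his/her consent').

% quickRevocation(+Window, -Agreed, -Revoked): a revocation logged no more than
% Window seconds after an agreement. log/4 has no subject or term id, so the
% correlation is by time only.
quickRevocation(Window, Agreed, Revoked) :-
    agreeEvent(A), revokeEvent(R),
    log(A, _, _, Agreed),
    log(R, _, _, Revoked),
    Revoked >= Agreed,
    Revoked - Agreed =< Window.

% consentFlapping(+Window, +Threshold, -Count): at least Threshold distinct
% agree/revoke timestamp pairs fall inside Window.
consentFlapping(Window, Threshold, Count) :-
    findall(A-R, quickRevocation(Window, A, R), Pairs),
    sort(Pairs, Unique),
    length(Unique, Count),
    Count >= Threshold.

% eventBurst(+Window, +Threshold, -Start, -Count): Count log entries of any kind
% in [Start, Start+Window], the volume signal for a possible denial of service.
eventBurst(Window, Threshold, Start, Count) :-
    setof(D, E^T^O^log(E, T, O, D), Dates),
    member(Start, Dates),
    End is Start + Window,
    aggregate_all(count, (log(_, _, _, D2), D2 >= Start, D2 =< End), Count),
    Count >= Threshold.

% ?- consentFlapping(60, 2, Count).
% ?- eventBurst(60, 4, Start, Count).
```

Because `log/4` records no Data Subject or consent term id, a production log would need those fields before these rules could attribute the behaviour to one account.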

In [69]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1624712890 {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticOperator = Permission, Date = 1624712890 ;
Event = Data Subject verified the consent term and it was ok, Type = Explanation, DeonticOperator = Obligation, Date = 1624712890 ;
Event = Data Subject can now have all foressen rights, Type = Explanation, DeonticOperator = Permission, Date = 1624712890 ;
Event = Data Subject requested to the Data Controller to revoke his/her consent, Type = Communication, DeonticOperator = Permission, Date = 1624712892 ;
Event = From now, the Data Controller cannot collect the Data Subject information, Type = Communication, DeonticOperator = Prohibition, Date = 1624712892 ;
Event = From now, the Data Controller cannot process the Data Subject information, Type = Communication, DeonticOperator = Prohibition, Date = 1624712892 ;
Event = From now, consent is not valid to be used by the data controller, Type = Explanation, DeonticOperator = Prohibition, Dat

----
#### Cause-effect: Data portability


Data portability can be explored in at least two ways. First, as with cellphone companies, data portability means migrating the data subject's phone number to another company: the client information is migrated from one company to the other. Second, as with streaming video companies, data portability may mean just the act of copying the data to another company, so both companies would have the same client data at the moment of the data portability request. 

In our scenario, let's define that data portability acts like the second case. The Data Subject wants to share his personal data with WellBeingInstitution, another health institution. But, first, the Data Subject has to accept the WellBeingInstitution's consent term and then ask RioHealth to send a copy of his data.
In this sense, RioHealth is **obligated** to comply with such request and send the requested information. 

<div>
<img src="./img/Scenario2_DataPortability.png" width="800"/>
</div>
Fig.19 - Data Portability Process.

In this sense, let's create the consent term from WellBeingInstitution to John.

In [70]:
?- createConsentTerm(11,wellbeinginstitution,'John',"Cellphone number to be informed by data portability","Blood type to be informed by data portability",research,
                'genetic_factors_related_to_COVID-19',
                'statistic_analysis',
                15811200,
                'vaccination_priorization',
                'e-mail',
                'lgpd@wellbeinginstitution.br',
                'SHA256',
                'Authorized researchers can access the data only',
                'WellBeingInstitution private cloud').

true.

In [71]:
% This fact grants the Data Subject the right to request processing confirmation

dsRight(processingConfirmation,dataSubject('John'),dataController(wellbeinginstitution)).
?- assertz(log('Data Subject can ask if the Data Controller is processing his/her data','Explanation','Permission',1625712876)).

true.

In [72]:
?- checkConsentTerm(id(11),dataController(wellbeinginstitution),
                        dataSubject('John'),
                        purpose(wellbeinginstitution,research),
                        'genetic_factors_related_to_COVID-19',
                        'statistic_analysis',
                        15811200,
                        'vaccination_priorization',
                        'e-mail',
                        'lgpd@wellbeinginstitution.br',
                        1625035270),
    
    setThatdsAgreeWithConsentTerms(id(11),
                                dataSubject('John'),
                                dataController(wellbeinginstitution),
                                requestFormat('Direct','John','null'),                                      
                                personalData('John',"Cellphone number to be informed by data portability"),
                                sensitiveData('John',"Blood type to be informed by data portability"),
                                startDate(1625035270),
                                endDate(EndDate)), EndDate is 1625035270+15811200,

    setDSRights(dataSubject('John'),dataController(wellbeinginstitution),startDate(1625035270)),
    
    dcIsStoringDSData(id(11),dataController(wellbeinginstitution),dataSubject('John'),
                    personalData('John',"Cellphone number to be informed by data portability"),
                    sensitiveData('John',"Blood type to be informed by data portability"),
                    startDate(1625035270),endDate(1640846470)).

EndDate = 1640846470 .

Now, the Data Subject requests data portability from RioHealth to WellBeingInstitution, which means a data copy from one institution to another.

In [73]:
?- assertz(log('Data Subject requestested data portability from RioHealth to WellBeingInstitution','Communication','Obligation',1625712877)).

true.

In [74]:
?- 

% First, RioHealth should have the right to store the data of John.

    dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1622035260),endDate(1637846460)). 
                    
?-
% As the Data Subject agreed with the consent term, the Data Controller has the right to store the DS personal data.

    dcIsStoringDSData(id(11),dataController(wellbeinginstitution),dataSubject('John'),
                    personalData('John',"Cellphone number to be informed by data portability"),
                    sensitiveData('John',"Blood type to be informed by data portability"),
                    startDate(1625035270),endDate(1640846470)).
                    
?- 
% Next, we have to update the WellBeingInstitution database with the data sent from RioHealth. 
    retract(dcIsStoringDSData(id(11),dataController(wellbeinginstitution),dataSubject('John'),
                    personalData('John',"Cellphone number to be informed by data portability"),
                    sensitiveData('John',"Blood type to be informed by data portability"),
                    startDate(1625035270),endDate(1640846470))),
                    
    assertz(dcIsStoringDSData(id(11),dataController(wellbeinginstitution),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(1625035270),endDate(1640846470))).

?- 
% Last but not least, the following log entries register the action.
                    
    assertz(log('Data Controller RioHealth achived the Data Subject request','Communication','Obligation',1625712878)),
    
    assertz(log('Data Subject should check if the data are correct','Explanation','Permission',1625712879)).
                

true.
true.
true.
true.

In [75]:
?- log(Event,Type,DeonticOperator,Date), Date >= 1625712876 {-1}.

Event = Data Subject can ask if the Data Controller is processing his/her data, Type = Explanation, DeonticOperator = Permission, Date = 1625712876 ;
Event = Data Subject requestested data portability from RioHealth to WellBeingInstitution, Type = Communication, DeonticOperator = Obligation, Date = 1625712877 ;
Event = Data Controller RioHealth achived the Data Subject request, Type = Communication, DeonticOperator = Obligation, Date = 1625712878 ;
Event = Data Subject should check if the data are correct, Type = Explanation, DeonticOperator = Permission, Date = 1625712879 .

In this sense, as the new relationship between John and WellBeingInstitution requires a new consent term, all relationships are impacted, as depicted in Figure 20.

![DataPortabilityImpact](./img/DataPortabilityImpact.png "Data Portability Impact")
Fig.20 - Data Portability Impact.

Finally, let's check who has John's data.

In [76]:
?- dcIsStoringDSData(id(ID),dataController(DataController),dataSubject('John'),
                    personalData('John',976635869),sensitiveData('John','A+'),
                    startDate(StartDate),endDate(EndDate)).

ID = 10, DataController = RioHealth, StartDate = 1622035260, EndDate = 1637846460 ;
ID = 11, DataController = wellbeinginstitution, StartDate = 1625035270, EndDate = 1640846470 .
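
The copy in cell In [74] is done by hand with `retract` and `assertz`. The added example below (not part of the original notebook) wraps the same step in a guard that refuses the copy unless both consent terms are in force, and adds the check the log asks the Data Subject to make. The predicates `held/6`, `portData/4` and `portabilityMismatch/5` are hypothetical names; the two facts are the notebook's state before the copy.

```prolog
% Added example, not the notebook's code: guarded portability plus a verification step.
:- dynamic dcIsStoringDSData/7.

% State before the copy, taken from cells In [72] and In [74].
dcIsStoringDSData(id(10),dataController('RioHealth'),dataSubject('John'),
    personalData('John',976635869),sensitiveData('John','A+'),
    startDate(1622035260),endDate(1637846460)).
dcIsStoringDSData(id(11),dataController(wellbeinginstitution),dataSubject('John'),
    personalData('John',"Cellphone number to be informed by data portability"),
    sensitiveData('John',"Blood type to be informed by data portability"),
    startDate(1625035270),endDate(1640846470)).

% held(+DS, ?DC, -Id, -Personal, -Sensitive, +Now): DC stores DS data under a
% consent term that is in force at time Now (hypothetical helper).
held(DS, DC, Id, P, S, Now) :-
    dcIsStoringDSData(id(Id),dataController(DC),dataSubject(DS),
        personalData(DS,P),sensitiveData(DS,S),startDate(Start),endDate(End)),
    Now >= Start, Now =< End.

% portData(+DS, +From, +To, +Now): copy the values From holds into To's record.
% Fails, changing nothing, unless both terms are in force at Now.
portData(DS, From, To, Now) :-
    From \== To,
    held(DS, From, _, P, S, Now),
    held(DS, To, Id, _, _, Now),
    retract(dcIsStoringDSData(id(Id),dataController(To),dataSubject(DS),
        _,_,startDate(Start),endDate(End))),
    assertz(dcIsStoringDSData(id(Id),dataController(To),dataSubject(DS),
        personalData(DS,P),sensitiveData(DS,S),startDate(Start),endDate(End))),
    !.

% portabilityMismatch(+DS, +From, +To, +Now, -Field): a field that still differs
% between the two controllers; no solution means the copy is consistent.
portabilityMismatch(DS, From, To, Now, personalData) :-
    held(DS, From, _, P1, _, Now), held(DS, To, _, P2, _, Now), P1 \== P2.
portabilityMismatch(DS, From, To, Now, sensitiveData) :-
    held(DS, From, _, _, S1, Now), held(DS, To, _, _, S2, Now), S1 \== S2.

% ?- portData('John','RioHealth',wellbeinginstitution,1625712878).
% ?- portabilityMismatch('John','RioHealth',wellbeinginstitution,1625712878,Field).
```

Running the mismatch query before `portData/4` reports both fields, since WellBeingInstitution still holds the placeholder strings; a request dated after RioHealth's `endDate` makes `portData/4` fail and leaves the database untouched.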