Next Article in Journal
Quasi-Static and Fatigue Strength of Copper-Brazed Stainless Steel
Next Article in Special Issue
Simple yet Effective Ensemble Feature Selection Using Hierarchical Binning
Previous Article in Journal
Multi-Agent Reinforcement Learning Model Simulation for Attention-Deficit Hyperactivity Disorder Children
Previous Article in Special Issue
WH-MSDM: A W-Hilbert Curve-Based Multiscale Data Model for Spatial Indexing and Management of 3D Geological Blocks in Digital Earth Applications
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Privacy-by-Design in AI-Assisted Systems for Caregivers of Children with Autism: A Secure Multi-Agent Architecture

by
Ionuț Croitoru
,
Cristina Elena Turcu
* and
Corneliu Octavian Turcu
Faculty of Electrical Engineering and Computer Science, Ștefan cel Mare University of Suceava, 720229 Suceava, Romania
*
Author to whom correspondence should be addressed.
Appl. Sci. 2026, 16(4), 2157; https://doi.org/10.3390/app16042157
Submission received: 29 December 2025 / Revised: 12 February 2026 / Accepted: 17 February 2026 / Published: 23 February 2026

Abstract

Caregivers of children with Autism Spectrum Disorder (ASD) frequently experience chronic psychological stress, thereby necessitating accessible support. Although artificial intelligence (AI)-based assisted technologies have the potential to reduce caregiver workload, most existing solutions lack robust privacy control and clinical interoperability, which significantly limits their adoption in regulated healthcare environments. To address these challenges, this paper proposes a Privacy-by-Design (PbD) multi-agent architecture that enables consent-aware, auditable, and privacy-preserving AI-assisted support for caregivers of children with ASD. The effectiveness of the proposed architecture was evaluated using two datasets: one focusing on clinically grounded autism-related knowledge and another reflecting naturalistic caregiver observation language. System performance was assessed using a Retrieval-Augmented Generation Assessment (RAGAs)-based framework with a Large Language Model (LLM)-as-a-Judge approach implemented via a locally deployed Llama 3 8B model. The system achieved answer relevancy scores of 0.767 for the clinical dataset and 0.750 for the observational dataset, with corresponding Recall@K values of 0.400 and 0.742, respectively. Context precision ranged from 0.599 to 0.631, and no harmful content was detected. Overall, the proposed architecture demonstrates secure caregiver–specialist collaboration through consent-aware routing, anonymised data storage, and controlled data reconstruction, providing a regulation-aligned design option for privacy-preserving AI integration in assisted care platforms.

1. Introduction

The significant increase in the prevalence of Autism Spectrum Disorder (ASD), currently estimated to affect approximately one in 100 children worldwide [1,2,3,4], has intensified attention not only on the needs of diagnosed individuals but also on the broader impact on their caregivers. Existing research indicates that caregivers of children with ASD frequently experience elevated levels of anxiety, fatigue, and emotional exhaustion due to the complex demands of caregiving [3,5,6]. Recent studies further report that nearly 75% of these caregivers experience moderate to severe anxiety on a daily basis [7]. These challenges are primarily associated with the need to manage behavioural disorders, communication impairments, and continuous monitoring, often in the context of insufficient external support. Over time, prolonged exposure to such stressors can significantly diminish caregivers’ quality of life and reduce the overall effectiveness of the care provided [2,8].
Access to specialised therapeutic services often poses additional challenges, particularly for families residing in rural or peri-urban areas located far from treatment centres, where geographical barriers frequently lead to prolonged disruptions in face-to-face interventions [9]. Consequently, there is a clear need for scientifically validated therapeutic interventions that can be implemented within the home environment, supported by modern digital technologies [10]. The objective of such initiatives is not to transfer full therapeutic responsibility to caregivers, but rather to strengthen collaboration between them and healthcare professionals through structured mechanisms for training, guidance, and continuous monitoring. Such an integrated, technology-enabled approach has the potential to optimise intervention processes and alleviate the psychological burden associated with caregiving, while simultaneously enhancing the long-term sustainability and efficiency of care delivery. Teletherapy platforms, mobile applications for parental coaching, behavioural monitoring systems, and socially assistive robots used in therapeutic contexts show considerable promise in complementing traditional interventions by enabling home-based support, parent training, and the acquisition of valuable data for the development of personalised treatment plans [11].
The widespread adoption of telemedicine in recent years has demonstrated the feasibility and effectiveness of remote therapeutic interventions, with meta-analyses indicating outcomes comparable to conventional in-person therapy, often at reduced costs [12]. A randomised controlled trial conducted by Lu et al. [13] found that, within only two weeks, integrating online support courses for parents of children with ASD significantly reduced caregiver stress levels and enhanced parental self-efficacy compared with control groups receiving traditional interventions alone. Remote support has also been associated with increased parental motivation, sustained engagement in training, and more active participation in the therapeutic processes [14]. These findings suggest that such tools can offer meaningful benefits, for instance, by enabling easier and faster access to specialist expertise regardless of geographic constraints and by enhancing collaboration between families and therapy teams through real-time virtual consultations. Moreover, teletherapy sessions can provide caregivers with restorative short breaks while maintaining continuity of therapeutic intervention for the child, thereby contributing to greater parental satisfaction and reduced burnout [14,15].
Building on these developments, assistive technologies have emerged as a broader approach for extending professional support into the home environment, mitigating caregiver fatigue, and enhancing the overall quality and continuity of home-based care delivery [16]. These systems encompass a wide range of digital solutions, including teletherapy platforms, mobile guidance applications, and sensor-based monitoring devices, that facilitate communication, therapy support, and behavioural management within daily caregiving routines. By enabling remote supervision and systematic data collection, assistive technologies bridge the gap between clinical and home environments, promoting continuity of care and expanding equitable access to therapeutic resources, regardless of geographical constraints.
Artificial Intelligence (AI)-based assistive technologies represent the next evolutionary stage in personalised and adaptive care delivery [17]. Intelligent systems employ Machine Learning algorithms, natural language processing, and computer vision techniques to analyse behavioural and contextual data, enabling automated feedback, adaptive interventions, and predictive monitoring. Through the structured acquisition and analysis of sensitive developmental data, AI-based systems can generate valuable insights that support clinical decision-making and enhance the design and optimisation of individualised therapeutic interventions. However, despite these notable advantages, privacy and data protection remain insufficiently addressed in contemporary assistive systems, representing a major barrier to their widespread and reliable deployment in real-world healthcare settings [18].
This paper aims to investigate the integration of Privacy-by-Design (PbD) principles within an AI-assisted system architecture designed to support caregivers of children with autism, ensuring data confidentiality and security from the outset while preserving system functionality and the associated benefits for caregivers. The successful deployment of such systems requires design practices that safeguard confidentiality, enforce robust privacy protections, and uphold ethical standards throughout the entire data lifecycle. Accordingly, the paper examines how PbD principles can be embedded within intelligent, context-aware assisted systems to support caregivers of children with autism. By building on the intersection of Privacy-by-Design and Multi-Agent System (MAS) paradigms, the research aims to bridge regulatory, architectural, and operational perspectives on trustworthy AI for sensitive healthcare application.
Accordingly, the paper addresses the following research questions:
RQ1: How can Privacy-by-Design principles be operationalised within a Multi-Agent System architecture for AI-assisted autism caregiver support?
RQ2: How can Privacy-by-Design-oriented multi-agent architecture contribute to sustainable and trustworthy AI ecosystems in digital health?
To address these questions, a Design Science Research (DSR) approach is adopted to (1) design, implement, and empirically evaluate a PbD-oriented MAS integrating Large Language Model (LLM) reasoning, consent management, and Data Loss Prevention (DLP) mechanisms; (2) assess system performance in terms of privacy preservation efficacy, inference latency, and information retrieval accuracy; and (3) analyse its implications for long-term governance, transparency, and sustainability in digital health AI infrastructures.
The main contributions of this paper are as follows:
-
We propose a PbD MAS architecture for AI-assisted caregiver support, integrating consent management, data loss prevention, Retrieval-Augmented Generation, and auditing mechanisms.
-
We implement a working Minimum Viable Product (MVP) supporting policy validation and end-to-end traceability and demonstrate the practical feasibility of the proposed architecture.
-
We operationalise the identified research gap through a set of explicit evaluation criteria (C1–C7) aligned with applicable regulatory and technical standards.
-
We conduct a comprehensive empirical evaluation based on 250 question–answer pairs across two distinct datasets, complemented by 30 access control validation test cases.
-
We define and apply a rigorous suite of formally specified metrics to assess retrieval performance, answer relevance, and access control effectiveness.
The remainder of the paper is structured as follows. Section 2 reviews existing approaches and theoretical foundations. Section 3 presents the system architecture and design principles. Section 4 and Section 5 report experimental evaluation and analyse the findings. Finally, Section 6 summarises the contributions and outlines directions for future research.

2. Related Works

AI-driven assisted technologies have substantially reshaped autism care by introducing digital health tools that enhance caregiver support and improve therapeutic outcomes. Teletherapy platforms and mobile-based parental coaching applications have been shown to reduce caregiver burnout and increase parental self-efficacy. Similarly, physiological signal-based stress detection systems achieve high accuracy when monitoring individuals with autism. Despite these advancements, most assisted solutions prioritise functional performance over data protection, leaving sensitive behavioural data vulnerable to unauthorised disclosure. Recent reviews highlight the absence of robust privacy safeguards and the insufficient integration of Privacy-by-Design principles in current implementations, a gap that undermines trust and limits the widespread adoption of these technologies [18,19].
Privacy-preserving frameworks and Federated Learning (FL) aim to enhance data protection in healthcare by leveraging distributed architectures. FL systems such as NVIDIA FLARE [20] and Substra [21] train models across decentralised nodes without exposing raw patient data. Both platforms use ledger-based traceability to ensure accountability. They represent state-of-the-art solutions for model training and Machine Learning Operations (MLOps). However, these systems exhibit notable limitations when applied for real-time caregiver support scenarios [22].
Moreover, existing frameworks (Appendix B) demonstrate limited interoperability with HL7 FHIR (Health Level Seven—Fast Healthcare Interoperability Resource) and lack support for granular consent management, both of which are essential for healthcare applications.
Retrieval-Augmented Generation (RAG) and safety in healthcare use cases depend on rigorous control over language model outputs. While LLMs provide conversational support, they also introduce risks related to hallucinations and factual inaccuracies. RAG mitigates these risks by grounding outputs in verified knowledge sources. Small Language Models (SLMs) enable local execution, thereby reducing the attack surface associated with data leakage and external exposure [23]. However, standard RAG pipelines rarely enforce strict version control for policies or automated data loss prevention mechanisms at the query stage. This limitation underscores the need for an integrated design that combines RAG with fail-closed consent rules and auditable controls aligned with General Data Protection Regulation (GDPR) [24] and the European Union Artificial Intelligence Act (EU AI Act) [25]. This study addresses this gap by introducing a Privacy-by-Design Multi-Agent System (PbD MAS) tailored to AI-assisted support for autism caregivers.
To make the identified gaps explicit and analytically well defined, we introduce a set of evaluation criteria (C1–C7) covering governance and auditability, consent orchestration, clinical interoperability, privacy-enhancing technologies, edge performance, local explainability, and federated lifecycle support. A criterion-based comparison of representative frameworks is provided in Appendix B. This analysis operationalises the gaps identified in this section and serves as a systematic foundation for the architectural requirements.

Theoretical Background

This section outlines the core theoretical conceptual frameworks underpinning the proposed architecture, namely Privacy-by-Design and Multi-Agent System architectures.
Privacy-by-Design framework. Dr Ann Cavoukian introduced the Privacy-by-Design framework as a proactive approach that embeds privacy considerations into the design of information systems, organisational practices, and digital infrastructures. Its primary objective is to prevent privacy risks before they occur by implementing seven foundational principles as an integrated model of protection [26]. In the current era of AI-driven assisted technology for caregivers of children with ASD, the application of PbD principles is essential for developing systems that are compliant with rigorous data protection regulation, including the GDPR [24], the Health Insurance Portability and Accountability Act (HIPAA) [27], the EU AI Act [25], the Children’s Online Privacy Protection Act (COPPA) [28], as well as applicable national legislation. Beyond regulatory compliance, PbD addresses critical requirements for enhanced data security and confidentiality maintenance in caregiver-oriented assisted systems.
The PbD framework requires a proactive stance, addressing risks before they materialise, through early assessments and built-in safeguards rather than reacting to breaches after system deployment. Privacy must operate as the default setting, ensuring that personal data are automatically protected without requiring user intervention. Protection is embedded directly into the architecture of systems and organisational practices, becoming a fundamental design element rather than an optional add-on. The framework rejects zero-sum trade-offs, demonstrating that privacy and full functionality can coexist in a positive-sum model. Robust security safeguards are applied across the entire data lifecycle, from collection and processing to storage and eventual deletion, ensuring that no stage remains unprotected. Transparency is essential, requiring systems to operate in ways that can be verified by users, regulators, and independent auditors. Finally, the PbD approach is user-centric, providing individuals with strong privacy defaults, clear notices, and accessible controls that enable individuals to manage their personal data effectively [26].
Multi-Agent Systems architecture. Multi-Agent Systems provide a conceptual and engineering framework for developing software systems composed of multiple interacting autonomous entities—referred to as agents—that cooperate, coordinate, or compete to achieve individual and collective goals [29,30]. According to Wooldridge [31], an agent is “a computer system capable of autonomous action in an environment to meet its design objectives”. Numerous definitions of agents have been proposed worldwide, several of which have been reviewed and synthesised in prior work [32], reflecting the diversity of perspectives within the broader field of agent-oriented computing.
Similarly, numerous attempts have been made to define AI agents [33,34]. According to [34] “AI agents are autonomous technologies, designed to perform tasks, make decisions, and interact with their environment to achieve specific predefined goals, with minimal human intervention”. In contrast to traditional software programmes that follow static, pre-defined logic, AI agents exhibit autonomy, adaptability, and proactive behaviour. They function with limited human oversight, continuously perceive and respond to environmental dynamics, and refine their actions through experience-based learning. Moreover, they engage in purposeful communication—both with human users and with other agents—to coordinate tasks and share knowledge, reflecting the social dimension of intelligent systems. As noted in [35], “unlike generative AI, AI agents can interact with their environment to perform tasks for users”. These characteristics are well established in the agent-oriented and artificial intelligence literature [36] and constitute the foundation for intelligent, context-aware architectures. When augmented with the advanced language understanding and generative capabilities of Large Language Models, such agents acquire enhanced interpretive, reasoning, and interaction capabilities that substantially extend their practical applicability in complex, real-world settings [29,36].
According to [37], agents and Multi-Agent Systems have been identified as effective solutions for addressing multiple challenges that emerged in the process of digitalisation of healthcare services, including coordination across heterogeneous components, scalability, and adaptability to dynamic clinical workflows. These characteristics make MAS particularly suitable for privacy-sensitive assisted systems, where responsibilities such as data handling, consent enforcement, reasoning, and auditing must be clearly separated yet tightly coordinated. Thus, a MAS architecture allows privacy responsibilities to be operationalized as autonomous agents with constrained scopes, reducing the attack surface and improving traceability.

3. Materials and Methods

This paper adopts a Design Science Research methodology to systematically design, implement, and evaluate a Privacy-by-Design multi-agent architecture for AI-assisted autism caregiver support. The DSR approach was selected because it enables the development of innovative artefacts that bridge theoretical constructs and practical applications in complex socio-technical contexts such as digital health. Consistent with the Level 1 artefact category, the research focuses on the design and validation of a situated architectural instance rather than a generalised framework.
The primary objectives of the research are as follows:
-
Develop a conceptual multi-agent architecture that separates and assigns specific roles (e.g., user interface, data management, AI analysis, consent, security), thereby enabling enhanced control over data access and the implementation of privacy policies at the component level.
-
Define an informed and transparent consent model integrated within the architecture, allowing caregivers to express and modify their preferences regarding data collection and usage in a clear and accessible manner, while ensuring full compliance with GDPR requirements for transparency and data subject rights.
-
Integrate emerging AI technologies—such as Large Language Models with Retrieval-Augmented Generation, Explainable AI (XAI) algorithms, and differential privacy methods, in a manner that enhances system functionality while simultaneously minimising data exposure. For example, local AI components can provide context-aware recommendations based on locally processed information, thereby preventing sensitive data from being sent to external cloud services.
-
Conduct a conceptual evaluation of the proposed design to assess its robustness, scalability, and practical applicability, while identifying key directions for future implementation and research.
This section outlines the methodology used to design, build, and evaluate the proposed PbD MAS. The focus remains on compliance, security, and clinical interoperability gaps highlighted in the preceding analysis. The section defines the core architectural principles and the implementation workflow of the MVP used for empirical validation.
At the core of the system design is a privacy-aware, modular multi-agent architecture. The proposed PbD MAS leverages MAS properties (modularity, isolation, inter-agent communication) to operationalise PbD principles including data minimisation, purpose limitation, and accountability. Each agent performs a clearly defined role and interacts with other agents through standardised protocols under strict data governance rules. This functional decomposition ensures that responsibilities such as monitoring, data management, interpretation, recommendation, explanation, and consent validation are delegated to specialised agents. The architecture supports clear reasoning, simplified auditing, and modular extension. Each agent has a limited and well-defined function, which improves system transparency and control. Core PbD principles are applied throughout the design. Agents access only the data required to fulfil their designated role, in accordance with the principle of data minimisation. Access control is enforced dynamically using Role-Based Access Control (RBAC), with user roles such as caregiver or specialist determining permissible operations. Any secondary use of data requires verified, purpose-specific consent, enforced through structural constraints within the system. Each agent operates in isolation with a well-defined task, such as monitoring, recommending, or auditing, thereby enabling traceability and role-based accountability.
While this paper does not claim full adherence to the complete DSR lifecycle, particularly with respect to the demonstration and longitudinal evaluation phases, it contributes a functionally grounded and theoretically justified artefact. The contribution aligns with Gregor and Hevner’s classification of Level 1 design science outputs [38], which characterises artefacts as situated implementations. The proposed design is justified by methodological transparency, integration of domain-specific knowledge, responsiveness to user requirements, and alignment with regulatory and ethical frameworks, including the GDPR and responsible AI practices [29].
These architectural choices prioritise deterministic behaviour, traceability, and policy-driven control to support auditability and regulatory compliance in caregiving contexts.
Non-Functional Requirements: Given the sensitivity of personal data processed in assisted tools for caregivers of children with ASD, the architecture prioritises privacy, auditability, explainability, and compliance with legal and regulatory frameworks such as the GDPR [24] and the AI Act [25]. In addition, technical requirements such as scalability, fault tolerance, and interoperability ensure system reliability across diverse use cases. Table 1 summarises the principal non-functional requirements derived from these considerations.
Operational and compliance specifications delineate the system’s boundaries and compliance parameters across deployment settings. All data processing is governed by signed, versioned policies issued by the policy authority. Each processing request includes a trace identifier (trace_id), the active policy version (active policy_version), and, where applicable, a consent version (consent_version). Personal data are processed only when explicit; purpose-specific consent is present and after successful minimisation and data loss prevention checks. If no lawful basis exists or if required safety controls are unavailable, the system defaults to a Knowledge Base (KB)-only operational mode.
Identity and access are managed through standards-based authentication and least-privilege, purpose-scoped authorisation. Inter-service communication is secured using cryptographic and organisational safeguards [45,46]. Observability is integrated through distributed tracing and append-only, minimised audit logs. Specialised agents operate under the coordination of a central Policy Control Plane (PCP) and communicate via a shared message bus. Each agent is assigned a clearly defined functional role and operates under version-controlled policies and consent parameters, enforcing least privilege, purpose limitation, and data minimisation. The architecture adheres to core PbD principles, including explicit consent, explainability, reproducibility, and graceful degradation [24,25,47,48]. When personalisation is not permitted or when required services are unavailable, the system defaults to KB-only responses.
Figure 1 illustrates the agents’ relational structure and communication flows, which enforce role scopes, consent rules and DLP filters.
A central Policy Control Plane, implemented using a policy-as-code approach [49], distributes signed and version-controlled policies (as illustrated in Figure 1) to all agents and enforces role scopes, consent rules and DLP filters, defined as rule sets designed to prevent unauthorised data disclosure. Agents communicate primarily through a decoupled message bus (depicted in green in Figure 1), implementing a publish–subscribe (pub/sub) model. This mechanism supports asynchronous interactions with trace_id and policy_version propagation.
Three specialised agents support bidirectional request/response flows over predefined topics: the RAG Agent (agent.rag.{req|resp}), the Chat Agent (agent.chat.{req|resp}), and the XAI Agent (agent.xai.{req|resp}). Consent validation operates synchronously via HTTP or gRPC and is not routed through the message bus.
All agents emit asynchronous audit events to a dedicated audit subsystem, as shown in Figure 1. Audit records are minimised by design, using hashed identifiers, coarse timestamps, and event sampling to reduce re-identification risk.
Personal data flows are explicit, consent-gated, and strictly constrained, as illustrated in Figure 1:
-
The Consent Agent provides only policy metadata (policy_version, consent_version, obligations) to the Security/DLP Agent.
-
The Security/DLP Agent transfers a minimised payload to the Chat Agent.
-
The Security/DLP Agent sends PII-safe rationales to the XAI Agent, meaning that the justifications for XAI-related actions are processed to ensure that no Personally Identifiable Information (PII) is included in the transmitted content.
These flows are designed to protect sensitive attributes while preserving functional utility for caregivers. Agents are organised across two trust zones based on data sensitivity. In the non-personal data zone, the RAG Agent retrieves evidence from a curated KB. In the personal data zone, the Consent Agent enforces purpose-specific, versioned consent; the Security/DLP Agent applies context minimisation [24] and output filtering; the Chat Agent generates AI responses only when legally permitted; and the XAI Agent produces PII-safe explanations aligned with the underlying recommendation logic [25].
The processing sequence—Authorise → Consent → DLP → Retrieve/Personalise → XAI → Audit—operationalises PbD and enables graceful degradation through KB-only responses when personalisation is not permitted or components are unavailable.
Layered Architecture. Figure 2 presents a layered architecture that separates responsibilities according to both functional roles and trust boundaries. Privacy, safety, and auditability are treated as core system properties. The architecture is technology-agnostic and adopts a fixed-policy, non-adaptive control model. All components operate under PCP issued policies.
The visual encoding distinguishes interaction types as follows:
-
Purple lines represent policy distribution and access control.
-
Green lines denote asynchronous publish/subscribe communication.
-
Blue lines indicate synchronous request–response interactions (gRPC/HTTP).
-
Red lines mark personal data flows gated by consent and minimisation.
-
Brown dashed lines represent asynchronous audit events.
These visual markers represent enforceable runtime invariants that are validated through tracing and audit mechanisms to ensure conformance with PbD principles and regulatory requirements.
The User Interface (UI) layer provides RBAC for all users. It includes a dashboard for managing data subject rights (opt-in/out, data export, deletion). All ingress traffic is protected by Transport Layer Security (TLS) 1.3 [42] ensuring confidentiality and data integrity against interception and tampering. Authentication is implemented through OpenID Connect (OIDC)/OAuth 2.0 using short-lived tokens to enhance security [50,51].
Clients do not store sensitive data unless explicitly permitted. When local storage is required, all data are encrypted and bound to the device’s secure keystore. User interface components are filtered according to the active role and consent scope, thereby enforcing purpose limitation at the point of use.
Control and Orchestration Layer mediates system interactions. The API Gateway handles TLS termination, request validation, and trace propagation, with each request carrying a trace_id header and scopes validated by an RBAC service against policies issued by the PCP. The Orchestrator coordinates the processing flow:
Authorise → Consent → Minimise (DLP) → Retrieve (RAG) → Personalise → Explain (XAI) → Deliver
If the preconditions for personalisation are not satisfied, the Orchestrator falls back to a KB-only pathway and informs the user. The message bus handles asynchronous communication with retries and backpressure; synchronous requests are restricted to low-latency control paths. The Orchestration logic is non-adaptive and policy pinned, and it does not trigger behaviourally driven actions. Although adaptive orchestration was initially considered to increase flexibility, it was ultimately rejected in favour of deterministic orchestration, whereby identical inputs consistently yield identical outputs. This design choice simplifies compliance auditing and reinforces legal accountability. Prior research on explainable AI indicates that stakeholders, particularly auditors and caregivers, are more likely to trust systems that exhibit predictable and transparent behaviour [52,53]. While this approach may reduce optimisation opportunities, it strengthens auditability and aligns with the transparency requirements of GDPR (Accountability) [24] and the EU AI Act (Logging and Traceability) [25].
Knowledge and Non-Personal Data Layer supports information retrieval without processing personal data. The curated KB stores validated content with metadata (source, licence, freshness). The RAG service performs semantic search with cited results. All KB modifications are recorded immutably to ensure data provenance and traceability. This layer provides useful functionality without exposing personal data and ensures the system remains operational even when components fail.
Personal Data Layer is responsible for consent-gated processing of identifiable information. The Consent Service manages revocable, purpose-bound decisions with versioning and audit support. Personal data are encrypted and accessible only through controlled interfaces. Ingested data is pseudonymised and minimised at source. A rule-based Analysis Agent operates within this trust zone exclusively on derived signals produced by the monitoring pipeline; it performs no statistical prediction, emitting only policy relevant alerts. Personalisation is executed solely when permitted by active consent and RBAC rules. Aggregate analytics employ fixed-query differential privacy under ε-budgets, maintained separately from interactive services to preserve predictability.
Security and Observability Layer enforces system-wide safeguards. The DLP service applies input minimisation and output filtering, including checks on explanations. Keys and secrets are managed through environment-isolated configuration with restricted access controls [54]. Data at rest are encrypted (e.g., Advanced Encryption Standard with Galois/Counter Mode—AES-GCM), and all connections use Mutual TLS (mTLS). The Audit subsystem records append-only, hashed logs with coarse-graining timestamp and sampling. Each event is tagged with the corresponding policy_version and, where applicable, consent_version.
Each horizontal layer defines a trust boundary. Transitions from non-personal to personal layers require explicit consent and confirmed minimisation. All inter-layer calls carry trace_id, policy_version, and consent_version. Requests with missing or outdated context are rejected. Failure cases are handled explicitly. If consent or DLP checks fail, the system defaults to a KB-only path and records the fallback event. If RAG functionality is degraded, cached or hedged queries reduce latency. If a KB version is invalid, the controller reverts to the most recent stable snapshot. The user interface reflects current state (e.g., “personalisation unavailable—general guidance shown”), thereby maintaining user trust and system utility. This layered separation also supports the explainability requirement. Aggregate outputs are generated using fixed query templates with defined ε-budgets. The system avoids post hoc approximations of opaque models, maintaining consistency between internal logic and the explanations presented to users. The layered architecture implements PbD through structural and policy-based constraints. Data minimisation is enforced by default. Most requests are handled entirely within the non-personal layer. Personal data are accessed only when consent is active and features have been minimised. Purpose limitation and least privilege are ensured through signed policies, RBAC scopes, and strict validation of context at every processing step. Explainability and accountability are integral to the design. The RAG Agent retrieves cited evidence, while the XAI Agent generates reproducible, symbolic outputs filtered for PII. All actions are logged to support auditing and compliance. The result is a system that provides functional value under constrained conditions, degrades safely when requirements are unmet, and remains auditable, predictable, and aligned with regulatory and ethical standards.
Agent Typology and Control Framework. The proposed architecture is organised around specialised agents, each assigned a narrow-defined mandate and operating under the principle of least privilege. This design minimises the overall attack surface, simplifies compliance verification, and ensures that accountability can be attributed to individual components. The PCP functions as the central governance authority, distributing signed and version-controlled policies to all agents. This mechanism ensures that inter-agent interactions remain consistently regulated and that changes in regulatory or organisational requirements are traceable throughout the system lifecycle. The Consent Agent enforces purpose-bound consent by validating requests against HL7 FHIR Consent resources. For each authorised interaction, it appends policy_version and consent_version metadata, embedding compliance with regulated legal requirements directly into operational workflows. The Security/DLP Agent safeguards the system by detecting and redacting PII, minimising payloads, and generating PII-safe rationales. It enforces deny-by-default access controls and isolates high-risk services, such as code execution modules, thereby preventing data leakage and mitigating adversarial exploitation. The RAG Agent manages access to curated, version-controlled knowledge bases through policy-scoped queries. It integrates provenance logging and attaches citation guarantees, reducing hallucination risks and strengthening the factual basis for downstream explainability. The Chat Agent provides contextual recommendations derived from policy-validated and DLP-filtered inputs. Within this architecture, SLMs serve as the default reasoning engine for tasks involving personal data, thereby supporting data minimisation principles and enabling sub-second response times. The invocation of LLMs is restricted to pseudonymised, knowledge-based artefacts, and occurs only when tasks require reasoning capabilities beyond those of SLMs. The allocation between SLM and LLM follows a deterministic routing policy governed by sensitivity, task complexity, latency, and faithfulness checks, with each routing decision rendered auditable through trace identifiers and policy metadata. The Orchestrator deterministically routes inputs to SLMs or LLMs by sequentially applying sensitivity, task complexity, latency/resource, and faithfulness gates. It defaults to SLMs for personal or low-complexity tasks within strict latency bounds and escalating to LLMs only when inputs are pseudonymised artefacts, tasks demand higher reasoning capacity, or SLM outputs fail accuracy or evidence-alignment checks [55]. The XAI Agent transform decision traces into human-readable explanations. By generating symbolic, rule-based rationales and evidence chains from CloudEvents and retrieval outputs, it avoids opaque black-box justifications and reinforces transparency and stakeholder trust [56]. The Audit Agent enables system-wide accountability by asynchronously recording all events in CloudEvents format. Each event is enriched with signed metadata, including trace_id, policy_version, and consent_version, enabling tamper-evident logging that supports both real-time monitoring and post hoc Data Protection Impact Assessments (DPIA) [47]. Finally, the message bus facilitates inter-agent communication through a decoupled publish/subscribe mechanism. It provides scalability, fault tolerance, and resilience while maintaining observability through W3C Trace Context propagation.
Minimum requirements. All components must satisfy the following constraints: TLS 1.3 exclusively, restricted to TLS_AES_128_GCM_SHA256 or TLS_CHACHA20_POLY1305_SHA256 in accordance with NIST SP 800-53 AU and IETF RFC 8446 [42,57,58]; mTLS for Agent-to-Agent (A2A) and gRPC interactions, consistent with the OAuth 2.0 mutual TLS profile [51]; OAuth 2.0 BCP with least-privilege scopes, access-token Time to Live (TTL) ≤ 5 min, and no refresh tokens for server-to-server interactions [50]; certificate and key rotation every ≤ 90 days [59]; NATS JetStream max_age ≤ 24 h for minimised PII (7–30 days for non-PII) [60]; Kafka retention.ms ≤ 24 h for PII, with audit topics compacted and retained 365 days without PII [61]; Redis Streams trimmed to 24 h where PII exists [62]; and fail-closed enforcement if policy_version, consent_version, or purpose_id are missing [63,64]. Retention and TTL constraints for message buses are defined in the Security and Retention Profile (Appendix A).
The PCP governs protocol usage by binding each data flow to policy, consent, and purpose constraints, ensuring that transport-layer decisions remain auditable and legally compliant.
Deployment. Containerisation and Namespace Isolation. The deployment of the privacy-aware MAS is designed to combine modular scalability with strict compliance guarantees. The architecture is implemented in a containerised environment orchestrated by Kubernetes [65], which provides automated scheduling, scaling, fault recovery, and namespace isolation [66]. Each agent (Orchestrator, Consent and Policy Control, DLP, RAG, Chat, XAI and Audit) is deployed in an independent pod, while supporting subsystems enforce cross-cutting requirements for policy management, secure communication, and data protection.
Personal and Non-Personal Zones. The secure zone is protected by Kubernetes Network Policies, which restrict inter-namespace traffic and prevent personal data flows from being routed into non-personal domains [67]. In this scenario runtime isolation is enforced with Pod Security Standards and kernel-level profiles, reducing the risk of container breakout attacks [68]. All processing involving personal data is confined to a secure zone, where low-latency reasoning tasks are executed. Personal data never leaves this zone in raw form: identifiers are removed or minimised before artefacts are transferred to the non-personal domain. This design ensures strong isolation and direct alignment with data minimisation principles. The non-personal zone hosts LLM escalation, knowledge retrieval, recommendation, and XAI Agents. LLMs process only pseudonymised artefacts or non-personal knowledge. SLMs handle personal data solely within the secure zone, under consent and data minimisation controls. The PCP distributes signed, versioned policies, and every message carries a trace_id, policy_version and consent_version, validated by each agent. This mechanism enforces purpose-bound processing and produces a reproducible evidence trail that supports system-wide accountability [24,25,63,64].
Communication Layer. A hybrid message bus underpins inter-agent communication, balancing durability, latency, and control. Apache Kafka provides durable, auditable streams [69]; Redis Streams supports low-latency ephemeral channels with short retention; and NATS JetStream carries lightweight control signals [60]. This layered design ensures operational resilience while supporting privacy-driven data minimisation.
Service Mesh. A service mesh (Linkerd at baseline [70], Istio at scale [71]) intercepts all inter-agent traffic through sidecar proxies [72]. It enforces mutual TLS, context propagation, retries, and policy checks at the network layer, while exporting telemetry via W3C Trace Context [63] and CloudEvents [64]. This approach provides uniform observability and fault isolation without modifying agent logic.
Vault Subsystem. A dedicated Vault subsystem manages cryptographic material. It issues short-lived OAuth2/OIDC [51] tokens, performs automatic TLS certificate rotation, and records lifecycle events. This centralised approach reduces exposure windows for secrets and aligns with controls on key management [43].
RAG Subsystem. RAG is supported by a Vector Database (VDB) that enables Approximate Nearest Neighbour (ANN) search across embeddings. For small and medium deployments, embedded solutions such as pgvector or FAISS [73] are sufficient, while large-scale workloads use dedicated engines such as Milvus or Qdrant [74]. This subsystem delivers evidence retrieval with provenance guarantees. Personal embeddings are stored exclusively in the secure zone, while the non-personal VDB manages only pseudonymised artefacts, maintaining strict separation between sensitive and non-sensitive data [75].
Event Logging and Compliance. All agents emit CloudEvents [64] enriched with compliance metadata, which are consolidated into tamper-evident logs. This ensures traceability, supports regulatory audits, and provides a verifiable accountability layer across the entire system.
Fallback Strategy. If DLP or consent validation fails, the system defaults to KB-only mode, preventing any personal data processing outside lawful conditions. If RAG services degrade or fail, the system returns cached responses from the most recent stable KB snapshot. If the Consent Agent, Security/DLP Agent, and Chat Agent become unavailable, processing continues exclusively through the non-personal path, with outputs restricted to generalised guidance derived from the KB [25,26,63,64].
Audit and DP. The Audit Agent incorporates a logically separated analytics tool that applies OpenDP/SmartNoise [76] under differential privacy. The deployment strategy ensures graceful degradation, with fallback to generic retrieval when personalised agents are unavailable, fault tolerance through Kubernetes rescheduling and message bus replay, and comprehensive observability. All fallback mechanisms follow a fail-closed posture: if required metadata (consent_version, policy_version) is missing or invalid, personal data processing is blocked, and KB-only responses are returned.
Observability and Tracing. The proposed MAS integrates a comprehensive observability subsystem to ensure that operational behaviour remains transparent, auditable, and diagnosable in real time. Tracing is implemented using OpenTelemetry, with Jaeger as the backend. The W3C Trace Context standard ensures that spans originating in the Consent Agent propagate consistently across downstream agents, enabling reconstruction of end-to-end workflows. Retention policies limit logs to compliance-mandated durations. Non-PII metadata is stored for up to 365 days. PII is excluded from observability data by design [24,25,47,64]; detailed mappings are provided in Appendix A. Each agent within the MAS is deployed as an independent Kubernetes pod, with strict namespace isolation and integration into the hybrid message bus. The Orchestrator, implemented as a FastAPI service connected to Kafka and NATS, coordinates the lifecycle of other agents and enforces orchestration policies. The Consent Agent, a microservice handling JSON-LD consent records [77], enforces runtime consent, processes revocation requests, and applies purpose limitation; its events are routed through Kafka and Redis adapters [78]. The Audit Agent, built on OpenTelemetry [79] and Elasticsearch [80] (scalable search and storage engine for logs and events), Logstash [81] (pipeline for log collection and transformation), and OpenSearch Dashboards [82] (visual interface for querying and dashboards). It collects and signs audit logs, stores CloudEvents in Kafka. The DLP, equipped with Named Entity Recognition (NER) models and a redaction engine (Stanza [83]), performs pseudonymisation and minimisation prior to storage or retrieval of personal data. Its access to the VDB is restricted through RBAC policies. The RAG Agent uses frameworks such as LangChain [84] with Qdrant [85] to perform knowledge retrieval under privacy-preserving filters. It falls back to KB-only responses when metadata such as policy_version or consent_version are missing or invalid. The Chat Agent, implemented as a ML service (Framework ML: scikit-learn [86]), delivers personalised outputs through Redis and NATS channels but reverts to KB-only outputs when consent or DLP validation fails. The XAI Agent integrates libraries such as LIME [87] to generate explanations and enforce Human-in-the-Loop (HITL) reviews, recording all explanation events as CloudEvents. The RBAC Service, integrated with a Vault service (HashiCorp Vault [54]), manages secure generation, rotation, and revocation of cryptographic material, and distributes signed policy manifests across the system. Observability is implemented as a cross-cutting subsystem that combines Grafana dashboards [88] with Jaeger tracing [89] to provide unified monitoring of metrics, logs, and traces to support Service Level Agreement (SLA) compliance and fault diagnosis.
The layered model integrates Orchestrator hub coordination, Kafka-based audit trails, Redis low-latency exchanges, and NATS control signals, balancing compliance with resilience and scalability.
Threat modelling and validity threats. The LINDDUN framework [90] is applied to the architecture’s concrete Data-Flow Diagrams (DFDs), enabling linking of identified threats to controls and to verifiable evidential artefacts of the MAS (Appendix C).
Each identified threat is linked to a control and to a verifiable artefact, such as a signed CloudEvent containing traceparent, policy_version, and consent_version when applicable, a consent snapshot, a DLP rule_id with model_version, or a differential privacy ledger entry [47,63,64]. Data retention is bound to transport class: Redis stores personal data for ≤24 h, Kafka retains non-PII for 365 days, and NATS is used for ephemeral control traffic [60,61,69,91].
Assumptions. The analysis assumes a controlled deployment with mutual TLS across all communication [92], rotating short-lived certificates [59], preserved vault integrity [43], clock synchronisation across nodes [93], and an active DLP subsystem.
Adversary model. Three categories are considered: external attackers targeting network interfaces and APIs [46], authorised insiders with curious access [48,75], and third-party tool or service providers [48]. Out of scope are endpoint compromise, operating-system root-level attacks, and hardware backdoors.
Method, scope, and traceability. DFDs include sensitivity labels and transport/retention assignments. Each element is evaluated against the seven LINDDUN categories and all identified threats are recorded in a traceability register (Table 2). The register links DFD element, LINDDUN threat, controls to evidential artefact. It employs a standardised vocabulary based on formal taxonomies, supports automated cross referencing to DFD artefacts, and provides input for evidence extraction and audit replay [90]. References to Appendix C and Appendix D point to supporting artefacts. These appendices exemplify the artefacts that substantiate the conceptual threat assessment. Appendix C presents the reproducibility-bundle schema together with a representative export comprising an audit event, consent snapshot, DLP entry, PCP resolution, VDB provenance, and privacy-accountant excerpt. Appendix D documents the complete LINDDUN mapping, qualitative risk scores, and the validation checklist, including sensitivity analyses, PCP continuous-integration tests, and portability smoke tests.
Within the LINDDUN categories of Disclosure and Content Unawareness, hallucination is treated as a combined disclosure and misinformation risk. Mitigation strategies rely on the systematic tracking of trace_id, policy_version and consent_version tracking, DLP-based minimisation, RAG provenance records, and fail-closed. On detecting deviations, the system triggers auditing and returns a non-personalised fallback response.
Validity threats. Construct validity risks arise from proxy measures (timestamp coarsening, hashing, privacy budget in differential privacy). Internal validity is affected by policy drift [102]. External validity depends on middleware defaults (Kafka, Redis, NATS) [69,78,103]. Conclusion validity is contingent on the availability of a complete reproducibility bundle (signed audit event, consent snapshot, DLP entry, PCP resolution, VDB provenance data) [76,98,102]. The complete reproducibility-bundle schema and the sample artefacts used in the assessment of conclusion validity are presented in Appendix C. The full LINDDUN mapping together with the associated validation checklists is provided in Appendix D.
DFD identifiers. Each element has a stable dfd_id of the form DFD-L<level>-<component>-<seq>. L1 denotes context diagrams; L2 identifies detailed sub-flows [90]. The complete registry and version history are provided in Appendix D.
Evidence captures must be both deterministic and minimal. For each trace, only the following artefacts should be collected: (i) signed audit CloudEvent [64], (ii) consent snapshot [95], (iii) DLP/redaction entry [104], (iv) PCP resolution [49], (v) VDB provenance [97], and (vi) privacy-accountant excerpt [76]. All artefacts must include canonical attributes (traceparent or mapped trace_id [63], policy_version, consent_id, consent_version, decision/action, timestamp) as well as provenance metadata [43]. Where raw content cannot be shared, redacted copies should be provided alongside hash commitments [102]. A sampled trace should include: the signed audit event with its offset; the corresponding consent database row or snapshot; the DLP log line with rule_id, model_version, and action; the PCP-resolution log with applied policy_version; the VDB retrieval_provenance file for the relevant query_id; and the privacy-accountant ledger excerpt. This bundle supports DPIA validation and remains compliant with GDPR requirements, provided that retention guarantees are enforced [24,43,105].
Comparison with other frameworks. We evaluate the proposed architecture against alternative frameworks using seven criteria (C1–C7) (Table 3) derived from established international standards and regulatory guidance. The criteria cover governance and auditability, consent orchestration, clinical interoperability, privacy-enhancing technologies, edge performance, local explainability, and federated lifecycle management. Each criterion is assessed using verifiable technical and procedural controls aligned with GDPR and EU AI Act accountability requirements.
Privacy-preserving analytics in healthcare have shifted from centralised data lakes to distributed paradigms such as “algorithm-to-data” approaches and federated learning. Contemporary frameworks illustrate this transition: NVIDIA FLARE [20] integrates audit logging and PETs [20]; Substra applies a “data never leave the node” model with ledger-backed traceability [21]; DataSHIELD enables non-federated assign/aggregate statistics. Agentic enablers such as Microsoft Healthcare Agent Orchestrator [107] and Model Context Protocol (MCP)-FHIR connectors bridge multi-agent workflows to FHIR endpoints [108]. Despite these advances, two gaps remain in clinical assisted settings: (1) limited production-grade FHIR conformance and (2) the absence of consent orchestration aligned with ISO/IEC TS 27560 [77]. ENISA further emphasises that PETs should be integrated as engineered controls within governance frameworks rather than appended in an ad hoc manner. The proposed architecture addresses these gaps by combining a secure MAS (supporting consent management, audit/DLP, local explainability) with a hybrid message bus and a SMART-on-FHIR perimeter, encapsulating FL runtimes and non-FL distributed analytics as agents. This design preserves the strengths of PET- and FL-based approaches while resolving critical governance and conformance gaps (C2–C3–C6), thereby supporting deployment in autism-care settings. A detailed criterion-based comparison (C1–C7) is presented in Appendix B.
Experimental setup. The operational validity of the proposed PbD MAS was assessed through a structured empirical evaluation of complete Retrieval-Augmented Generation pipeline. The evaluation employed two complementary evaluation datasets (combined n = 250), covering clinically grounded knowledge and naturalistic caregiver communication. To assess practical feasibility, all experiments were conducted on consumer-grade edge hardware. Specifically, the system was deployed on a MacBook Pro M4 with 16 GB RAM, running a containerised microservices stack and a local language model runtime.
The system implements a modular multi-agent architecture composed of narrowly scoped agents, supporting PbD principles and end-to-end traceability. Processing begins with a DLP-first pipeline, in which caregiver or clinical text is processed by a dedicated Security/DLP Agent for pseudonymisation and personal data redaction. Raw identifiers are not stored; only sanitised text is subsequently chunked and indexed in the vector database by the RAG Agent. Consent enforcement, runtime policy checks, and residual PII validation operate across both retrieval and generation stages. Audit logging and distributed tracing provide accountability and traceability aligned with GDPR and EU AI Act requirements.
Scenario Evaluation. An MVP of the proposed system was evaluated under controlled conditions. In addition to the technical assessments of data processing and retrieval, reported in the Results section, we designed and implemented a representative MAS use case. The scenario models secure remote collaboration between a caregiver and a specialist, such as a therapist or special education teacher, who must review home-based progress. The use case verifies that the distributed agent architecture safeguards personal data while maintaining the required communication flow. The scenario covers an end-to-end cycle of sharing child’s observation records, from data ingestion to authorised access and consent revocation. A caregiver uploads a child’s observation note. The Security/DLP Agent processes the note using three detection layers. Regular expression (Regex) detects fixed patterns. NER from Presidio (2.2.360) identifies structured entities. A context-sensitive detector loads entries (e.g., the child’s name) from a local SQLite (3.50.4) context and marks them as PII. The DLP engine produces deterministic placeholders using salted SHA-256 hashes. A dual storage model in the note_registry table stores (i) the original text in encrypted form, (ii) an anonymised version for retrieval, and (iii) pii_spans_json to enable reconstruction when authorised.
The RAG Agent stores anonymised child’s observation records in Qdrant (v1.16.3). The retrieval strategy combines dense embeddings with sparse BM25 search. Maximal Marginal Relevance (MMR) filters the combined set. To prevent cross-user leakage, separate collections are maintained for each caregiver. Specialist access is managed through a token-based mechanism. After admin approval, the system issues a Universally Unique Identifier (UUID) token which is recorded as “active” in the assignments table. When a specialist accesses a record under an active token, the system reconstructs the original view by inserting values from the child context into the anonymised text. Once the token status becomes revoked, reconstruction is blocked and only the anonymised text is exposed. The Chat Agent performs local inference, using LM Studio (0.3.39—Build 2), to avoid cloud-based exposure.
The agent merges child’s observation records from the rag_collection with objective guidance retrieved from the global_knowledge collection. A system prompt constrains the agent to an Applied Behaviour Analysis (ABA) therapy assistant and explicitly prohibits diagnostic content. The MCP gateway performs consent and DLP checks prior to generating any output. All activities are logged by the Audit Agent to ensure GDPR-aligned accountability and compliance with EU AI Act traceability requirements.
Evaluation methodology: The empirical evaluation of the proposed Privacy-by-Design Multi-Agent System employs the RAGAs (Retrieval-Augmented Generation Assessment) framework proposed by Es et al. (2024) [109], adapted for deployment with locally hosted LLMs to ensure reproducibility and eliminate dependencies on external API services. Two domain-specific evaluation corpora were developed to assess system performance across complementary linguistic and informational contexts.
The DSM-5 Knowledge QA Dataset (n = 100) consists of question–answer pairs derived from the Diagnostic and Statistical Manual of Mental Disorders 5th Edition [110] and evidence-based literature on autism interventions. The questions cover diagnostic criteria, behavioural indicators, therapeutic modalities (including applied behaviour analysis, speech therapy, and occupational therapy) and prognostic aspects. The dataset evaluates retrieval and synthesis of clinically grounded information using medical terminology.
The Caregiver Notes QA Dataset (n = 150) simulates naturalistic communication between caregivers and educational or therapeutic specialists. The notes cover eight behavioural categories, including daily transitions, communication patterns, sensory responses, social interaction, routine adherence, therapy observations, behavioural incidents, and health-related observations. The dataset assesses retrieval performance on informal observational language commonly used in caregiver documentation.
In addition, 30 metadata filter test cases were used to validate access control mechanisms, including single-value filters, OR condition queries, combined filter operations, owner-based restrictions, and edge case scenarios.
The evaluation framework implements 14 metrics organised into four methodologically distinct categories:
(a) 
LLM-as-a-Judge metrics—6 metrics
Answer Relevancy is a core evaluation metric that assesses the extent to which a generated response addresses the original user query. The metric is computed by reconstructing a set of synthetic questions from the generated answer using an LLM and measuring their semantic similarity to the original query embedding:
A n s w e r   R e l e v a n c y = 1 n   i = 1 n c o s e o r i g i n a l , e g e n e r a t e d i
where e o r i g i n a l denotes the embedding of the original question and e g e n e r a t e d i represents the embeddings of the reconstructed questions derived from the generated answer. Lower values indicate reduced relevance, reflecting the presence of redundant, incomplete, or off-topic content in the generated response [109].
Faithfulness quantifies the proportion of answer claims that are supported by the retrieved context. The computation follows two steps: (i) atomic claims are extracted from the generated answer, and (ii) each claim is verified against the retrieved context using Natural Language Inference (NLI). Formally:
F a i t h f u l n e s s = C s u p p o r t e d C t o t a l
where C t o t a l denotes the set of atomic factual statements extracted from the generated answer and C s u p p o r t e d denotes the subset verified as entailed by the retrieved context [109].
Context Precision measures the position-weighted relevance of retrieved documents:
C o n t e x t   P r e c i s i o n = k = 1 K ( P r e c i s i o n @ k   ×   v k ) k = 1 K v k
where v k ∈ {0,1} indicates the relevance of the context at rank k, and Precision@k denotes the proportion of relevant contexts in the top-k retrieved results [109].
Context Recall evaluates whether content from the reference answer is attributable to the retrieved context and is defined as:
C o n t e x t   R e c a l l = S s u p p o r t e d S t o t a l
where S t o t a l denotes the set of sentences in the gold-standard answer, and S_supporteddenotes the subset of sentences that are verified as being supported by the retrieved context [109].
Answer Correctness and Context Relevance are assessed using direct LLM evaluation on a 1 to 5 ordinal scale, measuring factual accuracy against reference answers and alignment between the query and the retrieved context, following the LLM-as-a-Judge paradigm [111].
(b) 
Answer Similarity measures the semantic similarity between generated and reference answers by computing the cosine similarity between their embedding representations:
A n s w e r   S i m i l a r i t y = i = 1 d e g o l d , i   e p r e d , i i = 1 d e g o l d , i 2   i = 1 d e p r e d , i 2  
where the embedding vectors e g o l d and e p r e d are generated using the mxbai-embed-large-v1 embedding model.
(c) 
Information Retrieval Lexical Metrics—4 metrics
Precision@K follows the classical definition in information retrieval [112], measuring the proportion of relevant documents among the top-K retrieved results. Relevance is formalised as a binary predicate based on lexical overlap with the gold-standard answer:
P r e c i s i o n @ K = 1 K d     D K   |   o v e r l a p d , g o l d   θ
where D K denotes the set of the top-K retrieved documents, and θ = 0.3 represents the minimum word-overlap threshold. The function o v e r l a p d , g o l d computes the proportion of shared significant terms (length > 3, excluding stopwords) between the retrieved context d and the reference answer [112].
Recall@K quantifies the coverage of gold-standard answer content by the retrieved documents:
R e c a l l @ K = | t e r m s g o l d t e r m s ( D K ) | t e r m s g o l d
where t e r m s g o l d t e r m s ( D K ) significant lexical units through tokenization, stopword removal, and length-based filtering [112].
Mean Reciprocal Rank (MRR) evaluates ranking quality by measuring how early the first relevant document appears in the ranked list:
M R R = 1 Q   i = 1 Q 1 r a n k i
where Q is the set of evaluated queries, Q denotes its cardinality, and r a n k i is the rank position of the first retrieved document deemed relevant for query i. If no relevant document is retrieved within the top-K results, the reciprocal rank is defined as zero [113].
HasHits indicates retrieval success as the proportion of queries for which at least one relevant context is retrieved:
H a s H i t s = 1 Q   i = 1 Q 1 d   D K i : o v e r l a p d , g o l d i   θ
where Q denotes the set of evaluated queries, D K i is the set of top-K contexts retrieved for query i, θ is the lexical overlap threshold, and 1 d   D K i : o v e r l a p d , g o l d i   θ is the indicator function, which returns 1 if the condition is satisfied, and 0 otherwise [112].
(d) 
Heuristic Quality Metrics
Harmfulness identifies healthcare misinformation with safety risk using deterministic pattern matching. The method applies five domain-specific regular expression patterns: (i) dangerous treatment language, (ii) anti-medical advice (e.g., “stop medication”), (iii) unsubstantiated cure claims, (iv) known harmful substances (bleach/Miracle Mineral Solution (MMS), unregulated chelation), and (v) anti-vaccination content. The metric is conservative. It favours safety over recall.
H a r m f u l n e s s = m i n 1.0 ,   i = 1 5 m i × 0.2
where m i 0,1 indicates whether harmful pattern i is matched in the generated response and i 1 ,   , 5 corresponds to the predefined set of harmful content patterns. A score of 0.0 indicates no detected harmful content, while a score of 1.0 reflects the presence of multiple high-risk patterns. Lower values are preferable [114].
Coherence metric measures structural organisation and linguistic quality. It combines sentence validity, discourse connectors, and lexical diversity for short, domain-specific outputs.
C o h e r e n c e = m i n 1.0 ,   S + C + D
where S = 0.3 if at least one sentence exceeds 10 characters (and 0 otherwise), C = 0.3 if at least one discourse connector appears (else 0), and
D = 0.4 ,   i f W > 20   U W > 0.5 0.2 ,   i f   W > 10 0 ,   o t h e r w i s e
with W total number of tokens and U the number of unique tokens. Discourse connectors include examples such as because, therefore, however, and additionally [115].
Noise Robustness measures reliance on retrieved context rather than speculative language. The metric rewards explicit evidence references and penalises uncertainty markers linked to hallucination.
N o i s e   R o b u s t n e s s = c l a m p   0.3 + G H ,   0 ,   1
where G =   m i n ( 0.5 ,   0.15   ×   | g r o u n d i n g _ p h r a s e s | ) and H = m i n 0.5,0.10 × h e d g i n g p h r a s e s . Grounding phrases include expressions such as “according to”, “based on”, “as mentioned”, and “the context shows”, whereas hedging phrases include expressions such as “I think”, “probably”, “might be”, “could be”, and “generally speaking”. Higher scores indicate evidence-based, context-anchored responses, whereas lower scores suggest speculative or weakly grounded output [116].
The evaluation judge, Meta Llama 3 8B Instruct, operates via local deployment through LM Studio ensuring deterministic reproducibility without reliance on external service dependencies. Embedding generation utilised the mxbai-embed-large-v1 model (text-embedding-mxbai-embed-large-v1). The vector database, Qdrant with HNSW indexing [73], applied a minimum relevance threshold (min_score = 0.3) for context filtering, retaining the top-3 semantically similar chunks per query. This configuration prioritises precision over recall in context selection to minimise hallucination risk while maintaining response groundedness.

4. Results

The empirical evaluation encompasses 250 question–answer pairs evaluated using the complete RAG pipeline with all privacy-preserving components enabled. Table 4 presents aggregate evaluation metrics stratified by dataset, enabling a comparative analysis between clinical terminology (DSM-5) and Caregiver Observation Notes.
The results demonstrate stable answer quality across both corpora. Answer relevancy scores reach 0.767 for the DSM-5 dataset and 0.750 for the Caregiver Notes dataset, indicating that system responses address user queries regardless of linguistic register. Coherence scores of 0.888 and 0.927 confirm that the generated outputs remain logically structured and highly readable. A zero-harmfulness score across all 250 queries validates the effectiveness of the DLP mechanism and orchestration-level safety controls.
Retrieval performance differs across domains. The Caregiver Notes dataset achieves a higher Recall@K value of 0.742, compared to 0.400 for DSM-5 dataset. This disparity suggests that the embedding and retrieval pipeline captures semantic relationships more effectively in naturalistic observational language than in formal clinical terminology. These findings have direct implications for KB design and domain-specific tuning. Context precision and context relevancy values range from 0.599 to 0.631 and from 0.858 to 0.862, respectively, confirming strong topical alignment between queries and retrieved context, while the moderate precision values indicate remaining opportunities for retrieval optimisation.
Faithfulness scores are low, with values of 0.020 for the DSM-5 dataset and 0.178 for the Caregiver Notes. These results reflect the strict NLI-based verification applied by Llama 3 8B(meta-llama-3-8b-instruct), which requires near verbatim alignment between claims and context. Higher Recall@K values confirm that relevant information is successfully retrieved. Lower faithfulness scores arise from paraphrasing and synthesis during generation. The behaviour reduces NLI-based faithfulness but supports improved readability and clinical usability.
Table 5 presents performance disaggregated by thematic category within the DSM-5 dataset, revealing systematic variation in retrieval and generation efficacy across clinical domains.
Medical-domain queries (n = 47) achieve strong answer relevancy (0.782) and moderate recall (0.442), reflecting the concentration of therapeutic intervention content within the KB. Behavioural observation queries exhibit the highest answer relevancy (0.827), suggesting effective semantic alignment between behavioural terminology and the indexed content. Communication-related queries achieve the highest recall (0.475), whereas social interaction queries exhibit the lowest performance across both metrics (relevancy: 0.679, recall: 0.281), suggesting a potential gap in KB coverage for social development related content.
Table 6 summarises the metadata filter validation results across 30 test cases designed to verify the integrity of privacy-preserving access controls.
All metadata filter tests achieved a 100% pass rate. These results confirm the correct implementation of child_id filtering, caregiver_id restrictions, OR condition queries, combined filters, and owner-based access control rules. Edge case tests confirm correct handling of empty result sets, malformed filter specifications, and boundary conditions.

Limitations

Scope and research stage. As a research artefact, the limitations align with the MVP stage. The study prioritises validation of the core Multi-Agent System architecture and its security and privacy controls, rather than production level optimisation. The contribution encompasses both the conceptual design of the proposed architecture and its quantitative evaluation on 250 test queries using a comprehensive set of 14 metrics adapted from the RAGAs framework.
Evaluation setup and performance constraints. The evaluation focuses on response quality, semantic correctness, and groundedness, measured using metrics adapted from the RAGAs framework. Response latency ranges between 48 and 74 s per query and has not been optimised. The reported values correspond to evaluation time execution, including retrieval, scoring, and LLM-as-a-Judge assessment, rather than end user operational latency.
Methodological limitations of evaluation metrics. Several methodological considerations warrant acknowledgment. First, the use of Llama 3 8B as the evaluation judge, rather than GPT-4 as employed in the original RAGAs framework validation [109], may affect metric calibration. The 8-billion parameter model exhibits more conservative scoring behaviour, particularly for faithfulness assessment, where it applies stricter criteria for claim-context entailment than larger models. This methodological choice prioritises reproducibility and local deployment capability over alignment with GPT-4-based benchmark scores reported in the RAGAs literature [117].
Dataset realism and generalisability are limited by the use of synthetic data. The Caregiver Notes dataset was generated synthetically to reproduce linguistic patterns found in caregiver communication. Synthetic data were used to support PbD and to avoid processing real caregiver records containing personal or health data. The approach enables controlled evaluation under ethical constraints. The dataset does not cover the full variability of caregiver documentation across populations, languages, and cultural contexts. Consequently, generalisation of longitudinal clinical deployment requires further validation.
Domain-specific retrieval limitations. The performance gap between clinical terminology in the DSM-5 dataset and observational caregiver language suggests that embedding models trained on general purpose corpora are less effective for specialised medical vocabulary.
Architectural and security trade-offs. This work follows a DSR approach and presents a designed artefact grounded in established architectural patterns and security principles. The architecture mitigates session hijacking risk within the MCP [118] through frequent token rotation, short-lived sessions, and mutual TLS, which reduce exposure to man-in-the-middle attacks. The design prioritises security, auditability, and legal compliance, resulting in trade-offs with operational simplicity and dynamic flexibility. A deterministic orchestration model was selected instead of an adaptive one to support trust, compliance auditing, and legal accountability. This approach aligns with GDPR and EU AI Act requirements and provides a predictable operational model. The use of a hybrid message bus increases operational complexity but supports performance, durability, and privacy requirements. Service mesh integration introduces additional latency from sidecar proxies, which the design mitigates through gradual adoption.

5. Discussion

The proposed architecture provides an appropriate foundation for an AI-assisted system designed to support autism caregivers:
-
Alignment with stakeholder structure: Caregivers, autistic individuals, and clinicians correspond to distinct roles with different rights and obligations. MASs allow these roles to be mapped to agents and organisational structures, making consent flows explicit rather than implicit.
-
Handling distributed, heterogeneous data: Information about an autistic individual’s routines, behaviours, and interventions is distributed across home devices, clinical records, and educational settings. MASs are designed to operate over distributed environments and can coordinate access through dedicated data access and consent agents.
-
Embedding PbD controls: Privacy and security responsibilities can be assigned to specific agents (e.g., Consent Agent, Security/DLP Agent, Audit Agent), instantiated as first-class entities in the system rather than cross-cutting concerns spread across codebases. This supports data minimisation, purpose limitation, and accountability as required by privacy regulations. The token model described in our scenario applies purpose limitation and data minimisation. Admin approval initiates a UUID token recorded as active or revoked. The dual storage model keeps original text for the caregiver and anonymised text with pii_spans_json for controlled reconstruction. A revoked token blocks reconstruction and returns the anonymised note, enforcing fail-closed behaviour. The DLP engine applies regex, NER, and a context layer that loads child and caregiver names from SQLite. Deterministic salted SHA 256 placeholders keep stable references while reducing re-identification risk. Separate Qdrant collections are maintained for each caregiver–child pair to prevent cross-user leakage. A global knowledge collection provides supplementary specialised information. The Chat Agent fuses both sources to generate guidance tied to child observation records without exposing personal data.
-
Integration with AI components: MASs naturally structure the orchestration of KB, retrieval components, and language models. Within a PbD-compliant workflow, for example, a retrieval agent may interact with a knowledge base of vetted autism resources, while a generation agent produces responses only after consent and security/DLP agents have authorised the use of relevant context. MAS theory provides both conceptual tools (agents, roles, norms, organisations, interaction protocols) and practical engineering guidance (modularity, separation of concerns, explicit coordination) that underpin our architectural choice to design an AI-assisted autism support system as a PbD MAS rather than as a monolithic application or a simple microservices collection.
By embedding principles of privacy, accountability, and ethics directly into the system’s design, the proposed solution operationalises digital trust—an important prerequisite for the sustainable adoption of technology within vulnerable communities.
The modular and interoperable design promotes economic sustainability through component reuse, scalability, and optimisation of operational costs.
The research directly addresses RQ1 and RQ2 through iterative design–build–evaluate cycles. For RQ1, the process operationalises PbD principles into concrete system components—agent roles, communication patterns, and privacy enforcement mechanisms—and assesses their performance and compliance.
For RQ2, the evaluation extends to governance, sustainability, and trustworthiness aspects by comparing the proposed architecture with existing federated and centralised frameworks. The artefact is validated through technical metrics (retrieval accuracy, privacy detection, latency) and analytical methods (LINDDUN threat modelling, compliance mapping, and validity threat assessment).
The findings presented in this paper could provide actionable guidance for developers, system architects, and policymakers engaged in the design of AI-driven digital health solutions.

6. Conclusions and Future Work

The research employs a Design Science Research methodology to develop and evaluate a multi-agent architecture that integrates privacy enforcement, governance, and Large Language Model reasoning within a single, context-aware framework. Through this approach, we provide an integrated perspective on sustainable digital transformation in healthcare.
The proposed design addresses RQ1 and RQ2 by integrating PbD principles into a modular multi-agent architecture and laying the foundation for scalable, sustainability-oriented AI solutions in healthcare.
The primary contributions are threefold:
-
First, the architecture demonstrates that privacy enforcement can be implemented as first-class agents rather than cross-cutting concerns. The Consent Agent, Security/DLP Agent, and Audit Agent operate as autonomous services with clearly defined responsibilities, enabling independent verification and modular evolution. This separation of concerns aligns with both software engineering best practices and the accountability requirements of GDPR Article 5(2).
-
Second, the token-based access control mechanism provides a practical model for implementing purpose limitation and temporal access constraints. The dual storage approach—retaining original text for data subjects while exposing only anonymised versions to authorised processors—demonstrates that data minimisation need not compromise clinical utility when combined with controlled reconstruction capabilities.
-
Third, the hybrid RAG architecture shows that privacy-preserving AI can deliver contextually relevant responses by fusing personal observations with curated knowledge bases. The fail-closed design ensures that system failures result in reduced functionality (KB-only responses) rather than privacy breaches, addressing a critical gap in existing assisted technology deployments.
The empirical evaluation, conducted on 250 question–answer pairs spanning clinical knowledge (n = 100) and caregiver observational contexts (n = 150), confirms architectural feasibility and demonstrates the viability of privacy-preserving RAG deployment on consumer-grade hardware. PII detection achieves robust accuracy through a multi-layer approach combining Microsoft Presidio for Named Entity Recognition, spaCy for contextual entity extraction, and deterministic regex patterns for structured identifiers. RAG-grounded generation achieved answer relevancy scores of 0.767 (clinical domain) and 0.750 (observational domain), with coherence metrics of 0.888 and 0.927, respectively, indicating that the generation pipeline produces contextually appropriate, logically structured responses. The zero-harmfulness detection rate across all 250 evaluation queries validates the effectiveness of embedded safety mechanisms. Metadata filter validation achieved 100% pass rate across 30 test cases, confirming the integrity of privacy-preserving access controls. The differential retrieval performance between clinical (Recall@K = 0.400) and observational (Recall@K = 0.742) corpora suggests opportunities for domain-specific embedding optimisation in future iterations. These findings establish a foundation for subsequent clinical validation studies and inform the roadmap for production deployment in regulated healthcare environments.
Future work will focus on large-scale deployment, extended technical evaluation, and model refinement. Planned steps include the following:
-
Retrieval and faithfulness improvements. Future iterations will address the current faithfulness and retrieval limitations by investigating optimised chunking strategies, prompt refinement, domain-specific fine-tuning, and LLMs to improve response grounding and accuracy.
-
Latency optimisation. Reduce response time from the current 48–74 s through model quantization, caching strategies, and optimised agent orchestration for real-time interaction scenarios.
-
Longitudinal evaluation. Conduct extended studies to measure reliability, policy drift, and caregiver outcomes.
-
Clinical validation. Deploy the system in controlled settings with caregivers and therapists to assess usability, trust, and acceptance.
-
KB expansion. Extend beyond the current DSM-5 dataset (57 chunks) to include additional clinical guidelines, therapy protocols, and regional autism support resources.
-
Domain transfer. Investigate the transferability of the proposed architecture to other application domains under domain-specific personalisation and privacy constraints.
-
Federated learning integration. Add the FL components described in the design to allow model personalisation without centralising sensitive data.
-
IoT integration. Integrate consent-governed IoT data sources with edge processing and/or pseudonymisation to preserve privacy and accountability.
-
Multi-language support. Extend XAI explanations to support users across different languages, building on the existing template infrastructure.

Author Contributions

Conceptualization, I.C. and C.O.T.; methodology, I.C. and C.E.T.; software, I.C.; validation, I.C., C.E.T. and C.O.T.; investigation, I.C., C.E.T. and C.O.T.; resources, I.C.; data curation, I.C.; writing—original draft preparation, I.C.; writing—review and editing, I.C., C.E.T. and C.O.T.; visualization, I.C. and C.E.T.; supervision, C.E.T. and C.O.T.; project administration, C.O.T. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

The data presented in this study are openly available at https://huggingface.co/datasets/Ionutcroitoru/pbd-autism-caregiver (accessed on 16 February 2026).

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
A2AAgent-to-Agent
ABAApplied Behaviour Analysis
AES-GCMAdvanced Encryption Standard—Galois/Counter Mode
AIArtificial Intelligence
ANNApproximate Nearest Neighbour
APIApplication Programming Interface
ASDAutism Spectrum Disorder
AUAudit Controls (NIST SP 800-53 AU)
BCPBest Current Practice
BM25Best Match 25 (ranking function)
COPPAChildren’s Online Privacy Protection Act
CRISP-MLQCross-Industry Standard Process for Machine Learning Quality
DFDData-Flow Diagrams
DLPData Loss Prevention
DPDifferential Privacy
DPIAData Protection Impact Assessment
DSRDesign Science Research
EDPBEuropean Data Protection Board
EHRElectronic Health Record
ENISAEuropean Union Agency for Cybersecurity
EU AI ActEuropean Union Artificial Intelligence Act
FAISSFacebook AI Similarity Search
FHIRFast Healthcare Interoperability Resources
FLFederated Learning
FLAREFederated Learning Application Runtime Environment
gRPCGoogle Remote Procedure Call
GDPRGeneral Data Protection Regulation
HIPAAHealth Insurance Portability and Accountability Act
HITLHuman-in-the-Loop
HL7Health Level Seven
HNSWHierarchical Navigable Small World
IoTInternet of Things
ISO/IECInternational Organisation for Standardisation/International Electrotechnical Commission
KBKnowledge Base
LLMLarge Language Model
LMLanguage Model
MCPModel Context Protocol
MLMachine Learning
MLOpsMachine Learning Operations
MMRMaximal Marginal Relevance
MQTTMessage Queuing Telemetry Transport
MVPMinimum Viable Product
NERNamed Entity Recognition
NLPNatural Language Processing
OIDCOpenID Connect
PCPPolicy Control Plane
PETsPrivacy-Enhancing Technologies
PIIPersonally Identifiable Information
PbDPrivacy-by-Design
RAGRetrieval-Augmented Generation
RAGAs Retrieval-Augmented Generation Assessment
RBACRole-Based Access Control
RESTRepresentational State Transfer
SLMSmall Language Model
SQuaRESoftware Quality Requirements and Evaluation
TLSTransport Layer Security
TLAThree-Letter Acronym
TTLTime to Live
UIUser Interface
UUIDUniversally Unique Identifier
VDBVector Database
XAIExplainable Artificial Intelligence
W3CThe World Wide Web Consortium

Appendix A

Table A1. CloudEvents transport mapping and retention constraints.
Table A1. CloudEvents transport mapping and retention constraints.
Message/FlowDirectionSensitivityPrimary TransportRationaleCloudEvents HeadersRetention PolicyPII AllowedDelivery SemanticsFallbackReference
Audit event (append-only)Asyncnon-PII (minimised)KafkaDurability, compliance, replay, traceparent, policy_version, consent_version, purpose_id365 days (no payload PII)NoAt least once, ordered-Kafka immutable logs [119,120]; GDPR minimisation [24]; AI Act logging [25]
Policy distribution (PCP to agents)Asyncnon-PIIKafkaVersioning, traceability, fan-outtraceparent, policy_version≥90 daysNoAt least onceNATS—fast broadcastKafka durability [61]; AI Act on Art. 12 [25]
Health/heartbeat/TTLAsyncnon-PIINATS JetStreamSub-ms latency, TTL controltraceparent (short), policy_version optional1–24 h max_ageNoAt least once-NATS low latency; TTL max_age
Agent status/control signalsAsyncnon-PIINATS JetStreamLightweight signallingidem1–24 hNoAt least once-NATS JetStream ephemeral channels [60]
Personalisation requestAsyncPII (minimised)Redis StreamsSub-ms latency in personal zonetraceparent, policy_version, consent_version, purpose_id≤24 h (trim)Yes—minimisedAt least onceKafka (meta only)Redis Streams latency [91] GDPR storage limitation [24]
DLP rationale to XAIAsyncnon-PIIRedis StreamsLocal, low latencytraceparent, policy_version, purpose_id≤24 hNoAt least onceKafka (meta log)Redis near-real-time; PbD default minimisation [24,53]
XAI explanation to UIAsyncnon-PIIKafkaAudit + fan-outtraceparent, policy_version, purpose_id90 daysNoAt least onceRedis (cache)Transparency and explainability (AI Act Art. 13) [25]
Knowledge base retrieval result (RAG)Asyncnon-PIIKafkaProvenance and Version Controltraceparent, policy_version, purpose_id90 daysNoAt least onceRedis (local)Knowledge provenance logging [63,64]
Consent decisionsync (gRPC/ HTTP)PII (meta only)Synchronous channelDeterministic control pathHeaders: traceparent, policy_version, consent_versionnaYes—meta onlyExactly once-gRPC low latency typed calls [121,122]
Routing decision (by Orchestrator)asyncnon-PIIKafkaTraceable, replayabletraceparent, policy_version, purpose_id365 daysNoAt least once-Deterministic routing policy [61,78]

Appendix B

Table A2. Comparison with Other Frameworks.
Table A2. Comparison with Other Frameworks.
CriterionStandard(s)NVIDIA FLARE Substra DataSHIELD Microsoft Healthcare Agent Orchestrator EHR Tools with MCP and FHIR Proposed MAS
Generic FL Framework Focused on ML Workflows [20,121].ComplianceGovernance And Orchestration Infrastructure For Fl Projects [21].ComplianceServer-side Analysis Produces Only Non-disclosive Ag-gregate Outputs, Enabling Priva-cy-preserving Epide-miological Collabora-tion Across Cohorts [123].ComplianceCoordinate Healthcare Agents With Fhir-connected, Secure Clinical Workflows [107].ComplianceAgentic MCP Server Ex-posing Smart-on-Fhir Tools For Ehr Integration Securely [108].Compliance Compliance
C1 Governance and auditISO/IEC 27001; NIST SP 800-53 AUAudit logs and secure provisioning; ISMS/NIST AU mapping remains organisational [124]PProvides governance and audit through an immutable distributed ledger that records full traceability of every operation, from data to modelsPServer-side logs and non-disclosive outputs support accountability, but the scope of the Information Security Management System (ISMS) and audit (AU) mapping must be defined at the consortium levelPObservability and telemetry are available at the Orchestrator, but clinical audit requires explicit policies, storage definitions, and verification rulesPNo dedicated auditing subsystem is available beyond basic logging capabilities-ISMS/PIMS scope defined; Consent/Audit Agents enforce AU controls; CloudEvents logs tamper-evident
C2 Consent orchestrationISO/IEC TS 27560 [77]; EDPB GDPR revocationProvides site-level security and policy controls but does not implement ISO/IEC TS 27560 consent records, receipts, or runtime revocation; consent orchestration must be implemented externally-Manages access through granular data-level permissions, while end-user consent orchestration and GDPR revocation remain the responsibility of each organisation-Each server operates under the lawful basis defined by its controller, without a cross-site consent registry or runtime enforcement-Human approval steps and workflow gates can approximate consent handling, but no ISO/IEC TS 27560 model is implemented; consent records must be managed through an external servicePDoes not include a consent orchestration plane; consent management is delegated to upstream systems-JSON/JSON-LD consent records; runtime enforcement; revocation per EDPB
C3 Clinical interoperabilityHL7 FHIR (Capability Statement, FMM)As a federated learning framework, NVIDIA FLARE does not handle clinical data directly; instead, it trains models on data prepared from FHIR-compliant sources-Requiring a pre-processing pipeline to transform clinical data.PThe APIs return aggregate results rather than FHIR resources and are therefore not designed to function as an EHR interoperability layer-Provides connectors and workflow patterns for invoking FHIR endpoints within agent processesIncludes an MCP server that exposes FHIR services, enabling agents to access Electronic Health Record (EHR) data under declared capabilitiesCapability Statement published; profile tests (Consent, Patient, Observation)
C4 PETs (ENISA)ENISA Data Protection EngineeringAligning with ENISA’s PET guidelines, NVIDIA FLARE enables secure aggregation through technologies like homomorphic encryption and provides the essential security controls required for a complete risk assessment.Integrates PETs, enabling techniques such as differential privacy within compute plans to ensure data protectionThe assign architecture returns only non-disclosive summaries, achieving PbD at the server sidePrivacy controls need to be introduced through custom agents or other services-Interop tooling only- PETs integrated per ENISA principles (local processing, minimisation, aggregation)
C5 Edge performance and reliabilityISO/IEC 25002:2024Supports edge deployments aligned with ISO/IEC 25002Reliability is ensured by an orchestrator that manages the execution of compute plans, restarts failed tasks, and guarantees reproducibility of resultsPServers operate behind institutional firewalls, and resilience derives from local operations, with inherent fault tolerance since computation remains local.FL capabilities are not included and must be provided externally-Performance is platform dependent, with no explicit guarantees regarding latency or offline operationPp95 latency measured; offline mode supported; uptime, resource use, recovery documented
C6 Local explainability (HITL)IEEE 7001 [125]; NIST AI RMF [126]Allows local experts to apply preferred XAI tools to validate models, perform human-in-the-loop review, and generate explanations for individual decisions.PIt facilitates local explainability by allowing trained models to be evaluated and interpreted at each node using external XAI libraries, without providing native functionality. No native XAIPGenerates statistical aggregates rather than explanations for individual level decisions-No formal XAI library is included, although workflows can incorporate human approval stepsPAgents may expose rationale through reasoning traces or tool outputs, but no dedicated local XAI module is providedP XAI Agent; human-in-the-loop review enforced; explanation logs recorded
C7 Federated lifecycleNIST AI RMF; CRISP-ML(Q) [127]Provides the technical foundation for a structured federated lifecycle, allowing organisations to manage the ML process (CRISP-ML(Q)) and AI risks (NIST AI RMF) in a decentralised, privacy-preserving environment.The federated lifecycle is explicitly defined and orchestrated through compute plans, which structure the entire process from data registration to final evaluation.Implements a distributed, non-federated learning lifecycle in which analysts orchestrate server side analytics with provenance, without model aggregationPFunctions as an agent orchestrator. Integration is achieved through gateway services connected to the enterprise busFHIR tool agent on MCP bridge; Bus handled by host platformP Federated learning with client orchestration, aggregation, update, rollback; personalisation without centralising data
✓ = Fully met; P = Partially met; - = Not provided.

Appendix C

Table A3. Data-Flow Diagrams (DFDs).
Table A3. Data-Flow Diagrams (DFDs).
LINDDUN CategorySystem (Agent/Transport)Principal Control(s)Evidence for DPIAResidual Risk/Monitoring
LinkabilityConsent Agent; Redis personal streams to Kafka exportPurpose-scoped consent enforcement; minimisation at ingress; timestamp coarsening; session pseudonym rotation; strict telemetry export policy (Redis trim ≤ 24 h; Kafka stores metadata only)CloudEvents: trace_id + policy_version + consent_version where applicable; consent decision indexLink ability via auxiliar datasets; monitor with periodic linkage analysis and preserve privacy-accountant logs
IdentifiabilityIngest/RAG retrievals; VDB retrieval artefactsPseudonymisation at source; inline DLP (Named Entity Recognition (NER) + redaction); confine personal embeddings to secure VDB; RBAC to VDBsDLP redaction logs; pseudonymisation attestations; VDB access auditRare PII patterns may escape detectors; schedule revalidation of DLP models and update redaction rules
Non-repudiationPCP to agents (Kafka/gRPC control plane)Signed, versioned policy manifests; cryptographic signing of audit CloudEvents; short-lived tokens; mutual TLSSigned policy manifests and CloudEvents; Vault audit trailsKey compromise; enforce automated key rotation and attestation; monitor Vault logs for anomalies
DetectabilityNATS heartbeats/TTLs; monitoring telemetrySuppress presence flags absent consent; group aggregation; calibrated noise on exported telemetryMonitoring traces with provenance; masked telemetry exportsPresence inference from side channels; run detectability probes using realistic auxiliary assumptions
Disclosure (information leakage)LLM escalation paths; RAG outputs; API endpoints, Hallucination risk mitigated by evidence groundingRate limiting; query auditing; output sanitisation; restrict escalation to pseudonymised artefacts; analytics governed by differential privacy with a privacy accountant; evidence grounding +fail-closed KB-only fallbackRed-team reports; privacy-accountant ledger (per-subject ε); sanitised output logs; hallucination gate logsMisconfigured DP budgets; enforce composition rules, reject queries when budget is exhausted [101]
Unawareness (lack of informed consent)UI/Consent Agent; Orchestrator gatingMachine-readable, purpose-specific consent (FHIR-aligned); synchronous consent validation at Orchestrator; fail-closed rejection when consent missingConsent records; UI acceptance traces; orchestrator validation logsUX misinterpretation; conduct periodic user testing and consent audits
Non-compliance (policy conflicts)PCP decision logic; Orchestrator routingDeterministic pre-deploy policy checks; versioned policy propagation; fail-closed enforcement of policy_version; record policy resolution tracePCP decision logs; rejected event traces with policy_version tagConflicting obligations (multi-jurisdiction); adopt formal conflict-resolution engines and keep resolution traces [90,128]

Appendix D

Table A4. LINDDUN matrix.
Table A4. LINDDUN matrix.
dfd_idElement LINDDUNThreat Control Evidence LocationResidual Risk
DFD-L1-CONSENTConsent AgentLinkabilitytrace_id and timestamps can be correlated with auxiliary dataconsent_version enforced; minimise before export; timestamp coarseningCloudEvents on Kafka audit.*; consent index—this pattern is standard for EDA auditing and machine-readable consent (FHIR) integration [100]. Using Kafka’s distribution CLI extract CloudEvent JSON fields: id, time, trace_id, policy_version, consent_id/consent_version, decision, reason, signature/kid re-identification via external datasets
DFD-L2-PR-STREAMRedis personal streamsIdentifiabilityPII in stream or later reconstructedDLP (NER + redaction); pseudonymisation at source; Redis trim ≤ 24 h [62,91]DLP logs; Redis stream metadata. Evidence can be obtained from DLP logs and Redis stream metadata corresponding to the relevant trace identifier. [103] rare PII patterns escaped by DLP
DFD-L1-PCPPCP/policy planeNon-complianceconflicting policies lead to wrong routingsigned/versioned policies; deploy checks; fail-closed gatingPCP manifests; policy resolution logs. A PCP uses policy-as-code [49]cross-jurisdiction conflicts need formal resolution
DFD-L1-AUDITKafka audit topicNon-repudiationaudit logs misused for over-attributionaudit vs operational separation; cryptographic signing of CloudEvents Signed CloudEvents topics; Vault audit—Export a signed event from kafka:topic = audit.* [78]key compromise to high impact
DFD-L2-RAGRAG/LLM escalationDisclosureprompt-injection/model-extraction leaks PIIrate limiting; output sanitisation; restrict escalation to pseudonymised artefacts; DP for analyticsAPI gateway logs; privacy-accountant ledger. Export gateway logs for a trace_id that led to an escalation DP misconfiguration; model-extraction residual risk
DFD-L2-MONNATS heartbeats/monitoring (IoTs Devices)Detectabilitypresence inference from heartbeatssuppress presence flags without consent; group aggregation; calibrated noisemasked telemetry exports; monitoring traces [129]side-channel leakage (timing)
DFD-L2-VDBVector DB (secure vs non-secure)Identifiability/Disclosureembeddings + provenance reconstruct the identitypersonal VDB secured; RBAC; no raw text in non-personal VDBVDB access logs; retrieval provenance. Export the lines from vdb/access_audit.log and the file vdb/retrieval_provenance/<query_id>.json for a test trace_id. Verify whether raw document identifiers or provenance linkages could expose sensitive information [130]accidental escalation/misconfigured ACLs
The asterisk (*) denotes a wildcard pattern referring to all audit-related Kafka topics within the audit namespace.

References

  1. Zeidan, J.; Fombonne, E.; Scorah, J.; Ibrahim, A.; Durkin, M.S.; Saxena, S.; Yusuf, A.; Shih, A.; Elsabbagh, M. Global Prevalence of Autism: A Systematic Review Update. Autism Res. 2022, 15, 778–790. [Google Scholar] [CrossRef]
  2. Gentles, S.J.; McLaughlin, J.; Schneider, M.A. Stress among Caregivers of Autistic Children: Conceptual Analysis and Verification Using Two Qualitative Datasets. PLoS ONE 2024, 19, e0312391. [Google Scholar] [CrossRef]
  3. Sánchez Amate, J.J.; Luque De La Rosa, A. The Effect of Autism Spectrum Disorder on Family Mental Health: Challenges, Emotional Impact, and Coping Strategies. Brain Sci. 2024, 14, 1116. [Google Scholar] [CrossRef] [PubMed]
  4. Okoro, D.J.; Inyang, U.E. Psychological Distress Among Informal Caregivers of Children with Autism: A Thematic Analysis. Int. J. Res. Sci. Innov. 2024, XI, 1098–1108. [Google Scholar] [CrossRef]
  5. Daharlı, E.; Yılmaz, S.; Koşan, Z. A Cross-Sectional Study of Caregiver Burden Levels and Associated Factors Among Parents of Individuals with Autism Spectrum Disorder. J. Psychosoc. Rehabil. Ment. Health 2025, 1–9. [Google Scholar] [CrossRef]
  6. Tang, C.S.-K.; Yu, I.C.-Y.; Ng, K.; Kwok, H.S.-H. An Ecological Approach to Caregiver Burnout: Interplay of Self-Stigma, Family Resilience, and Caregiver Needs among Mothers of Children with Special Needs. Front. Psychol. 2025, 16, 1518136. [Google Scholar] [CrossRef]
  7. Baghdadli, A.; Pry, R.; Michelon, C.; Rattaz, C. Impact of Autism in Adolescents on Parental Quality of Life. Qual. Life Res. 2014, 23, 1859–1868. [Google Scholar] [CrossRef] [PubMed]
  8. Hayes, S.A.; Watson, S.L. The Impact of Parenting Stress: A Meta-Analysis of Studies Comparing the Experience of Parenting Stress in Parents of Children with and Without Autism Spectrum Disorder. J. Autism Dev. Disord. 2013, 43, 629–642. [Google Scholar] [CrossRef]
  9. Aiello, S.; Leonardi, E.; Cerasa, A.; Servidio, R.; Famà, F.I.; Carrozza, C.; Campisi, A.; Marino, F.; Scifo, R.; Baieli, S.; et al. Video-Feedback Approach Improves Parental Compliance to Early Behavioral Interventions in Children with Autism Spectrum Disorders during the COVID-19 Pandemic: A Pilot Investigation. Children 2022, 9, 1710. [Google Scholar] [CrossRef] [PubMed]
  10. Chistol, M.; Turcu, C.; Danubianu, M. Autism Assistant: A Platform for Autism Home-Based Therapeutic Intervention. IEEE Access 2023, 11, 94188–94204. [Google Scholar] [CrossRef]
  11. Scoglio, A.A.; Reilly, E.D.; Gorman, J.A.; Drebing, C.E. Use of Social Robots in Mental Health and Well-Being Research: Systematic Review. J. Med. Internet Res. 2019, 21, e13322. [Google Scholar] [CrossRef] [PubMed]
  12. Zhang, J.-J.; Wang, E.-N. Enhancing Autism Care through Remote Support: A Family-Centered Approach. World J. Psychiatry 2025, 15, 102645. [Google Scholar] [CrossRef] [PubMed]
  13. Lu, J.-H.; Wei, H.; Zhang, Y.; Fei, F.; Huang, H.-Y.; Dong, Q.-J.; Chen, J.; Ao, D.-Q.; Chen, L.; Li, T.-Y.; et al. Effects of Remote Support Courses on Parental Mental Health and Child Development in Autism: A Randomized Controlled Trial. World J. Psychiatry 2024, 14, 1892–1904. [Google Scholar] [CrossRef]
  14. Ogourtsova, T.; Boychuck, Z.; O’Donnell, M.; Ahmed, S.; Osman, G.; Majnemer, A. Telerehabilitation for Children and Youth with Developmental Disabilities and Their Families: A Systematic Review. Phys. Occup. Ther. Pediatr. 2023, 43, 129–175. [Google Scholar] [CrossRef]
  15. Liu, S.; Wu, D.; Li, J.; Yin, H. Latent Profile Analysis of Parental Burnout among Parents of Children with and without Autism Spectrum Disorder. Front. Psychol. 2025, 16, 1581321. [Google Scholar] [CrossRef]
  16. Alabbas, N.A.; Miller, D.E. Challenges and Assistive Technology during Typical Routines: Perspectives of Caregivers of Children with Autism Spectrum Disorders and Other Disabilities. Int. J. Disabil. Dev. Educ. 2019, 66, 273–283. [Google Scholar] [CrossRef]
  17. Rouzbahani, H.M.; Karimipour, H. Application of Artificial Intelligence in Supporting Healthcare Professionals and Caregivers in Treatment of Autistic Children. arXiv 2024, arXiv:2407.08902. [Google Scholar] [CrossRef]
  18. Iannone, A.; Giansanti, D. Breaking Barriers—The Intersection of AI and Assistive Technology in Autism Care: A Narrative Review. J. Pers. Med. 2023, 14, 41. [Google Scholar] [CrossRef]
  19. Cobigo, V.; Czechowski, K.; Chalghoumi, H.; Gauthier-Beaupre, A.; Assal, H.; Jutai, J.; Kobayashi, K.; Grenier, A.; Bah, F. Protecting the Privacy of Technology Users Who Have Cognitive Disabilities: Identifying Areas for Improvement and Targets for Change. J. Rehabil. Assist. Technol. Eng. 2020, 7, 2055668320950195. [Google Scholar] [CrossRef]
  20. NVIDIA FLARE Overview—NVIDIA FLARE 2.4.0 Documentation. Available online: https://nvflare.readthedocs.io/en/main/flare_overview.html (accessed on 22 July 2025).
  21. Galtier, M.N.; Marini, C. Substra: A Framework for Privacy-Preserving, Traceable and Collaborative Machine Learning. arXiv 2019, arXiv.1910.11567. [Google Scholar] [CrossRef]
  22. Dritsas, E.; Trigka, M. Federated Learning for IoT: A Survey of Techniques, Challenges, and Applications. J. Sens. Actuator Netw. 2025, 14, 9. [Google Scholar] [CrossRef]
  23. Belcak, P.; Heinrich, G.; Diao, S.; Fu, Y.; Dong, X.; Muralidharan, S.; Lin, Y.C.; Molchanov, P. Small Language Models Are the Future of Agentic AI. arXiv 2025, arXiv:2506.02153. [Google Scholar] [CrossRef]
  24. European Union. General Data Protection Regulation; Regulation (EU) 2016/679; Publications Office of the European Union: Luxembourg, 2016. [Google Scholar]
  25. EU AI Act: First Regulation on Artificial Intelligence. Available online: https://www.europarl.europa.eu/topics/en/article/20230601STO93804/eu-ai-act-first-regulation-on-artificial-intelligence (accessed on 22 July 2025).
  26. Cavoukian, A. Privacy by Design The 7 Foundational Principles; Information and Privacy Commissioner of Ontario: Toronto, ON, Canada, 2011. [Google Scholar]
  27. Office for Civil Rights (OCR). Summary of the HIPAA Security Rule. Available online: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html (accessed on 22 July 2025).
  28. 16 CFR Part 312—Children’s Online Privacy Protection Rule (Coppa Rule). Available online: https://www.ecfr.gov/current/title-16/part-312 (accessed on 22 July 2025).
  29. Du, H.; Thudumu, S.; Vasa, R.; Mouzakis, K. A Survey on Context-Aware Multi-Agent Systems: Techniques, Challenges and Future Directions. arXiv 2024, arXiv.2402.01968. [Google Scholar] [CrossRef]
  30. Li, X.; Wang, S.; Zeng, S.; Wu, Y.; Yang, Y. A Survey on LLM-Based Multi-Agent Systems: Workflow, Infrastructure, and Challenges. Vicinagearth 2024, 1, 9. [Google Scholar] [CrossRef]
  31. Wooldridge, M.J. An Introduction to Multiagent Systems, 2nd ed.; repr.; Wiley: Chichester, UK, 2012. [Google Scholar]
  32. Dodig-Crnkovic, G.; Burgin, M. A Systematic Approach to Autonomous Agents. Philosophies 2024, 9, 44. [Google Scholar] [CrossRef]
  33. Bandi, A.; Kongari, B.; Naguru, R.; Pasnoor, S.; Vilipala, S.V. The Rise of Agentic AI: A Review of Definitions, Frameworks, Architectures, Applications, Evaluation Metrics, and Challenges. Future Internet 2025, 17, 404. [Google Scholar] [CrossRef]
  34. Hughes, L.; Dwivedi, Y.K.; Malik, T.; Shawosh, M.; Albashrawi, M.A.; Jeon, I.; Dutot, V.; Appanderanda, M.; Crick, T.; De’, R.; et al. AI Agents and Agentic Systems: A Multi-Expert Analysis. J. Comput. Inf. Syst. 2025, 65, 489–517. [Google Scholar] [CrossRef]
  35. United States Government Accountability Office. Science & Tech Spotlight: AI Agents|U.S. GAO. Available online: https://www.gao.gov/products/gao-25-108519 (accessed on 22 July 2025).
  36. Wang, L.; Ma, C.; Feng, X.; Zhang, Z.; Yang, H.; Zhang, J.; Chen, Z.; Tang, J.; Chen, X.; Lin, Y.; et al. A Survey on Large Language Model Based Autonomous Agents. Front. Comput. Sci. 2024, 18, 186345. [Google Scholar] [CrossRef]
  37. Sulis, E.; Mariani, S.; Montagna, S. A Survey on Agents Applications in Healthcare: Opportunities, Challenges and Trends. Comput. Methods Programs Biomed. 2023, 236, 107525. [Google Scholar] [CrossRef] [PubMed]
  38. Gregor, S.; Hevner, A.R. Positioning and Presenting Design Science Research for Maximum Impact1. MIS Q. 2013, 37, 337–355. [Google Scholar] [CrossRef]
  39. Satyanarayanan, M. The Emergence of Edge Computing. Computer 2017, 50, 30–39. [Google Scholar] [CrossRef]
  40. Ortiz, G.; Boubeta-Puig, J.; Criado, J.; Corral-Plaza, D.; Garcia-de-Prado, A.; Medina-Bulo, I.; Iribarne, L. A Microservice Architecture for Real-Time IoT Data Processing: A Reusable Web of Things Approach for Smart Ports. Comput. Stand. Interfaces 2022, 81, 103604. [Google Scholar] [CrossRef]
  41. Rudin, C. Stop Explaining Black Box Machine Learning Models for High Stakes Decisions and Use Interpretable Models Instead. Nat. Mach. Intell. 2019, 1, 206–215. [Google Scholar] [CrossRef]
  42. Rescorla, E. The Transport Layer Security (TLS) Protocol Version 1.3; Internet Engineering Task Force: Fremont, CA, USA, 2018; RFC 8446. [Google Scholar]
  43. ISO/IEC 27001:2022; Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements. IT Governance Publishing: Ely, UK, 2022.
  44. ISO/IEC 27701:2025; Information Security, Cybersecurity and Privacy Protection—Privacy Information Management Systems—Requirements and Guidance. ISO: Geneva, Switzerland, 2025. Available online: https://www.iso.org/standard/27701 (accessed on 16 February 2026).
  45. Timofte, E.M.; Dimian, M.; Graur, A.; Potorac, A.D.; Balan, D.; Croitoru, I.; Hrițcan, D.-F.; Pușcașu, M. Federated Learning for Cybersecurity: A Privacy-Preserving Approach. Appl. Sci. 2025, 15, 6878. [Google Scholar] [CrossRef]
  46. Theodoropoulos, T.; Rosa, L.; Benzaid, C.; Gray, P.; Marin, E.; Makris, A.; Cordeiro, L.; Diego, F.; Sorokin, P.; Girolamo, M.D.; et al. Security in Cloud-Native Services: A Survey. J. Cybersecur. Priv. 2023, 3, 758–793. [Google Scholar] [CrossRef]
  47. Data Protection Impact Assessments. Available online: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/data-protection-impact-assessments/ (accessed on 22 July 2025).
  48. European Union Agency for Cybersecurity. Engineering Personal Data Protection in EU Data Spaces; Publications Office: Luxembourg, 2024. [Google Scholar]
  49. Chuprikov, P.; Eugster, P.; Mangipudi, S. Security Policy as Code. IEEE Secur. Priv. 2025, 23, 23–31. [Google Scholar] [CrossRef]
  50. Lodderstedt, T.; Bradley, J.; Labunets, A.; Fett, D. Best Current Practice for OAuth 2.0 Security; RFC Editor: Fremont, CA, USA, 2025; RFC 9700. [Google Scholar]
  51. Campbell, B.; Bradley, J.; Sakimura, N.; Lodderstedt, T. OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens; Internet Engineering Task Force: Fremont, CA, USA, 2020; RFC 8705. [Google Scholar]
  52. Doshi-Velez, F.; Kim, B. Towards A Rigorous Science of Interpretable Machine Learning. arXiv 2017, arxiv.1702.08608. [Google Scholar] [CrossRef]
  53. Barredo Arrieta, A.; Díaz-Rodríguez, N.; Del Ser, J.; Bennetot, A.; Tabik, S.; Barbado, A.; Garcia, S.; Gil-Lopez, S.; Molina, D.; Benjamins, R.; et al. Explainable Artificial Intelligence (XAI): Concepts, Taxonomies, Opportunities and Challenges toward Responsible AI. Inf. Fusion 2020, 58, 82–115. [Google Scholar] [CrossRef]
  54. Vault|HashiCorp Developer. Available online: https://developer.hashicorp.com/vault (accessed on 22 July 2025).
  55. Pham, N.T.; Kieu, T.; Nguyen, D.-M.; Xuan, S.H.; Duong-Trung, N.; Le-Phuoc, D. SLM-Bench: A Comprehensive Benchmark of Small Language Models on Environmental Impacts—Extended Version. arXiv 2025, arxiv.2508.15478. [Google Scholar] [CrossRef]
  56. Haas, S.; Hegestweiler, K.; Rapp, M.; Muschalik, M.; Hüllermeier, E. Stakeholder-Centric Explanations for Black-Box Decisions: An XAI Process Model and Its Application to Automotive Goodwill Assessments. Front. Artif. Intell. 2024, 7, 1471208. [Google Scholar] [CrossRef]
  57. Joint Task Force Interagency Working Group. Security and Privacy Controls for Information Systems and Organizations, 5th ed.; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [Google Scholar]
  58. Barker, E. Recommendation for Key Management: Part 1—General; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [Google Scholar]
  59. JetStream|NATS Docs. Available online: https://docs.nats.io/using-nats/developer/develop_jetstream (accessed on 17 August 2025).
  60. Apache Kafka 4.0 Documentation. Available online: https://kafka.apache.org/documentation/ (accessed on 22 July 2025).
  61. Redis Persistence. Available online: https://redis.io/docs/latest/operate/oss_and_stack/management/persistence/ (accessed on 22 July 2025).
  62. Trace Context-W3C Recommendation. Available online: https://www.w3.org/TR/trace-context/ (accessed on 27 August 2025).
  63. CloudEvents Specification. Available online: https://github.com/cloudevents/spec/blob/ce@v1.0.2-branch/cloudevents/spec.md (accessed on 22 July 2025).
  64. Production-Grade Container Orchestration. Available online: https://kubernetes.io/ (accessed on 22 July 2025).
  65. Carrión, C. Kubernetes Scheduling: Taxonomy, Ongoing Issues and Challenges. ACM Comput. Surv. 2023, 55, 138. [Google Scholar] [CrossRef]
  66. Network Policies. Available online: https://kubernetes.io/docs/concepts/services-networking/network-policies/ (accessed on 22 July 2025).
  67. Pod Security Standards. Available online: https://kubernetes.io/docs/concepts/security/pod-security-standards/ (accessed on 22 July 2025).
  68. Sharvari, T.; Sowmya Nag, K. A Study on Modern Messaging Systems- Kafka, RabbitMQ and NATS Streaming. arXiv 2019, arxiv.1912.03715. [Google Scholar] [CrossRef]
  69. Enterprise Power Without Enterprise Complexity. Available online: https://linkerd.io/ (accessed on 22 July 2025).
  70. Istio. Available online: https://istio.io/latest/ (accessed on 22 July 2025).
  71. Li, W.; Lemieux, Y.; Gao, J.; Zhao, Z.; Han, Y. Service Mesh: Challenges, State of the Art, and Future Research Opportunities. In Proceedings of the 2019 IEEE International Conference on Service-Oriented System Engineering (SOSE), San Francisco, CA, USA, 4–9 April 2019; IEEE: San Francisco, CA, USA, 2019; pp. 122–1225. [Google Scholar]
  72. Hierarchical Navigable Small Worlds (HNSW)|Pinecone. Available online: https://www.pinecone.io/learn/series/faiss/hnsw/ (accessed on 22 July 2025).
  73. Milvus and 10x faster. Get Started IVF_PQ|Milvus Documentation. Available online: https://milvus.io/docs/ivf-pq.md (accessed on 22 July 2025).
  74. Das, B.C.; Amini, M.H.; Wu, Y. Security and Privacy Challenges of Large Language Models: A Survey. arXiv 2024, arxiv.2402.00888. [Google Scholar] [CrossRef]
  75. SmartNoise—OpenDP SmartNoise. Available online: https://docs.smartnoise.org/ (accessed on 22 July 2025).
  76. ISO/IEC TS 27560:2023; Privacy Technologies—Consent Record Information Structure. ISO: Geneva, Switzerland, 2023. Available online: https://www.iso.org/standard/80392.html (accessed on 22 July 2025).
  77. Kafka Logs—Concepts, Configurations and Policies. Available online: https://www.redpanda.com/guides/kafka-performance-kafka-logs (accessed on 22 July 2025).
  78. Documentation. Available online: https://opentelemetry.io/docs/ (accessed on 22 July 2025).
  79. Elasticsearch: The Official Distributed Search & Analytics Engine|Elastic. Available online: https://www.elastic.co/elasticsearch (accessed on 22 July 2025).
  80. Logstash: Collect, Parse, Transform Logs. Available online: https://www.elastic.co/logstash (accessed on 22 July 2025).
  81. OpenSearch Dashboards. Available online: https://docs.opensearch.org/latest/dashboards/ (accessed on 22 July 2025).
  82. Stanza—A Python NLP Package for Many Human Languages. Available online: https://stanfordnlp.github.io/stanza/ (accessed on 22 July 2025).
  83. LangChain. Available online: https://www.langchain.com (accessed on 22 July 2025).
  84. Qdrant. Available online: https://qdrant.tech/documentation/ (accessed on 22 July 2025).
  85. Scikit-Learn: Machine Learning in Python—Scikit-Learn 1.7.1 Documentation. Available online: https://scikit-learn.org/stable/ (accessed on 22 July 2025).
  86. Salih, A.; Raisi-Estabragh, Z.; Galazzo, I.B.; Radeva, P.; Petersen, S.E.; Menegaz, G.; Lekadir, K. A Perspective on Explainable Artificial Intelligence Methods: SHAP and LIME. Adv. Intell. Syst. 2025, 7, 2400304. [Google Scholar] [CrossRef]
  87. Grafana: The Open and Composable Observability Platform. Available online: https://grafana.com/ (accessed on 22 July 2025).
  88. Jaeger: Open Source, Distributed Tracing Platform. Available online: https://www.jaegertracing.io/ (accessed on 22 July 2025).
  89. Sion, L.; Van Landuyt, D.; Wuyts, K.; Joosen, W. Robust and Reusable LINDDUN Privacy Threat Knowledge. Comput. Secur. 2025, 154, 104419. [Google Scholar] [CrossRef]
  90. Redis Streams. Available online: https://redis.io/docs/latest/develop/data-types/streams/ (accessed on 22 July 2025).
  91. Rose, S.; Borchert, O.; Mitchell, S.; Connelly, S. Zero Trust Architecture; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020. [Google Scholar]
  92. Newman, C.; Klyne, G. Date and Time on the Internet: Timestamps; Internet Engineering Task Force: Fremont, CA, USA, 2002; RFC 3339. [Google Scholar]
  93. Brauer, A.; Mäkinen, V.; Ruotsalainen, L.; Oksanen, J. Time Will Not Tell: Temporal Approaches for Privacy-Preserving Trajectory Publishing. Comput. Environ. Urban Syst. 2024, 112, 102154. [Google Scholar] [CrossRef]
  94. Bender, D.; Sartipi, K. HL7 FHIR: An Agile and RESTful Approach to Healthcare Information Exchange. In Proceedings of the 26th IEEE International Symposium on Computer-Based Medical Systems, Porto, Portugal, 20–22 June 2013; IEEE: Porto, Portugal, 2013; pp. 326–331. [Google Scholar]
  95. Taipalus, T. Vector Database Management Systems: Fundamental Concepts, Use-Cases, and Current Challenges. Cogn. Syst. Res. 2024, 85, 101216. [Google Scholar] [CrossRef]
  96. Huang, Y.-H.; Tsai, Y.; Hsiao, H.; Lin, H.-Y.; Lin, S.-D. Transferable Embedding Inversion Attack: Uncovering Privacy Risks in Text Embeddings without Model Queries. arxiv 2024, arxiv.2406.10280. [Google Scholar] [CrossRef]
  97. Pseudonymisation Techniques and Best Practices|ENISA. Available online: https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices (accessed on 22 July 2025).
  98. AI Privacy Risks & Mitigations Large Language Models (LLMs)|European Data Protection Board. Available online: https://www.edpb.europa.eu/our-work-tools/our-documents/support-pool-experts-projects/ai-privacy-risks-mitigations-large_en (accessed on 22 July 2025).
  99. Consent-FHIR v5.0.0. Available online: https://hl7.org/fhir/consent-definitions.html (accessed on 28 August 2025).
  100. Azam, N.; Chak, A.; Michala, A.; Ansari, S.; Truong, N.B. A Practical Solution for Modelling GDPR-Compliance Based on Defeasible Logic Reasoning. Expert Syst. Appl. 2025, 277, 127140. [Google Scholar] [CrossRef]
  101. Near, J.P.; Darais, D.; Lefkovitz, N.; Howarth, G.S. Guidelines for Evaluating Differential Privacy Guarantees; National Institute of Standards and Technology (U.S.): Gaithersburg, MD, USA, 2025. [Google Scholar]
  102. REDIS-Recommended Security Practices. Available online: https://redis.io/docs/latest/operate/rs/security/recommended-security-practices/ (accessed on 22 July 2025).
  103. Data Loss Prevention—An Overview|ScienceDirect Topics. Available online: https://www.sciencedirect.com/topics/computer-science/data-loss-prevention (accessed on 22 July 2025).
  104. International Organization for Standardization and International Electrotechnical Commission Systems and Software Engineering—Systems and Software Quality Requirements and Evaluation (SQuaRE)—Quality Model Overview and Usage; International Organization for Standardization and International Electrotechnical Commission: Geneva, Switzerland, 2024.
  105. Sheffer, Y.; Saint-Andre, P.; Fossati, T. Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS); RFC Editor: Fremont, CA, USA, 2022; RFC 9325. [Google Scholar]
  106. Azure-Samples/Healthcare-Agent-Orchestrator. Available online: https://github.com/Azure-Samples/healthcare-agent-orchestrator (accessed on 22 July 2025).
  107. Mandel, J. Jmandel/Health-Record-Mcp. Available online: https://github.com/jmandel/health-record-mcp/blob/main/package.json (accessed on 22 July 2025).
  108. Es, S.; James, J.; Espinosa Anke, L.; Schockaert, S. RAGAs: Automated Evaluation of Retrieval Augmented Generation. In Proceedings of the 18th Conference of the European Chapter of the Association for Computational Linguistics: System Demonstrations, St. Julians, Malta, 17–22 March 2024; Association for Computational Linguistics: St. Julians, Malta, 2024; pp. 150–158. [Google Scholar]
  109. American Psychiatric Association. Diagnostic and Statistical Manual of Mental Disorders, 5th ed.; American Psychiatric Association: Washington, DC, USA, 2013. [Google Scholar]
  110. Gu, J.; Jiang, X.; Shi, Z.; Tan, H.; Zhai, X.; Xu, C.; Li, W.; Shen, Y.; Ma, S.; Liu, H.; et al. A Survey on LLM-as-a-Judge. arxiv 2024, arXiv:2411.15594. [Google Scholar] [CrossRef]
  111. Manning, C.D.; Raghavan, P.; Schütze, H. Introduction to Information Retrieval, 1st ed.; Cambridge University Press: Cambridge, UK, 2008. [Google Scholar]
  112. Carbonell, J.G.; Goldstein, J. The Use of MMR and Diversity-Based Reranking in Document Reranking and Summarization. In Proceedings of the 21st Annual International ACM SIGIR Conference on Research and Development in Information Retrieval (SIGIR ’98), Melbourne, Australia, 24–28 August 1998; ACM: Melbourne, Australia, 1998; pp. 335–336. [Google Scholar] [CrossRef]
  113. Carbonell, J.G.; Goldstein, J. The Use of MMR and Diversity-Based Reranking in Document Reranking and Summarization; Carnegie Mellon University: Pittsburgh, PA, USA, 1997; pp. 335–336. [Google Scholar] [CrossRef]
  114. Zada, T.; Tam, N.; Barnard, F.; Van Sittert, M.; Bhat, V.; Rambhatla, S. Medical Misinformation in AI-Assisted Self-Diagnosis: Development of a Method (EvalPrompt) for Analyzing Large Language Models. JMIR Form. Res. 2025, 9, e66207. [Google Scholar] [CrossRef]
  115. Zhao, W.; Strube, M.; Eger, S. DiscoScore: Evaluating Text Generation with BERT and Discourse Coherence. In Proceedings of the 17th Conference of the European Chapter of the Association for Computational Linguistics, Dubrovnik, Croatia, 2–6 May 2023; Association for Computational Linguistics: Dubrovnik, Croatia, 2023; pp. 3865–3883. [Google Scholar]
  116. Fang, F.; Bai, Y.; Ni, S.; Yang, M.; Chen, X.; Xu, R. Enhancing Noise Robustness of Retrieval-Augmented Language Models with Adaptive Adversarial Training. arXiv 2024. [Google Scholar] [CrossRef]
  117. Ragas. Available online: https://docs.ragas.io/en/stable/ (accessed on 22 July 2025).
  118. Security Best Practices. Available online: https://modelcontextprotocol.io/specification/2025-06-18/basic/security_best_practices (accessed on 22 July 2025).
  119. RabbitMQ: One Broker to Queue Them All|RabbitMQ. Available online: https://www.rabbitmq.com/ (accessed on 22 July 2025).
  120. Henning, S.; Hasselbring, W. Benchmarking Scalability of Stream Processing Frameworks Deployed as Microservices in the Cloud. arXiv 2023, arxiv.2303.11088. [Google Scholar] [CrossRef]
  121. Loechel, L.; Akbayin, S.-R.; Grünewald, E.; Kiesel, J.; Strelnikova, I.; Janke, T.; Pallas, F. Hook-in Privacy Techniques for gRPC-Based Microservice Communication. arXiv 2024, arXiv:2404.05598. [Google Scholar]
  122. Niswar, M.; Arisandy Safruddin, R.; Bustamin, A.; Aswad, I. Performance evaluation of microservices communication with REST, GraphQL, and gRPC. Int. J. Electron. Telecommun. 2024, 70, 429–436. [Google Scholar] [CrossRef]
  123. Auditing—NVIDIA FLARE 2.6.0 Documentation. Available online: https://nvflare.readthedocs.io/en/2.6.0/user_guide/security/auditing.html (accessed on 22 July 2025).
  124. DataSHIELD—Opal Documentation. Available online: https://opaldoc.obiba.org/en/latest/web-user-guide/administration/datashield.html (accessed on 22 July 2025).
  125. IEEE Std 7001-2021; IEEE Standard for Transparency of Autonomous Systems. IEEE: New York, NY, USA, 2021. [CrossRef]
  126. NIST. National Institute of Standards and Technology Artificial Intelligence Risk Management Framework (AI RMF 1.0); NIST: Gaithersburg, MD, USA, 2023. [Google Scholar]
  127. CRISP-ML(Q) Working Group. CRISP-ML(Q): Cross-Industry Standard Process for Machine Learning Quality Assurance; CRISP-ML(Q) Working Group: Sindelfingen, Germany, 2019. [Google Scholar]
  128. Ayala-Rivera, V.; Portillo-Dominguez, A.O.; Pasquale, L. GDPR Compliance via Software Evolution: Weaving Security Controls in Software Design. J. Syst. Softw. 2024, 216, 112144. [Google Scholar] [CrossRef]
  129. Redacting Sensitive Data with the OpenTelemetry Collector|Better Stack Community. Available online: https://betterstack.com/community/guides/observability/redacting-sensitive-data-opentelemetry/ (accessed on 22 July 2025).
  130. Liu, T.; Yao, H.; Wu, T.; Qin, Z.; Lin, F.; Ren, K.; Chen, C. Mitigating Privacy Risks in LLM Embeddings from Embedding Inversion. arXiv 2024, arXiv:2411.05034. [Google Scholar] [CrossRef]
Figure 1. Agent interaction diagram.
Figure 1. Agent interaction diagram.
Applsci 16 02157 g001
Figure 2. Layered Architecture for privacy-aware Multi-Agent System.
Figure 2. Layered Architecture for privacy-aware Multi-Agent System.
Applsci 16 02157 g002
Table 1. Non-functional Requirements of the privacy-aware MAS.
Table 1. Non-functional Requirements of the privacy-aware MAS.
Non-Functional RequirementsDescription
PrivacyAll components must apply data minimisation, pseudonymisation, and encryption [24]. Agent-level access is strictly conditional on verifiable, purpose-specific consent.
PerformanceAgent responses must be completed within ≤500 ms under normal operational load. End-to-end coordination across the message bus should not exceed 2 s [39,40].
ScalabilityThe architecture must support horizontal scaling of stateless agents using container orchestration platforms.
AuditabilityAll access events, policy checks, and agent outputs must be recorded asynchronously via an immutable audit trail. Logs should support traceability and forensic analysis [25].
InteroperabilityThe system must expose RESTful APIs, HL7 FHIR (for clinical integration), and stable agent-to-agent interfaces for context exchange.
ExplainabilityIn assisted systems for caregivers of children with ASD, outputs must be explainable in a way that is both human-interpretable and consistent with the system’s internal logic. To meet this requirement, the architecture employs symbolic, rule-based explanations generated locally by the XAI Agent, avoiding reliance on post hoc approximation methods. This design supports transparency and auditability, in line with the requirements for trustworthy AI [25], and mitigates concerns about the opacity and low fidelity of black-box explanation techniques [41].
SecurityCommunication must be secured using TLS 1.3 [42], mutual agent authentication, and encrypted storage for all secrets and personal identifiers. (ISO/IEC 27001:2022 [43]).
Deployment PortabilityThe system must be deployable in both cloud-native and on-premises environments, with no reliance on external third-party storage or analytics services.
Fault ToleranceUpon agent failure, orchestration must trigger retries or reroute tasks without data loss. Message processing must be idempotent and state-agnostic.
Compliance ReadinessThe system must conform to regulatory obligations (e.g., GDPR, EU AI Act, ISO/IEC 27701 [44]).
Table 2. The LINDDUN categories applied to the proposed architecture.
Table 2. The LINDDUN categories applied to the proposed architecture.
LINDDUN CategoryThreat LocationsControlsEvidenceBibliographic Refs
LinkabilityConsent Agent; telemetry export pathsPurpose-scoped consent; ingress minimisation; timestamp coarsening; session pseudonym rotationConsent indexes; signed audit events (Appendix D)[94,95]
IdentifiabilityIngest; retrieval; vector databasePseudonymisation at source; inline DLP (NER + redaction); RBAC on vector databasesDLP redaction logs; VDB access audits[96,97]
Non-repudiationPCP; audit Kafka topicsSigned and versioned policy manifests; cryptographically signed CloudEvents; short-lived credentialsSigned manifests; Vault audit trails[69,98]
DetectabilityMonitoring channels; heartbeat signalsSuppression of presence flags without consent; group aggregation; calibrated noiseMasked monitoring exports; detectability probe records[88]
DisclosureRAG paths; LLM escalation paths; API surfacesRate limiting; query auditing; output sanitisation; DP analytics with privacy accountantRed-team reports; privacy-accountant ledger[99]
UnawarenessMissing or opaque consent flowsPurpose-specific consent records; synchronous Orchestrator validation; fail-closed behaviourConsent DB snapshots; Orchestrator validation logs[24,95,100]
Non-compliancePolicy conflicts; routing errorsDeterministic PCP pre-deployment checks; policy resolution trace recordingPCP resolution logs; rejected event traces[49,101]
Table 3. Evaluation criteria for framework comparison.
Table 3. Evaluation criteria for framework comparison.
CriterionEvaluation FocusStandards/GuidanceVerification Checks
C1 Governance and auditAccountability, traceability, and security governanceISO/IEC 27001 (ISMS); ISO/IEC 27701 (PIMS); NIST SP 800-53 AU controlsISMS/PIMS scope defined; Statement of Applicability; mapping of log events to NIST AU controls; log retention and tamper-evidence procedures
C2 Consent orchestrationLawful basis, revocation, runtime enforcementISO/IEC TS 27560 [77]; GDPR; EDPB guidanceJSON/JSON-LD consent records; revocation workflow; synchronous runtime enforcement
C3 Clinical interoperabilityIntegration with clinical systemsHL7 FHIRPublished Capability Statement; successful profile conformance tests
C4 Privacy-enhancing technologies (PETs)Engineering of privacy-by-designENISA Data Protection Engineering guidanceDocumented PET selection; architectural integration; implementation evidence
C5 Edge performance and reliabilityDeployability in care settingsISO/IEC 25002:2024 [106]Latency bounds; offline operation; uptime targets; resource usage; error recovery
C6 Local explainability (HITL)Caregiver oversight and trustHuman-in-the-loop principlesExplicit HITL decision points; local explanations available to caregivers
C7 Federated lifecyclePersonalisation without centralisationFederated learning engineering practicesClient orchestration; aggregation; update rollout; rollback mechanisms
Table 4. Aggregate evaluation metrics by dataset.
Table 4. Aggregate evaluation metrics by dataset.
MetricDSM-5 QA (n = 100)Caregiver Notes (n = 150)Description
Answer Relevancy0.7670.750Query–response alignment
Answer Similarity0.7570.730Embedding cosine similarity
Context Precision0.5990.631Position-weighted relevance
Context Relevancy0.8620.858Query–context alignment
Coherence0.8880.927Logical structure
Harmfulness0.0000.000Safety violation rate
Recall@K0.4000.742Relevant document retrieval
MRR0.1950.546Mean reciprocal rank
Precision@K0.0700.241Retrieval precision
Faithfulness0.0200.178NLI-verified claim support
Table 5. Aggregate Evaluation Metrics by DSM-5 Category.
Table 5. Aggregate Evaluation Metrics by DSM-5 Category.
CategorynAnswer RelevancyRecall@K
Medical/Therapeutic470.7820.442
Communication130.7500.475
Behavioural130.8270.367
Sensory Processing80.7810.307
Social Interaction70.6790.281
Therapy Modalities60.7500.461
Diagnostic Criteria60.7080.346
Table 6. The metadata filter validation.
Table 6. The metadata filter validation.
Test CategoryTest CasesPass RateValidation Scope
Single Value Filter3100%child_id, category, source_type field matching
OR Condition3100%Multiple value matching per field
Combined Filters3100%AND logic across multiple fields
Owner Restriction2100%caregiver_id isolation + combined
Edge Cases4100%Empty results, malformed filters, null values
Use Case5100%Real-world caregiver/specialist scenarios
Category Test5100%Per-category filtering (transitions, communication, sensory, behavior, daily_living)
Performance2100%Multiple OR values, complex combined filters
Collection3100%Cross-collection filtering (global_knowledge, supporter)
Total30100%Full access control coverage
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Croitoru, I.; Turcu, C.E.; Turcu, C.O. Privacy-by-Design in AI-Assisted Systems for Caregivers of Children with Autism: A Secure Multi-Agent Architecture. Appl. Sci. 2026, 16, 2157. https://doi.org/10.3390/app16042157

AMA Style

Croitoru I, Turcu CE, Turcu CO. Privacy-by-Design in AI-Assisted Systems for Caregivers of Children with Autism: A Secure Multi-Agent Architecture. Applied Sciences. 2026; 16(4):2157. https://doi.org/10.3390/app16042157

Chicago/Turabian Style

Croitoru, Ionuț, Cristina Elena Turcu, and Corneliu Octavian Turcu. 2026. "Privacy-by-Design in AI-Assisted Systems for Caregivers of Children with Autism: A Secure Multi-Agent Architecture" Applied Sciences 16, no. 4: 2157. https://doi.org/10.3390/app16042157

APA Style

Croitoru, I., Turcu, C. E., & Turcu, C. O. (2026). Privacy-by-Design in AI-Assisted Systems for Caregivers of Children with Autism: A Secure Multi-Agent Architecture. Applied Sciences, 16(4), 2157. https://doi.org/10.3390/app16042157

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop