3. Materials and Methods
This paper adopts a Design Science Research methodology to systematically design, implement, and evaluate a Privacy-by-Design multi-agent architecture for AI-assisted autism caregiver support. The DSR approach was selected because it enables the development of innovative artefacts that bridge theoretical constructs and practical applications in complex socio-technical contexts such as digital health. Consistent with the Level 1 artefact category, the research focuses on the design and validation of a situated architectural instance rather than a generalised framework.
The primary objectives of the research are as follows:
- -
Develop a conceptual multi-agent architecture that separates and assigns specific roles (e.g., user interface, data management, AI analysis, consent, security), thereby enabling enhanced control over data access and the implementation of privacy policies at the component level.
- -
Define an informed and transparent consent model integrated within the architecture, allowing caregivers to express and modify their preferences regarding data collection and usage in a clear and accessible manner, while ensuring full compliance with GDPR requirements for transparency and data subject rights.
- -
Integrate emerging AI technologies—such as Large Language Models with Retrieval-Augmented Generation, Explainable AI (XAI) algorithms, and differential privacy methods, in a manner that enhances system functionality while simultaneously minimising data exposure. For example, local AI components can provide context-aware recommendations based on locally processed information, thereby preventing sensitive data from being sent to external cloud services.
- -
Conduct a conceptual evaluation of the proposed design to assess its robustness, scalability, and practical applicability, while identifying key directions for future implementation and research.
This section outlines the methodology used to design, build, and evaluate the proposed PbD MAS. The focus remains on compliance, security, and clinical interoperability gaps highlighted in the preceding analysis. The section defines the core architectural principles and the implementation workflow of the MVP used for empirical validation.
At the core of the system design is a privacy-aware, modular multi-agent architecture. The proposed PbD MAS leverages MAS properties (modularity, isolation, inter-agent communication) to operationalise PbD principles including data minimisation, purpose limitation, and accountability. Each agent performs a clearly defined role and interacts with other agents through standardised protocols under strict data governance rules. This functional decomposition ensures that responsibilities such as monitoring, data management, interpretation, recommendation, explanation, and consent validation are delegated to specialised agents. The architecture supports clear reasoning, simplified auditing, and modular extension. Each agent has a limited and well-defined function, which improves system transparency and control. Core PbD principles are applied throughout the design. Agents access only the data required to fulfil their designated role, in accordance with the principle of data minimisation. Access control is enforced dynamically using Role-Based Access Control (RBAC), with user roles such as caregiver or specialist determining permissible operations. Any secondary use of data requires verified, purpose-specific consent, enforced through structural constraints within the system. Each agent operates in isolation with a well-defined task, such as monitoring, recommending, or auditing, thereby enabling traceability and role-based accountability.
While this paper does not claim full adherence to the complete DSR lifecycle, particularly with respect to the demonstration and longitudinal evaluation phases, it contributes a functionally grounded and theoretically justified artefact. The contribution aligns with Gregor and Hevner’s classification of Level 1 design science outputs [
38], which characterises artefacts as situated implementations. The proposed design is justified by methodological transparency, integration of domain-specific knowledge, responsiveness to user requirements, and alignment with regulatory and ethical frameworks, including the GDPR and responsible AI practices [
29].
These architectural choices prioritise deterministic behaviour, traceability, and policy-driven control to support auditability and regulatory compliance in caregiving contexts.
Non-Functional Requirements: Given the sensitivity of personal data processed in assisted tools for caregivers of children with ASD, the architecture prioritises privacy, auditability, explainability, and compliance with legal and regulatory frameworks such as the GDPR [
24] and the AI Act [
25]. In addition, technical requirements such as scalability, fault tolerance, and interoperability ensure system reliability across diverse use cases.
Table 1 summarises the principal non-functional requirements derived from these considerations.
Operational and compliance specifications delineate the system’s boundaries and compliance parameters across deployment settings. All data processing is governed by signed, versioned policies issued by the policy authority. Each processing request includes a trace identifier (trace_id), the active policy version (active policy_version), and, where applicable, a consent version (consent_version). Personal data are processed only when explicit; purpose-specific consent is present and after successful minimisation and data loss prevention checks. If no lawful basis exists or if required safety controls are unavailable, the system defaults to a Knowledge Base (KB)-only operational mode.
Identity and access are managed through standards-based authentication and least-privilege, purpose-scoped authorisation. Inter-service communication is secured using cryptographic and organisational safeguards [
45,
46]. Observability is integrated through distributed tracing and append-only, minimised audit logs. Specialised agents operate under the coordination of a central Policy Control Plane (PCP) and communicate via a shared message bus. Each agent is assigned a clearly defined functional role and operates under version-controlled policies and consent parameters, enforcing least privilege, purpose limitation, and data minimisation. The architecture adheres to core PbD principles, including explicit consent, explainability, reproducibility, and graceful degradation [
24,
25,
47,
48]. When personalisation is not permitted or when required services are unavailable, the system defaults to KB-only responses.
Figure 1 illustrates the agents’ relational structure and communication flows, which enforce role scopes, consent rules and DLP filters.
A central Policy Control Plane, implemented using a policy-as-code approach [
49], distributes signed and version-controlled policies (as illustrated in
Figure 1) to all agents and enforces role scopes, consent rules and DLP filters, defined as rule sets designed to prevent unauthorised data disclosure. Agents communicate primarily through a decoupled message bus (depicted in green in
Figure 1), implementing a publish–subscribe (pub/sub) model. This mechanism supports asynchronous interactions with trace_id and policy_version propagation.
Three specialised agents support bidirectional request/response flows over predefined topics: the RAG Agent (agent.rag.{req|resp}), the Chat Agent (agent.chat.{req|resp}), and the XAI Agent (agent.xai.{req|resp}). Consent validation operates synchronously via HTTP or gRPC and is not routed through the message bus.
All agents emit asynchronous audit events to a dedicated audit subsystem, as shown in
Figure 1. Audit records are minimised by design, using hashed identifiers, coarse timestamps, and event sampling to reduce re-identification risk.
Personal data flows are explicit, consent-gated, and strictly constrained, as illustrated in
Figure 1:
- -
The Consent Agent provides only policy metadata (policy_version, consent_version, obligations) to the Security/DLP Agent.
- -
The Security/DLP Agent transfers a minimised payload to the Chat Agent.
- -
The Security/DLP Agent sends PII-safe rationales to the XAI Agent, meaning that the justifications for XAI-related actions are processed to ensure that no Personally Identifiable Information (PII) is included in the transmitted content.
These flows are designed to protect sensitive attributes while preserving functional utility for caregivers. Agents are organised across two trust zones based on data sensitivity. In the non-personal data zone, the RAG Agent retrieves evidence from a curated KB. In the personal data zone, the Consent Agent enforces purpose-specific, versioned consent; the Security/DLP Agent applies context minimisation [
24] and output filtering; the Chat Agent generates AI responses only when legally permitted; and the XAI Agent produces PII-safe explanations aligned with the underlying recommendation logic [
25].
The processing sequence—Authorise → Consent → DLP → Retrieve/Personalise → XAI → Audit—operationalises PbD and enables graceful degradation through KB-only responses when personalisation is not permitted or components are unavailable.
Layered Architecture. Figure 2 presents a layered architecture that separates responsibilities according to both functional roles and trust boundaries. Privacy, safety, and auditability are treated as core system properties. The architecture is technology-agnostic and adopts a fixed-policy, non-adaptive control model. All components operate under PCP issued policies.
The visual encoding distinguishes interaction types as follows:
- -
Purple lines represent policy distribution and access control.
- -
Green lines denote asynchronous publish/subscribe communication.
- -
Blue lines indicate synchronous request–response interactions (gRPC/HTTP).
- -
Red lines mark personal data flows gated by consent and minimisation.
- -
Brown dashed lines represent asynchronous audit events.
These visual markers represent enforceable runtime invariants that are validated through tracing and audit mechanisms to ensure conformance with PbD principles and regulatory requirements.
The
User Interface (UI) layer provides RBAC for all users. It includes a dashboard for managing data subject rights (opt-in/out, data export, deletion). All ingress traffic is protected by Transport Layer Security (TLS) 1.3 [
42] ensuring confidentiality and data integrity against interception and tampering. Authentication is implemented through OpenID Connect (OIDC)/OAuth 2.0 using short-lived tokens to enhance security [
50,
51].
Clients do not store sensitive data unless explicitly permitted. When local storage is required, all data are encrypted and bound to the device’s secure keystore. User interface components are filtered according to the active role and consent scope, thereby enforcing purpose limitation at the point of use.
Control and Orchestration Layer mediates system interactions. The API Gateway handles TLS termination, request validation, and trace propagation, with each request carrying a trace_id header and scopes validated by an RBAC service against policies issued by the PCP. The Orchestrator coordinates the processing flow:
Authorise → Consent → Minimise (DLP) → Retrieve (RAG) → Personalise → Explain (XAI) → Deliver
If the preconditions for personalisation are not satisfied, the Orchestrator falls back to a KB-only pathway and informs the user. The message bus handles asynchronous communication with retries and backpressure; synchronous requests are restricted to low-latency control paths. The Orchestration logic is non-adaptive and policy pinned, and it does not trigger behaviourally driven actions. Although adaptive orchestration was initially considered to increase flexibility, it was ultimately rejected in favour of deterministic orchestration, whereby identical inputs consistently yield identical outputs. This design choice simplifies compliance auditing and reinforces legal accountability. Prior research on explainable AI indicates that stakeholders, particularly auditors and caregivers, are more likely to trust systems that exhibit predictable and transparent behaviour [
52,
53]. While this approach may reduce optimisation opportunities, it strengthens auditability and aligns with the transparency requirements of GDPR (Accountability) [
24] and the EU AI Act (Logging and Traceability) [
25].
Knowledge and Non-Personal Data Layer supports information retrieval without processing personal data. The curated KB stores validated content with metadata (source, licence, freshness). The RAG service performs semantic search with cited results. All KB modifications are recorded immutably to ensure data provenance and traceability. This layer provides useful functionality without exposing personal data and ensures the system remains operational even when components fail.
Personal Data Layer is responsible for consent-gated processing of identifiable information. The Consent Service manages revocable, purpose-bound decisions with versioning and audit support. Personal data are encrypted and accessible only through controlled interfaces. Ingested data is pseudonymised and minimised at source. A rule-based Analysis Agent operates within this trust zone exclusively on derived signals produced by the monitoring pipeline; it performs no statistical prediction, emitting only policy relevant alerts. Personalisation is executed solely when permitted by active consent and RBAC rules. Aggregate analytics employ fixed-query differential privacy under ε-budgets, maintained separately from interactive services to preserve predictability.
Security and Observability Layer enforces system-wide safeguards. The DLP service applies input minimisation and output filtering, including checks on explanations. Keys and secrets are managed through environment-isolated configuration with restricted access controls [
54]. Data at rest are encrypted (e.g., Advanced Encryption Standard with Galois/Counter Mode—AES-GCM), and all connections use Mutual TLS (mTLS). The Audit subsystem records append-only, hashed logs with coarse-graining timestamp and sampling. Each event is tagged with the corresponding policy_version and, where applicable, consent_version.
Each horizontal layer defines a trust boundary. Transitions from non-personal to personal layers require explicit consent and confirmed minimisation. All inter-layer calls carry trace_id, policy_version, and consent_version. Requests with missing or outdated context are rejected. Failure cases are handled explicitly. If consent or DLP checks fail, the system defaults to a KB-only path and records the fallback event. If RAG functionality is degraded, cached or hedged queries reduce latency. If a KB version is invalid, the controller reverts to the most recent stable snapshot. The user interface reflects current state (e.g., “personalisation unavailable—general guidance shown”), thereby maintaining user trust and system utility. This layered separation also supports the explainability requirement. Aggregate outputs are generated using fixed query templates with defined ε-budgets. The system avoids post hoc approximations of opaque models, maintaining consistency between internal logic and the explanations presented to users. The layered architecture implements PbD through structural and policy-based constraints. Data minimisation is enforced by default. Most requests are handled entirely within the non-personal layer. Personal data are accessed only when consent is active and features have been minimised. Purpose limitation and least privilege are ensured through signed policies, RBAC scopes, and strict validation of context at every processing step. Explainability and accountability are integral to the design. The RAG Agent retrieves cited evidence, while the XAI Agent generates reproducible, symbolic outputs filtered for PII. All actions are logged to support auditing and compliance. The result is a system that provides functional value under constrained conditions, degrades safely when requirements are unmet, and remains auditable, predictable, and aligned with regulatory and ethical standards.
Agent Typology and Control Framework. The proposed architecture is organised around specialised agents, each assigned a narrow-defined mandate and operating under the principle of least privilege. This design minimises the overall attack surface, simplifies compliance verification, and ensures that accountability can be attributed to individual components. The PCP functions as the central governance authority, distributing signed and version-controlled policies to all agents. This mechanism ensures that inter-agent interactions remain consistently regulated and that changes in regulatory or organisational requirements are traceable throughout the system lifecycle. The Consent Agent enforces purpose-bound consent by validating requests against HL7 FHIR Consent resources. For each authorised interaction, it appends policy_version and consent_version metadata, embedding compliance with regulated legal requirements directly into operational workflows. The Security/DLP Agent safeguards the system by detecting and redacting PII, minimising payloads, and generating PII-safe rationales. It enforces deny-by-default access controls and isolates high-risk services, such as code execution modules, thereby preventing data leakage and mitigating adversarial exploitation. The RAG Agent manages access to curated, version-controlled knowledge bases through policy-scoped queries. It integrates provenance logging and attaches citation guarantees, reducing hallucination risks and strengthening the factual basis for downstream explainability. The Chat Agent provides contextual recommendations derived from policy-validated and DLP-filtered inputs. Within this architecture, SLMs serve as the default reasoning engine for tasks involving personal data, thereby supporting data minimisation principles and enabling sub-second response times. The invocation of LLMs is restricted to pseudonymised, knowledge-based artefacts, and occurs only when tasks require reasoning capabilities beyond those of SLMs. The allocation between SLM and LLM follows a deterministic routing policy governed by sensitivity, task complexity, latency, and faithfulness checks, with each routing decision rendered auditable through trace identifiers and policy metadata. The Orchestrator deterministically routes inputs to SLMs or LLMs by sequentially applying sensitivity, task complexity, latency/resource, and faithfulness gates. It defaults to SLMs for personal or low-complexity tasks within strict latency bounds and escalating to LLMs only when inputs are pseudonymised artefacts, tasks demand higher reasoning capacity, or SLM outputs fail accuracy or evidence-alignment checks [
55]. The XAI Agent transform decision traces into human-readable explanations. By generating symbolic, rule-based rationales and evidence chains from CloudEvents and retrieval outputs, it avoids opaque black-box justifications and reinforces transparency and stakeholder trust [
56]. The Audit Agent enables system-wide accountability by asynchronously recording all events in CloudEvents format. Each event is enriched with signed metadata, including trace_id, policy_version, and consent_version, enabling tamper-evident logging that supports both real-time monitoring and post hoc Data Protection Impact Assessments (DPIA) [
47]. Finally, the message bus facilitates inter-agent communication through a decoupled publish/subscribe mechanism. It provides scalability, fault tolerance, and resilience while maintaining observability through W3C Trace Context propagation.
Minimum requirements. All components must satisfy the following constraints: TLS 1.3 exclusively, restricted to TLS_AES_128_GCM_SHA256 or TLS_CHACHA20_POLY1305_SHA256 in accordance with NIST SP 800-53 AU and IETF RFC 8446 [
42,
57,
58]; mTLS for Agent-to-Agent (A2A) and gRPC interactions, consistent with the OAuth 2.0 mutual TLS profile [
51]; OAuth 2.0 BCP with least-privilege scopes, access-token Time to Live (TTL) ≤ 5 min, and no refresh tokens for server-to-server interactions [
50]; certificate and key rotation every ≤ 90 days [
59]; NATS JetStream max_age ≤ 24 h for minimised PII (7–30 days for non-PII) [
60]; Kafka retention.ms ≤ 24 h for PII, with audit topics compacted and retained 365 days without PII [
61]; Redis Streams trimmed to 24 h where PII exists [
62]; and fail-closed enforcement if policy_version, consent_version, or purpose_id are missing [
63,
64]. Retention and TTL constraints for message buses are defined in the Security and Retention Profile (
Appendix A).
The PCP governs protocol usage by binding each data flow to policy, consent, and purpose constraints, ensuring that transport-layer decisions remain auditable and legally compliant.
Deployment.
Containerisation and Namespace Isolation. The deployment of the privacy-aware MAS is designed to combine modular scalability with strict compliance guarantees. The architecture is implemented in a containerised environment orchestrated by Kubernetes [
65], which provides automated scheduling, scaling, fault recovery, and namespace isolation [
66]. Each agent (Orchestrator, Consent and Policy Control, DLP, RAG, Chat, XAI and Audit) is deployed in an independent pod, while supporting subsystems enforce cross-cutting requirements for policy management, secure communication, and data protection.
Personal and Non-Personal Zones. The secure zone is protected by Kubernetes Network Policies, which restrict inter-namespace traffic and prevent personal data flows from being routed into non-personal domains [
67]. In this scenario runtime isolation is enforced with Pod Security Standards and kernel-level profiles, reducing the risk of container breakout attacks [
68]. All processing involving personal data is confined to a secure zone, where low-latency reasoning tasks are executed. Personal data never leaves this zone in raw form: identifiers are removed or minimised before artefacts are transferred to the non-personal domain. This design ensures strong isolation and direct alignment with data minimisation principles. The non-personal zone hosts LLM escalation, knowledge retrieval, recommendation, and XAI Agents. LLMs process only pseudonymised artefacts or non-personal knowledge. SLMs handle personal data solely within the secure zone, under consent and data minimisation controls. The PCP distributes signed, versioned policies, and every message carries a trace_id, policy_version and consent_version, validated by each agent. This mechanism enforces purpose-bound processing and produces a reproducible evidence trail that supports system-wide accountability [
24,
25,
63,
64].
Communication Layer. A hybrid message bus underpins inter-agent communication, balancing durability, latency, and control. Apache Kafka provides durable, auditable streams [
69]; Redis Streams supports low-latency ephemeral channels with short retention; and NATS JetStream carries lightweight control signals [
60]. This layered design ensures operational resilience while supporting privacy-driven data minimisation.
Service Mesh. A service mesh (Linkerd at baseline [
70], Istio at scale [
71]) intercepts all inter-agent traffic through sidecar proxies [
72]. It enforces mutual TLS, context propagation, retries, and policy checks at the network layer, while exporting telemetry via W3C Trace Context [
63] and CloudEvents [
64]. This approach provides uniform observability and fault isolation without modifying agent logic.
Vault Subsystem. A dedicated Vault subsystem manages cryptographic material. It issues short-lived OAuth2/OIDC [
51] tokens, performs automatic TLS certificate rotation, and records lifecycle events. This centralised approach reduces exposure windows for secrets and aligns with controls on key management [
43].
RAG Subsystem. RAG is supported by a Vector Database (VDB) that enables Approximate Nearest Neighbour (ANN) search across embeddings. For small and medium deployments, embedded solutions such as pgvector or FAISS [
73] are sufficient, while large-scale workloads use dedicated engines such as Milvus or Qdrant [
74]. This subsystem delivers evidence retrieval with provenance guarantees. Personal embeddings are stored exclusively in the secure zone, while the non-personal VDB manages only pseudonymised artefacts, maintaining strict separation between sensitive and non-sensitive data [
75].
Event Logging and Compliance. All agents emit CloudEvents [
64] enriched with compliance metadata, which are consolidated into tamper-evident logs. This ensures traceability, supports regulatory audits, and provides a verifiable accountability layer across the entire system.
Fallback Strategy. If DLP or consent validation fails, the system defaults to KB-only mode, preventing any personal data processing outside lawful conditions. If RAG services degrade or fail, the system returns cached responses from the most recent stable KB snapshot. If the Consent Agent, Security/DLP Agent, and Chat Agent become unavailable, processing continues exclusively through the non-personal path, with outputs restricted to generalised guidance derived from the KB [
25,
26,
63,
64].
Audit and DP. The Audit Agent incorporates a logically separated analytics tool that applies OpenDP/SmartNoise [
76] under differential privacy. The deployment strategy ensures graceful degradation, with fallback to generic retrieval when personalised agents are unavailable, fault tolerance through Kubernetes rescheduling and message bus replay, and comprehensive observability. All fallback mechanisms follow a fail-closed posture: if required metadata (consent_version, policy_version) is missing or invalid, personal data processing is blocked, and KB-only responses are returned.
Observability and Tracing. The proposed MAS integrates a comprehensive observability subsystem to ensure that operational behaviour remains transparent, auditable, and diagnosable in real time. Tracing is implemented using OpenTelemetry, with Jaeger as the backend. The W3C Trace Context standard ensures that spans originating in the Consent Agent propagate consistently across downstream agents, enabling reconstruction of end-to-end workflows. Retention policies limit logs to compliance-mandated durations. Non-PII metadata is stored for up to 365 days. PII is excluded from observability data by design [
24,
25,
47,
64]; detailed mappings are provided in
Appendix A. Each agent within the MAS is deployed as an independent Kubernetes pod, with strict namespace isolation and integration into the hybrid message bus. The Orchestrator, implemented as a FastAPI service connected to Kafka and NATS, coordinates the lifecycle of other agents and enforces orchestration policies. The Consent Agent, a microservice handling JSON-LD consent records [
77], enforces runtime consent, processes revocation requests, and applies purpose limitation; its events are routed through Kafka and Redis adapters [
78]. The Audit Agent, built on OpenTelemetry [
79] and Elasticsearch [
80] (scalable search and storage engine for logs and events), Logstash [
81] (pipeline for log collection and transformation), and OpenSearch Dashboards [
82] (visual interface for querying and dashboards). It collects and signs audit logs, stores CloudEvents in Kafka. The DLP, equipped with Named Entity Recognition (NER) models and a redaction engine (Stanza [
83]), performs pseudonymisation and minimisation prior to storage or retrieval of personal data. Its access to the VDB is restricted through RBAC policies. The RAG Agent uses frameworks such as LangChain [
84] with Qdrant [
85] to perform knowledge retrieval under privacy-preserving filters. It falls back to KB-only responses when metadata such as policy_version or consent_version are missing or invalid. The Chat Agent, implemented as a ML service (Framework ML: scikit-learn [
86]), delivers personalised outputs through Redis and NATS channels but reverts to KB-only outputs when consent or DLP validation fails. The XAI Agent integrates libraries such as LIME [
87] to generate explanations and enforce Human-in-the-Loop (HITL) reviews, recording all explanation events as CloudEvents. The RBAC Service, integrated with a Vault service (HashiCorp Vault [
54]), manages secure generation, rotation, and revocation of cryptographic material, and distributes signed policy manifests across the system. Observability is implemented as a cross-cutting subsystem that combines Grafana dashboards [
88] with Jaeger tracing [
89] to provide unified monitoring of metrics, logs, and traces to support Service Level Agreement (SLA) compliance and fault diagnosis.
The layered model integrates Orchestrator hub coordination, Kafka-based audit trails, Redis low-latency exchanges, and NATS control signals, balancing compliance with resilience and scalability.
Threat modelling and validity threats. The LINDDUN framework [
90] is applied to the architecture’s concrete Data-Flow Diagrams (DFDs), enabling linking of identified threats to controls and to verifiable evidential artefacts of the MAS (
Appendix C).
Each identified threat is linked to a control and to a verifiable artefact, such as a signed CloudEvent containing traceparent, policy_version, and consent_version when applicable, a consent snapshot, a DLP rule_id with model_version, or a differential privacy ledger entry [
47,
63,
64]. Data retention is bound to transport class: Redis stores personal data for ≤24 h, Kafka retains non-PII for 365 days, and NATS is used for ephemeral control traffic [
60,
61,
69,
91].
Assumptions. The analysis assumes a controlled deployment with mutual TLS across all communication [
92], rotating short-lived certificates [
59], preserved vault integrity [
43], clock synchronisation across nodes [
93], and an active DLP subsystem.
Adversary model. Three categories are considered: external attackers targeting network interfaces and APIs [
46], authorised insiders with curious access [
48,
75], and third-party tool or service providers [
48]. Out of scope are endpoint compromise, operating-system root-level attacks, and hardware backdoors.
Method, scope, and traceability. DFDs include sensitivity labels and transport/retention assignments. Each element is evaluated against the seven LINDDUN categories and all identified threats are recorded in a traceability register (
Table 2). The register links DFD element, LINDDUN threat, controls to evidential artefact. It employs a standardised vocabulary based on formal taxonomies, supports automated cross referencing to DFD artefacts, and provides input for evidence extraction and audit replay [
90]. References to
Appendix C and
Appendix D point to supporting artefacts. These appendices exemplify the artefacts that substantiate the conceptual threat assessment.
Appendix C presents the reproducibility-bundle schema together with a representative export comprising an audit event, consent snapshot, DLP entry, PCP resolution, VDB provenance, and privacy-accountant excerpt.
Appendix D documents the complete LINDDUN mapping, qualitative risk scores, and the validation checklist, including sensitivity analyses, PCP continuous-integration tests, and portability smoke tests.
Within the LINDDUN categories of Disclosure and Content Unawareness, hallucination is treated as a combined disclosure and misinformation risk. Mitigation strategies rely on the systematic tracking of trace_id, policy_version and consent_version tracking, DLP-based minimisation, RAG provenance records, and fail-closed. On detecting deviations, the system triggers auditing and returns a non-personalised fallback response.
Validity threats. Construct validity risks arise from proxy measures (timestamp coarsening, hashing, privacy budget in differential privacy). Internal validity is affected by policy drift [
102]. External validity depends on middleware defaults (Kafka, Redis, NATS) [
69,
78,
103]. Conclusion validity is contingent on the availability of a complete reproducibility bundle (signed audit event, consent snapshot, DLP entry, PCP resolution, VDB provenance data) [
76,
98,
102]. The complete reproducibility-bundle schema and the sample artefacts used in the assessment of conclusion validity are presented in
Appendix C. The full LINDDUN mapping together with the associated validation checklists is provided in
Appendix D.
DFD identifiers. Each element has a stable dfd_id of the form DFD-L<level>-<component>-<seq>. L1 denotes context diagrams; L2 identifies detailed sub-flows [
90]. The complete registry and version history are provided in
Appendix D.
Evidence captures must be both deterministic and minimal. For each trace, only the following artefacts should be collected: (i) signed audit CloudEvent [
64], (ii) consent snapshot [
95], (iii) DLP/redaction entry [
104], (iv) PCP resolution [
49], (v) VDB provenance [
97], and (vi) privacy-accountant excerpt [
76]. All artefacts must include canonical attributes (traceparent or mapped trace_id [
63], policy_version, consent_id, consent_version, decision/action, timestamp) as well as provenance metadata [
43]. Where raw content cannot be shared, redacted copies should be provided alongside hash commitments [
102]. A sampled trace should include: the signed audit event with its offset; the corresponding consent database row or snapshot; the DLP log line with rule_id, model_version, and action; the PCP-resolution log with applied policy_version; the VDB retrieval_provenance file for the relevant query_id; and the privacy-accountant ledger excerpt. This bundle supports DPIA validation and remains compliant with GDPR requirements, provided that retention guarantees are enforced [
24,
43,
105].
Comparison with other frameworks. We evaluate the proposed architecture against alternative frameworks using seven criteria (C1–C7) (
Table 3) derived from established international standards and regulatory guidance. The criteria cover governance and auditability, consent orchestration, clinical interoperability, privacy-enhancing technologies, edge performance, local explainability, and federated lifecycle management. Each criterion is assessed using verifiable technical and procedural controls aligned with GDPR and EU AI Act accountability requirements.
Privacy-preserving analytics in healthcare have shifted from centralised data lakes to distributed paradigms such as “algorithm-to-data” approaches and federated learning. Contemporary frameworks illustrate this transition: NVIDIA FLARE [
20] integrates audit logging and PETs [
20]; Substra applies a “data never leave the node” model with ledger-backed traceability [
21]; DataSHIELD enables non-federated assign/aggregate statistics. Agentic enablers such as Microsoft Healthcare Agent Orchestrator [
107] and Model Context Protocol (MCP)-FHIR connectors bridge multi-agent workflows to FHIR endpoints [
108]. Despite these advances, two gaps remain in clinical assisted settings: (1) limited production-grade FHIR conformance and (2) the absence of consent orchestration aligned with ISO/IEC TS 27560 [
77]. ENISA further emphasises that PETs should be integrated as engineered controls within governance frameworks rather than appended in an ad hoc manner. The proposed architecture addresses these gaps by combining a secure MAS (supporting consent management, audit/DLP, local explainability) with a hybrid message bus and a SMART-on-FHIR perimeter, encapsulating FL runtimes and non-FL distributed analytics as agents. This design preserves the strengths of PET- and FL-based approaches while resolving critical governance and conformance gaps (C2–C3–C6), thereby supporting deployment in autism-care settings. A detailed criterion-based comparison (C1–C7) is presented in
Appendix B.
Experimental setup. The operational validity of the proposed PbD MAS was assessed through a structured empirical evaluation of complete Retrieval-Augmented Generation pipeline. The evaluation employed two complementary evaluation datasets (combined n = 250), covering clinically grounded knowledge and naturalistic caregiver communication. To assess practical feasibility, all experiments were conducted on consumer-grade edge hardware. Specifically, the system was deployed on a MacBook Pro M4 with 16 GB RAM, running a containerised microservices stack and a local language model runtime.
The system implements a modular multi-agent architecture composed of narrowly scoped agents, supporting PbD principles and end-to-end traceability. Processing begins with a DLP-first pipeline, in which caregiver or clinical text is processed by a dedicated Security/DLP Agent for pseudonymisation and personal data redaction. Raw identifiers are not stored; only sanitised text is subsequently chunked and indexed in the vector database by the RAG Agent. Consent enforcement, runtime policy checks, and residual PII validation operate across both retrieval and generation stages. Audit logging and distributed tracing provide accountability and traceability aligned with GDPR and EU AI Act requirements.
Scenario Evaluation. An MVP of the proposed system was evaluated under controlled conditions. In addition to the technical assessments of data processing and retrieval, reported in the Results section, we designed and implemented a representative MAS use case. The scenario models secure remote collaboration between a caregiver and a specialist, such as a therapist or special education teacher, who must review home-based progress. The use case verifies that the distributed agent architecture safeguards personal data while maintaining the required communication flow. The scenario covers an end-to-end cycle of sharing child’s observation records, from data ingestion to authorised access and consent revocation. A caregiver uploads a child’s observation note. The Security/DLP Agent processes the note using three detection layers. Regular expression (Regex) detects fixed patterns. NER from Presidio (2.2.360) identifies structured entities. A context-sensitive detector loads entries (e.g., the child’s name) from a local SQLite (3.50.4) context and marks them as PII. The DLP engine produces deterministic placeholders using salted SHA-256 hashes. A dual storage model in the note_registry table stores (i) the original text in encrypted form, (ii) an anonymised version for retrieval, and (iii) pii_spans_json to enable reconstruction when authorised.
The RAG Agent stores anonymised child’s observation records in Qdrant (v1.16.3). The retrieval strategy combines dense embeddings with sparse BM25 search. Maximal Marginal Relevance (MMR) filters the combined set. To prevent cross-user leakage, separate collections are maintained for each caregiver. Specialist access is managed through a token-based mechanism. After admin approval, the system issues a Universally Unique Identifier (UUID) token which is recorded as “active” in the assignments table. When a specialist accesses a record under an active token, the system reconstructs the original view by inserting values from the child context into the anonymised text. Once the token status becomes revoked, reconstruction is blocked and only the anonymised text is exposed. The Chat Agent performs local inference, using LM Studio (0.3.39—Build 2), to avoid cloud-based exposure.
The agent merges child’s observation records from the rag_collection with objective guidance retrieved from the global_knowledge collection. A system prompt constrains the agent to an Applied Behaviour Analysis (ABA) therapy assistant and explicitly prohibits diagnostic content. The MCP gateway performs consent and DLP checks prior to generating any output. All activities are logged by the Audit Agent to ensure GDPR-aligned accountability and compliance with EU AI Act traceability requirements.
Evaluation methodology: The empirical evaluation of the proposed Privacy-by-Design Multi-Agent System employs the RAGAs (Retrieval-Augmented Generation Assessment) framework proposed by Es et al. (2024) [
109], adapted for deployment with locally hosted LLMs to ensure reproducibility and eliminate dependencies on external API services. Two domain-specific evaluation corpora were developed to assess system performance across complementary linguistic and informational contexts.
The DSM-5 Knowledge QA Dataset (
n = 100) consists of question–answer pairs derived from the Diagnostic and Statistical Manual of Mental Disorders 5th Edition [
110] and evidence-based literature on autism interventions. The questions cover diagnostic criteria, behavioural indicators, therapeutic modalities (including applied behaviour analysis, speech therapy, and occupational therapy) and prognostic aspects. The dataset evaluates retrieval and synthesis of clinically grounded information using medical terminology.
The Caregiver Notes QA Dataset (n = 150) simulates naturalistic communication between caregivers and educational or therapeutic specialists. The notes cover eight behavioural categories, including daily transitions, communication patterns, sensory responses, social interaction, routine adherence, therapy observations, behavioural incidents, and health-related observations. The dataset assesses retrieval performance on informal observational language commonly used in caregiver documentation.
In addition, 30 metadata filter test cases were used to validate access control mechanisms, including single-value filters, OR condition queries, combined filter operations, owner-based restrictions, and edge case scenarios.
The evaluation framework implements 14 metrics organised into four methodologically distinct categories:
- (a)
LLM-as-a-Judge metrics—6 metrics
Answer Relevancy is a core evaluation metric that assesses the extent to which a generated response addresses the original user query. The metric is computed by reconstructing a set of synthetic questions from the generated answer using an LLM and measuring their semantic similarity to the original query embedding:
where
denotes the embedding of the original question and
represents the embeddings of the reconstructed questions derived from the generated answer. Lower values indicate reduced relevance, reflecting the presence of redundant, incomplete, or off-topic content in the generated response [
109].
Faithfulness quantifies the proportion of answer claims that are supported by the retrieved context. The computation follows two steps: (i) atomic claims are extracted from the generated answer, and (ii) each claim is verified against the retrieved context using Natural Language Inference (NLI). Formally:
where
denotes the set of atomic factual statements extracted from the generated answer and
denotes the subset verified as entailed by the retrieved context [
109].
Context Precision measures the position-weighted relevance of retrieved documents:
where
∈ {0,1} indicates the relevance of the context at rank k, and Precision@k denotes the proportion of relevant contexts in the top-k retrieved results [
109].
Context Recall evaluates whether content from the reference answer is attributable to the retrieved context and is defined as:
where
denotes the set of sentences in the gold-standard answer, and S_supporteddenotes the subset of sentences that are verified as being supported by the retrieved context [
109].
Answer Correctness and
Context Relevance are assessed using direct LLM evaluation on a 1 to 5 ordinal scale, measuring factual accuracy against reference answers and alignment between the query and the retrieved context, following the LLM-as-a-Judge paradigm [
111].
- (b)
Answer Similarity measures the semantic similarity between generated and reference answers by computing the cosine similarity between their embedding representations:
where the embedding vectors
and
are generated using the mxbai-embed-large-v1 embedding model.
- (c)
Information Retrieval Lexical Metrics—4 metrics
Precision@K follows the classical definition in information retrieval [
112], measuring the proportion of relevant documents among the top-K retrieved results. Relevance is formalised as a binary predicate based on lexical overlap with the gold-standard answer:
where
denotes the set of the top-K retrieved documents, and
= 0.3 represents the minimum word-overlap threshold. The function
computes the proportion of shared significant terms (length > 3, excluding stopwords) between the retrieved context
d and the reference answer [
112].
Recall@K quantifies the coverage of gold-standard answer content by the retrieved documents:
where
significant lexical units through tokenization, stopword removal, and length-based filtering [
112].
Mean Reciprocal Rank (MRR) evaluates ranking quality by measuring how early the first relevant document appears in the ranked list:
where
is the set of evaluated queries,
denotes its cardinality, and
is the rank position of the first retrieved document deemed relevant for query
i. If no relevant document is retrieved within the top-K results, the reciprocal rank is defined as zero [
113].
HasHits indicates retrieval success as the proportion of queries for which at least one relevant context is retrieved:
where
denotes the set of evaluated queries,
is the set of top-K contexts retrieved for query i,
θ is the lexical overlap threshold, and
is the indicator function, which returns 1 if the condition is satisfied, and 0 otherwise [
112].
- (d)
Heuristic Quality Metrics
Harmfulness identifies healthcare misinformation with safety risk using deterministic pattern matching. The method applies five domain-specific regular expression patterns: (i) dangerous treatment language, (ii) anti-medical advice (e.g., “stop medication”), (iii) unsubstantiated cure claims, (iv) known harmful substances (bleach/Miracle Mineral Solution (MMS), unregulated chelation), and (v) anti-vaccination content. The metric is conservative. It favours safety over recall.
where
indicates whether harmful pattern
i is matched in the generated response and
corresponds to the predefined set of harmful content patterns. A score of 0.0 indicates no detected harmful content, while a score of 1.0 reflects the presence of multiple high-risk patterns. Lower values are preferable [
114].
Coherence metric measures structural organisation and linguistic quality. It combines sentence validity, discourse connectors, and lexical diversity for short, domain-specific outputs.
where
S = 0.3 if at least one sentence exceeds 10 characters (and 0 otherwise), C = 0.3 if at least one discourse connector appears (else 0), and
with
total number of tokens and
the number of unique tokens. Discourse connectors include examples such as because, therefore, however, and additionally [
115].
Noise Robustness measures reliance on retrieved context rather than speculative language. The metric rewards explicit evidence references and penalises uncertainty markers linked to hallucination.
where
) and
. Grounding phrases include expressions such as “according to”, “based on”, “as mentioned”, and “the context shows”, whereas hedging phrases include expressions such as “I think”, “probably”, “might be”, “could be”, and “generally speaking”. Higher scores indicate evidence-based, context-anchored responses, whereas lower scores suggest speculative or weakly grounded output [
116].
The evaluation judge, Meta Llama 3 8B Instruct, operates via local deployment through LM Studio ensuring deterministic reproducibility without reliance on external service dependencies. Embedding generation utilised the mxbai-embed-large-v1 model (text-embedding-mxbai-embed-large-v1). The vector database, Qdrant with HNSW indexing [
73], applied a minimum relevance threshold (min_score = 0.3) for context filtering, retaining the top-3 semantically similar chunks per query. This configuration prioritises precision over recall in context selection to minimise hallucination risk while maintaining response groundedness.