(Designing a Telemonitoring System) In this problem, we will simulate designing a technology that allows doctors to monitor their patients` health status after discharge from the hospital. This field is generally referred to as telehealth or telemonitoring. Using this design exercise, we will utilize privacy by design to identify and thwart the various privacy threats that this technology may encounter. In addition to the design principles of the privacy by design framework, make sure to consider statistical inference and how it plays a role in creating privacy threats and risks (the inference threat). The general workflow of telemonitoring consists of health data collection about patients during their regular daily activities. The collected data from the patients are then submitted to the cloud. The cloud can potentially have access to environmental and population data. Using all collected data (patients, population and environmental), the cloud employs predictive models to assess the risk of clinical deterioration of patients. The output of the predictive analysis is presented to medical professionals who may also provide their input on the status of the patients. Whenever a specific patient is deemed to be at risk of clinical deterioration, medical intervention may be employed to reduce this risk. This workflow is depicted in Figure 1

For a range of health conditions, it is vital for medical personnel to monitor the activity levels of their patients. This includes the types of activities they perform and the levels at which they perform them. In our technology, we will focus on walking/jogging as an activity.

We would like to incorporate an activity monitoring component that logs

i) the estimated distance that the patient covers while walking or jogging; and

ii) a general description of the terrain in which the patient walks or jogs (e.g., elevation, elevation change, urban/non-urban).

For this problem, we assume that the activity monitor is the only component in the system.

(a) Identify the privacy threats and risks that are associated with including the described activity monitoring component to the telehealth technology we are designing.

(b) How would you design the activity monitoring component in a manner that mitigates these risks? Describe your design choices in terms of the 7 privacy by design principles. We are now interested in releasing the data collected from the telemonitoring technology to the public. The to-be-released dataset should include information about each walking/jogging session of each individual who is using the system, including the following pieces of information. • Demographic information (e.g., gender, date of birth, zip code); • Collected data, as designed in the previous parts; and • Medical information (e.g., medical condition/diagnosis, prognosis). We have two options for such a release: (a) non-interactive dataset; or (b) interactive database.

(c) Discuss the privacy threats related to the release of the dataset as a non-interactive dataset.

(d) What measures will you take in order to mitigate the risks identified in the previous part before releasing the dataset?

(e) Discuss the privacy threats related to the release of the dataset as an interactive database (access through an API).

(f) What measures will you take in order to mitigate the risks identified in the previous part before allowing users to access the database?