We study the problem of jointly designing the sensor and controller for a dynamical system driven by a privacy-sensitive input process. This problem is motivated by the modern thermostat control example where home's occupancy is continually monitored and leveraged to tailor thermostat behaviors for better energy savings and comfort, which, however, arouses users' concern over privacy. We start by quantifying the instantaneous privacy loss in a control system under standard inference attacks. We present the closed form of privacy loss for linear Gaussian systems and propose a sampling-based method to approximate privacy loss for general dynamical systems. The optimal control and sensor query strategy for a private-input-driven system is then characterized, and we further prove the validity of separation principle for a linear system with Gaussian disturbance and quadratic cost under the privacy loss proposed in this paper. We close the paper by demonstrating the flexibility of the joint sensor-controller policy in the occupancy-based thermostat control example and providing some insights on the tradeoff among energy, comfort, and privacy.