Data Privacy, Ethics and Education in the Era of AI - A University Student Perspective

Rebekah Rousi 2, Hanna-Kaisa Alanen 1,2 and Anne S. Wilson 3

1 University of Vaasa, Vaasa, Finland
2 University of Jyväskylä, Jyväskylä, Finland
3 Deakin University, Melbourne Burwood Campus, Australia

Abstract

In today’s world nothing has been left untouched in relation to artificial intelligence (AI). AI is used for everything from mowing lawns to reporting news. One field in which its presence is highly complex and multifaceted is education. Discussions regarding both the role of AI and the role of learning in education have taken center stage. The field of tertiary education has proven particularly problematic in terms of AI adoption. Ethical issues have arisen across the domain including whether or not generative AI should be used in education and how, the ethicality of learning analytics, and privacy concerns. With the aim of gaining insight into the sentiment of tertiary level students towards privacy in the era of widespread AI, the authors conducted an interview study with nine university student participants. The interviews concentrated on: privacy in studies and student life; data privacy advocacy; level of protection provided by tertiary institutions (universities); understandings of the General Data Privacy Regulation (GDPR); and bodily sensations linked to privacy. The results reveal differences of opinion regarding concern for privacy, yet there was overall consensus that GDPR aided in protection against privacy violation. Findings indicate a tendency towards resigned acceptance and genuine concern for the ethics of university technology-related data practices.

Keywords

Ethics, privacy, higher education, technology, universities, experience, artificial intelligence, trust

1. Introduction

There are no sectors of modern societies that have not been affected by the widespread implementation and adoption of artificial intelligence (AI).
From cooking to surgery, the application of AI-driven systems and machine learning (ML) are either being designed or implemented in ways that transform the ways that services and goods are delivered, as well as the ways in which people work. Along with healthcare, education has been a core field in which the use of AI has been deliberated for the last few decades. Whether early childhood or tertiary education, AI has been considered for a range of use contexts and applications: learning (e.g., virtual tutoring and tailored educational delivery, see [1][2]); learning analytics [3]; grading and feedback; accessibility [4]; facilities management; cooperation and collaboration; as well as safety and security (AI-enabled physical and cyber security systems). Connected to data privacy and trust in the higher educational setting is the idea of organizational trust. Organizational trust refers to the ways in which individuals feel they can trust or depend on an organization to act in a responsible and reliable way, with the individual’s interests in mind [5]. There are numerous factors that erode trust such as organizational profits over customer, student or other stakeholder’s best interests, manipulation, and lack of transparency - communicating one message while acting in a different way. These are issues that are rife in our current global surveillance society, particularly regarding data privacy and data policy. Universities are organizations in which trust is paramount for the promotion of learning and wellbeing via nurturing psychological safety [6]. Unfortunately, current discussions and advancements on data privacy - the use, collection, storage and trade of personal data (identifiable information such as names, addresses, email addresses, preferences etc.) - neglect the impact of privacy concerns such as mistrust, stress and anxiety, on the ability to learn within socio-technical environments such as universities and schools. Therefore, in light of current AI developments and data privacy discussions we pose the research question: How do tertiary students experience data privacy in the context of their university lives?

7th Conference on Technology Ethics (TETHICS2024), November 6-7, 2024, Tampere, Finland
Rebekah.rousi@uwasa.fi (R. Rousi); hanna-kaisa.h-k.alanen@student.jyu.fi (H-K. Alanen); anne.wilson@deakin.edu.au (A. Wilson)
0000-0001-5771-3528 (R. Rousi); 0000-0002-8797-3432 (H-K. Alanen); 0000-0001-7369-0258 (A. Wilson)
© 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings, ceur-ws.org, ISSN 1613-0073

The current paper aims to ascertain an understanding of the core concerns university students have regarding data privacy in the context of universities - learning and student life. It explores the relationship between the experience of data privacy, conceptualization of policy and regulation (i.e., in reference to the General Data Privacy Regulation), and higher education. The participants (N=9) were university students (8 females; 1 male) who responded to a text-based interview (qualitative questionnaire) in which they could anonymously and candidly express their feelings and experiences towards matters of privacy in the university context. The study focused on emergent privacy issues in studies and student life, feelings of protection in relation to data privacy, and personal conceptualizations (interpretations) of GDPR among students. The paper begins by describing previous efforts in researching AI and privacy in university settings and among students. The text-based interview method (qualitative questionnaire) is then described in light of participants, procedure, ethical research practices, and analysis. The results are reported according to the question themes, which are subsequently divided into salient themes emerging in the responses.
The discussion deliberates the findings in light of the salient themes. Here, new considerations are raised that illustrate the complexity of ethics, privacy and information technology in the university context as a whole.

2. Perceptions of Privacy in Tertiary Education

Issues of privacy at the level of tertiary education have been ongoing for decades. Prevalent issues arising in relation to privacy perceptions of students in higher education institutional settings have included: questions of power and power relations; data (information, knowledge) ownership; policy; vulnerabilities through access to health and performance data; ineffective, inconsistent and unsecure data management practices; and emerging issues related to technological advancements including social media and AI, such as social implications and inaccuracy in predictive algorithms (see e.g., [7][8][9]). Thus, the contemporary tertiary landscape is riddled with traditional concerns related to ownership, security and power dynamics of who has access to what (and whom), combined with the newer complexities introduced by recent advancements in information technology. Coupled with the implementation of automated data-driven systems such as AI, is the rising awareness of privacy matters through policy (i.e., GDPR regulation and practices), scandals (misuse of data and new threats to safety and security, e.g., deep fake fraud), and renewed discussions on agency and fairness in education during the era of AI [10].

The rapid uptake of AI in education that is characterized by formal (i.e., organizational e-learning platforms, learning analytics etc.) and informal (i.e., Large Language Models and generative AI such as OpenAI’s ChatGPT) adoption has added to interests in delving into issues pertaining to privacy and ethics (e.g., intellectual property, biases, plagiarism and learning etc.).
Research articles and discussion papers are growing in numbers as scholars, teachers, administrators and even students alike struggle to grasp the elements, dynamics and impact of AI implementation in specific use contexts. Studies focus on a number of aspects relating to both the education itself, as well as how AI and its ethical implications affect the overall university ecosystem. This demonstrates the complexity of the area, and calls for attention towards gaining detailed insight on a more personal level regarding individual (students’, teachers’ and other stakeholders) experiences and conceptions across the levels of university involvement. For instance, one study by Irfan, Aldulaylan and Algahtani [10] examined the influence of AI from the perspective of ethics and privacy in Irish higher education. Their findings indicate slight differences in the understanding and perceived severity of data privacy concerns between science and technology-focused students as compared to studies in social sciences, law, public administration and the humanities. They observed that science and technology-focused students harbored greater levels of concern for privacy in the information systems as compared to other students.

Lan Huang [11] analyzed the implementation of AI in higher education in light of ethical AI principles identified by the Ministry of Science and Technology of China’s “Ethical Rules for New-generation Artificial Intelligence” [12], and UNESCO’s Recommendation on the Ethics of Artificial Intelligence [13]. Huang’s study showed a coupling of challenges posed by the increase in mass data collection in universities, with threats to student autonomy and imminent data monopoly. These findings demonstrate longer-term implications for mass data collection at tertiary education level that affect not only individual students and their future lives, but additionally ownership and control of large data sets.
These data sets comprise, among other things, intellectual property, identities, learning analytics and predictive models to name some. Other studies such as those by Köbis and Mehner [14] and Li, Dhruv and Jain [15], as well as Slimi and Carballido [16] focus more on other ethical questions such as data bias, openness and transparency, trust, human displacement and issues of social-emotional support in AI-enhanced higher education. The issue of privacy once more was raised in terms of future career prospects based on data profiling of students. The current paper probes more into the experiential realm of students - how they have encountered and how they conceptualize data privacy in the context of university studies and university life (the social and life ecosystem surrounding the student and university). It delves into issues of trust, safety and the feelings of being protected, while probing understandings of GDPR and what it means to them personally.

Thus, the subjective experience of privacy in the field of tertiary education among students is multifaceted - mingled with personal experiences and diverse understandings of policies, regulations and practices. These sentiments affect not only the experience of learning and being on campus and within educational information systems, but play out in other areas of life as ripple effects such as future workplaces, interpersonal relationships, and overall views of trust in society [17]. The consideration of these aspects of privacy in a hands-on creative arts course for non-arts students that ventured through the development and philosophy of photographic technology (from camera obscura to AI and 3D printings) meant that these days commonly discussed issues were embodied, and expressed in non-verbal ways. This makes the current study unique from previous tertiary student privacy research.

3. Method

The study was carried out as a written interview, or open-question (qualitative) questionnaire that was issued to a group of Communication Studies students (N=9) during a workshop course on artistic process with the theme privacy. All student participants were of Finnish nationality and were aged between 20 and 50 years of age. The students come from diverse backgrounds - some fresh school leavers in the first and second year of bachelor education, while two were undertaking their second undergraduate degree, re-skilling from other professions. The second-degree students had backgrounds in professional communication and marketing, as well as information technology and e-commerce. The university in question is traditionally an engineering (particularly energy and software engineering) and business school. Creative practice has not been a part of the formal curriculum in any of the degree programs offered. Therefore, the context of this study was that of a pilot workshop course in art and creative thinking. The students performed exercises designed to increase their sensitivity to the phenomena, the environment, and their own inner voice. The theme of privacy directed the students’ work and reflections towards a specific phenomenon.

In compliance with GDPR, all students were supplied with information about the study, its purpose and the subsequent publication of results. They were also given a privacy notice stating the type of data that could be collected, where it would be stored, how it would be used, and who would be in charge of storage. Then, in compliance with GDPR and the university’s research ethics guidelines, all participants signed an informed consent form. Participants were also made aware of the voluntary nature of the study, which included another part in which they had the option of ‘data ownership’ and ‘attribution of ideas’ in which their insight would be made public through privacy-related blogs.
All participants agreed to use of their data for the purpose of this study, some (four) agreed to attribution of ideas.

3.1. Procedure

The data for this study was collected via written interview (open field questionnaire) that was issued to the students at the beginning of the workshop course. The questionnaire itself was a part of a sensitization exercise designed to strengthen reflective and embodied awareness of phenomena - in this case, privacy and its relationship to them within their studies and university life. The precise questions are as follows:

Table 1
Interview questions

| No. | Question | Description of aim |
|---|---|---|
| 1 | How do issues of privacy emerge within your studies and student life? | Gain an overview of the state of privacy consciousness in university student life |
| 2 | Is there any point to advocating data privacy in the era of surveillance economy and machine learning? | Perceived agency in relation to data surveillance |
| 3 | What do you feel we’re being protected from in relation to data privacy? | Conceptualization of data gathering practices and consequences of them |
| 4 | What does the GDPR mean to you? (e.g., as a student) | Perceived level of protection gained from GDPR |

As seen in Table 1, the written interview comprised four questions focusing on: privacy issues in studies and student life; data privacy advocacy; the feeling of protection; and conceptualizing GDPR. Another two questions pertaining to bodily feelings of privacy and the boundaries between social curiosity and stalking were also asked. Yet, for brevity’s sake, we discuss those results in another paper. The study was conducted at the beginning of the workshop course in preparation of delving into the topic at a deeper level through arts-based methods. The study was implemented via Webropol, from which data was stored and processed on Excel files. Tables were then constructed and summaries written in Microsoft Word that were then reviewed among the three researchers.

3.2. Analysis

Thematic analysis [18] was undertaken ad hoc (see e.g., [19]) to extract salient themes emerging in relation to the relevant questions. These were then entered into Excel. Themes emerging in response to each question were firstly categorized by one researcher, then reviewed by the others. Consensus was reached in an iterative online discussion until the researchers were satisfied with the categories. The themes were categorized according to ‘approach’ (how they approached answering the questions - i.e., personal, general, universal, informative etc.), privacy issue, nature of the privacy issue and examples used within the responses. All three researchers discussed the final results presented in a Microsoft Word document in which summaries and tables were subsequently made. Given the inductive exploratory nature of the study, researchers sought to go beyond the known general concerns of data privacy (i.e., threats of leak, cyber security, misuse of data etc.) and delve deeper into the subjective personal insight of the participants.

3.3. Results

The results present the salient thematic categories of the question responses. The tables explain the approach taken by the participant when identifying and explaining issues. They then note the perspective of the factor in question, how many participants considered these matters, the nature of the perspective and examples. A total of 22 thematic categories were derived from the responses: privacy issues in studies and student life (eight); data privacy advocacy (six); the feeling of protection (four); and conceptualizing GDPR (five).

3.3.1. The emergence of privacy issues in studies and student life

The responses reveal concern for privacy issues related to digital interaction. These varied in nature between participants (see Table 2). Six out of nine participants approached the question from a purely personal perspective.
Two participants interpreted it from a more generic perspective, and one exhibited non-recognition of any privacy issues in relation to their studies or student life.

Table 2
Privacy issues in studies and student life

| Approach | Privacy Issues | No. | Nature of Privacy Issue | Examples |
|---|---|---|---|---|
| Personal | University personal data collection | 3/9 | Sensitive personal data | Personal information; Academic records; Library records |
| Personal | Online university feedback and evaluation | 4/9 | Confidentiality | Surveys; Questionnaires |
| Personal | Diverse mandatory digital learning platforms | 1/9 | Confidentiality | Learning platforms |
| Personal | Academic communication and messaging | 1/9 | Confidentiality | Emails; Social messaging apps |
| Personal | Participating academic research | 1/9 | Confidentiality | Thesis research participant |
| General | Privacy as educational subject | 2/9 | Privacy-related learning and skills | Communication studies; Marketing studies; UX design courses |
| General | Copyright knowledge in social media imagery | 1/9 | Privacy-related knowledge | IPR laws in visual media marketing |
| Non-recognition | Absence of privacy awareness | 1/9 | - | - |

The themes arising from the responses are described below. The themes are: university personal data collection; online university feedback and evaluation; diverse mandatory digital learning platforms; academic communication and messaging; participating in academic research; privacy as educational subject; copyright knowledge on social media imagery; and the absence of privacy awareness.

University Personal Data Collection. Two participants expressed their concerns about the university's extensive collection of personal data, which includes, in addition to other personal information, academic records (grades) and other administrative information. One was worried about library records, including borrowed books and research activities, which were considered highly sensitive from a privacy perspective. Another expressed concern for the collected health-related data.

Online University Feedback and Evaluation. Four participants highlighted the importance of maintaining anonymity in online university surveys and questionnaires, where students are highly encouraged to provide, for example, feedback and evaluations. This issue raised the most attention among respondents. The confidentiality was perceived as highly critical.

Diverse Mandatory Digital Learning Platforms. One participant expressed concern for the growing use of diverse digital learning platforms and mandatory digital accounts in usage within education. These accounts necessitate logging in with personal user information. This concern extended to studies in digital environments in general, with particular attention paid to the privacy protection in various group projects. These require collaboration and communication through several platforms, and the privacy was not perceived as trustworthy.

Academic Communication and Messaging. One participant expressed concerns pertaining to emails and other forms of messaging as part of the university student life. This means, for example, information exchange between students and faculty, encompassing both formal communication and instant informal messaging as well as group discussions through various digital platforms. Increasingly, this kind of messaging may also cover messaging across different locations and time zones due to "remote students".

Participating Academic Research. One participant expressed that privacy-related concerns most commonly arise when participating as a student in various university research initiatives, such as thesis projects. This is an issue that has been addressed in recent times both in university policy across institutions, as well as in ethical research discussions (see e.g., [20]).

Privacy as Educational Subject. Two participants focused on the integration of privacy concerns within their academic learning and course content, thus having a general approach to the question. They highlighted how, in certain areas of their studies, a significant emphasis is placed on understanding and applying privacy-related knowledge and skills. This perspective was seen particularly relevant in fields such as communication studies, marketing studies and user experience (UX) courses, especially considering how marketing and UX design heavily rely on understanding the user, or human dimension in general. Another respondent noted the challenges posed by dark web patterns in UX design.

Copyright Knowledge in Social Media Imagery. One participant highlighted the practical application of copyright laws in the creation and sharing of visuals for student events on social media. This demonstrates an awareness of intellectual property rights in image usage. They were also aware of the social responsibilities involved in creating and sharing content, especially in a public domain like social media. This comes with an understanding of the related ethical and legal considerations within a university student life environment.

Absence of Privacy Awareness. One participant revealed a lack of engagement with privacy issues and an absence of privacy awareness, suggesting that not all students are equally informed of or concerned about these matters. This could also be interpreted as either a relaxed attitude towards privacy or a gap in understanding its significance or value.

3.3.2. Opinions towards data privacy advocacy in the surveillance economy and machine learning

In response to the question of whether there is any point in advocating for data privacy in the era of surveillance economy and machine learning, participants collectively acknowledged the complexity of data privacy issues and emphasized the necessity for multifaceted advocacy approaches. All participants unanimously supported the advocacy of data privacy.
They highlighted various aspects ranging from viewing privacy as a fundamental right to implementing regulatory strategies and adaptation in digital disruption, with approaches that were informative, value-based, pragmatic or forward-looking. Despite this support, responses from two participants revealed underlying sentiments that questioned the effectiveness of such advocacy, thus expressing slight skepticism in an era dominated by surveillance economy and machine learning.

Table 3
Opinions towards data privacy advocacy

| Approach | Data Privacy Advocacy | No. | Nature of Privacy Advocacy | Examples |
|---|---|---|---|---|
| Universal | Unanimous support for data privacy advocacy | 9/9 | A positive attitude | Important and essential subject; Universal need for action |
| Informative | Promoting data privacy literacy | 2/9 | Informative education; Empowerment | Education on risks; Promoting online safety; Recognizing data's value in the digital economy |
| Value-based | Privacy as a fundamental right | 4/9 | Non-negotiable right | Privacy as a basic principle; Upholding individual privacy rights; Essential strong data privacy practices; Transparency; Trust |
| Pragmatic | Regulatory strategies and adaptation in digital disruption | 1/9 | Achieving balance | Creation for reasonable rules and prohibitions to manage the data collection |
| Forward-looking | Rapid technological evolution and emerging challenges | 1/9 | Future implications and yet unknown concerns | Rising data privacy issues; Potential copyright and identity theft |
| Slight skepticism | Cautious realism in data privacy advocacy | 2/9 | Ambivalent sentiments in rapid technological change | Losing the battle; Cynicism about the effectiveness |

Unanimous Support for Data Privacy Advocacy. All participants support the advocacy of data privacy.
This emphasizes the overall affirmative stance of the respondents towards the significance of advocating for data privacy despite the challenges posed by modern technology and data practices. Four participants described the need for advocacy as “important”, one as “essential”, another as a “basic principle”, and one noted that “there is a point” to it. Two participants expressed direct and definitive support by starting their responses with “yes”. Overall, these responses indicate that advocating for data privacy is perceived as a critical issue that needs attention. Labelling advocacy as “important” can also be seen as a need for action, implying that it is not just a theoretical concern, suggesting that this is an area where meaningful impact can be made. It might also reflect a sense of responsibility, suggesting an understanding of the broader implications of data privacy for individual rights and societal norms.

Promoting Data Privacy Literacy. Two participants emphasized the relevance of people having a clear understanding of information, data security, and privacy concerns in digital environments, and the importance of being informed about these topics. This suggests the rising significance of digital literacy. One participant expressed concern that people might not sufficiently understand these matters, highlighting the need for educating people about the extent of data collection, its potential uses and risks, and how to stay safe online. Another participant stressed the importance of recognizing data as a valuable asset, or “currency”, in the digital economy. This emphasis underlines the need for individuals to be aware of how their data is used and its significance, suggesting that it is worth protecting. Based on participants’ responses, advocacy for data privacy encompasses informative education, knowledge gathering, and even empowerment.

Privacy as a Fundamental Right. Four participants shared insights that intertwined the advocacy for data privacy with the belief of privacy as a fundamental right, reflecting a deep connection to values related to personal autonomy and control over one's information. These principles also touch on broader social values and are associated with ethical guidelines, social responsibility norms, cultural values, democratic principles, and human rights standards, for example, that are foundational to societal functioning and governance. One participant described data privacy as a “basic principle,” which implies that privacy should be an inherent and non-negotiable aspect of digital usage. Another participant emphasized the importance of upholding individual privacy rights in everyday online interactions, regardless of the digital context, suggesting an awareness of the privacy concerns in routine online activities. One participant argued that the necessity for data transparency and robust privacy practices, especially as digitalization advances, drew attention to the importance of advocating for data privacy.

Regulatory Strategies and Adaptation in Digital Disruption. One participant highlighted the rapid changes and evolution in the digital realm, emphasizing the need for regulatory strategies that are both adaptive and responsive. The participant pointed out the necessity of finding “reasonable rules and prohibitions for gathering and using sensitive information”, indicating the importance of balanced and effective regulation. Additionally, the participant's concern about the potential of “losing this battle” highlights the challenges in regulating a rapidly advancing digital world. This participant also stressed the importance of bridging the knowledge gap in this evolving landscape, suggesting ongoing efforts are essential for protecting privacy in the face of digital disruption.

Rapid Technological Evolution and Emerging Challenges. One participant expressed a direct link between advancements in technology and increased concerns for data privacy. As the participant noted, new technologies, such as AI, bring novel challenges to personal data security, making advocacy in data privacy a dynamic and continually evolving necessity. The participant highlighted specific issues raised by emerging technologies, like voice replication and identity theft through AI, emphasizing the need to keep pace with these transformative technologies. This might include updating laws and regulations to safeguard data privacy and ensuring forward-looking preparedness to address the evolving nature of technology and its implications for privacy.

Cautious Realism in Data Privacy Advocacy. Two participants expressed a certain degree of realism in advocating for data privacy, which may reflect the tone of the question “is there any point”. They acknowledged the rapid changes and potential challenges. One participant expressed a belief in losing the battle against the surveillance economy, yet maintained a strong hope for continued advocacy. Another participant conveyed a more skeptical view, expressing “cynicism” about the effectiveness of data protection measures, but still recognized the significance of data privacy efforts. Both responses reflected ambivalent sentiments, combining a mild acceptance of potential defeat with intrinsic optimism and engagement in advocacy for broader benefits.

3.3.3. Feelings of protection in relation to data privacy

Addressing the question, what do you feel we’re being protected from in relation to data privacy, participants shared a convergence of views, particularly highlighting concerns around cybercrime, hacking, identity theft and misuse of information. Seven participants either focused on both themes or focused on one, highlighting the significance of these interrelated perspectives.
The question also raised the question of personal boundaries and defense, emphasizing the need to shield from manipulation and unwanted influence. Furthermore, three participants specifically pointed out the vital role of organizational institutions in ensuring responsible data privacy protection and maintaining trust.

Table 4
Feelings of protection

| Approach | Perceived Protection | No. | Nature of Feeling Protected | Examples |
|---|---|---|---|---|
| Vigilant attitude | Defense against cybercrime and hacking | 5/9 | A heightened sense of awareness, a proactive stance | Cybercrime: hacking, data breaches, and digital extortion |
| Protective | Preventing identity theft and misuse of information | 5/9 | Desire for comprehensive personal protection | Personal security: shielded from the potential financial losses, personal violations, exploitation, etc.; Ensuring autonomy |
| Defensive | Shielding from manipulation and unwanted influence | 3/9 | Maintain intimacy, personal boundaries, and emotional security | Defense against manipulative marketing tactics, inundation of misleading content, commercial persuasion |
| Organizational trust | Academic and organizational trust | 3/9 | Institutional obligation to protect privacy, thereby enhancing trust | Organizations ensuring academic freedom and fairness, protecting against data misuse and preventing unauthorized access; compliance with laws |

Defense Against Cybercrime and Hacking. Participants commonly acknowledged the threat of cybercrime, emphasizing hacking, data breaches, and digital extortion. Four participants specifically focused on these aspects, highlighting the need to safeguard against cyberattacks.
This shared view highlights the consensus on the critical importance of securing personal data and preventing unauthorized intrusions, aligning with the broader perception of "being protected from." Additionally, one participant, while not specifically mentioning hacking or cybercrime, emphasized the overarching aim of data privacy protections in shielding individuals from a range of potential harms.

Preventing Identity Theft and Misuse of Information. A significant concern among participants was the prevention of "identity theft," a topic that five participants explicitly highlighted. This concern suggests a need for psychological safety and security in protecting oneself from a broad spectrum of potential harms. Responses also highlighted the risks associated with the misuse of personal information, identity falsifications, and improper use of personal data. Participants emphasized the critical role of privacy measures in providing control over personal information and managing one's digital presence, thereby helping to prevent potential misuse for activities like stalking. Additionally, one participant noted the wider scope of data privacy protections, including safeguarding individuals from financial loss and violations of personal autonomy.

Shielding from Manipulation and Unwanted Influence. Three participants highlighted the significance of regulatory measures, such as requiring consent for marketing, as crucial in empowering individuals to control the information they receive. This stance was viewed as a vital defense against manipulative marketing tactics and the inundation of misleading content. The participants' use of phrases like “try to have influence,” “we are being manipulated,” and “reducing unwanted messages” conveys concerns about external control, deceit, and frustration. These responses reflect not only a concern over the use of personal data but also an increasing awareness and discomfort regarding the exploitation of personal information to influence decisions.
Participants' responses suggest an aspiration to maintain intimacy, personal boundaries, and emotional security in the digital sphere.

Academic and Organizational Trust. Participants’ insights shed light on the pivotal role of academic and organizational institutions in protecting individuals from specific privacy-related threats. This corresponds with results obtained in a study by Rousi, Piispanen and Boutellier [5] that observed the willingness to trust publicly funded research institutions in the Nordic countries. One participant emphasized the significance of data privacy in academic settings, highlighting protection from potential repercussions in freely expressing opinions, thereby safeguarding academic freedom and fairness. Another participant emphasized the broader role of secure environments in organizations, indicating protection from the risks of personal data misuse, thereby enhancing trust and safety. A third participant noted comprehensive measures against cyberattacks and data breaches, illustrating how institutions play a crucial role in defending against unauthorized access and ensuring the security of personal information. This also encompasses the assumption of careful compliance with laws.

3.3.4. Personal conceptualizations of GDPR

In exploring the question what does the GDPR mean to you (e.g., as a student), participants shared insights reflecting a combination of autonomy and control, assurance, legal trustworthiness, and personal sentiment of safety. Overall, responses demonstrated a positive view of the GDPR, with participants appreciating their increased control over personal data and the effectiveness of GDPR rights. They expressed trust that the GDPR ensures privacy, thus aligning with their expectations for security in daily digital interactions. However, one participant also raised a more realistic view of the risks that come with the presence of digital data, along with a recognition of the limitations inherent in data privacy measures.
Table 5
Conceptualizations of GDPR

| Approach | Perspective on GDPR | No. | Nature of GDPR | Examples |
|---|---|---|---|---|
| Sense of agency | Autonomy and control in informed consent | 4/9 | Being informed of data use choices, self-governance and personal autonomy | Right to choose to agree or disagree of data use; Needed consent |
| Confidence | Guaranteed privacy and security | 4/9 | Comprehensive protection | Safeguarding personal information in health, education, and work; A tool for empowering privacy rights; Protecting against data breaches; Ensuring the confidentiality of opinions |
| Underlying optimism | Regulatory compliance and data responsibility | 4/9 | Acknowledgment of legal compliance, a sense of responsibility, and trustworthiness | Requirement to follow rules and regulations; Control and accountability |
| Emotional stability | Psychological safety assurance | 4/9 | Confidence in digital engagement | Safety and trust in the handling and protection of personal data; Information is not in wrong hands; Safety as a basic need (Maslow's hierarchy) |
| Realistic | Inevitability of digital footprints | 1/9 | Challenge in achieving complete data security; acceptance of risks with data presence | Limitations of data privacy measures |

Autonomy and Control in Informed Consent. Four participants clearly expressed a sense of agency. They indicated a strong recognition of their rights and an empowerment to actively make informed choices regarding the use and management of their personal data under GDPR. This demonstrates an understanding that individuals are not merely passive subjects of data practices, but active participants with the authority to make decisions about their personal information. The use of terms such as “right to choose to agree or disagree”, “control”, and “consent” highlights the participants’ focus on being well-informed about the data collected from them and possessing the autonomy to consent to or reject how their data is utilized. This highlights the importance of transparency in data handling.
Participants reflected that GDPR not only protects data but also provides individuals with psychological comfort about their personal information's safety. Knowing that their data is protected and their privacy is respected under GDPR may reduce, e.g., anxiety. For example, safety is one of the basic needs in Maslow’s hierarchy [21], which must be satisfied before an individual can focus on higher-level needs like belonging, esteem, and self-actualization, thus contributing to overall well-being and productivity, and in this case, learning.

Guaranteed Privacy and Security. Four participants clearly highlighted the perceived effectiveness of great GDPR handling in providing a comprehensive shield for individual privacy and security across various personal and professional realms. Their perspectives, while diverse, highlighted the role of GDPR as a defining boundary in data privacy and protection, including enhancing awareness of privacy rights and trust in the systems that manage personal data. One participant stressed the significance of GDPR in allowing anonymous expression of opinions, thus preventing personal views from unwanted public exposure. Another participant focused on the protection offered by GDPR against potential data breaches, highlighting the security aspects. Further, the recognition of GDPR's comprehensive role in protecting privacy in different life spheres, such as health, education, and work, was noted by another respondent. Additionally, one participant reflected on the increased awareness of individual data privacy rights fostered by GDPR. This suggests participants’ sense of confidence and trust in GDPR's ability to protect personal information.

Regulatory Compliance and Data Responsibility. Four participants mentioned the significance of GDPR as a framework for ensuring privacy and security.
Among these, two specifically mentioned “rules”, highlighting their view of GDPR’s systematic regulation as essential for compliance and safeguarding individual privacy rights. The participants' responses indicate an awareness of the need for ethical data handling, involving both individuals and institutions. This draws attention to transparency and accountability, particularly from academic and other formal institutions. Descriptions such as “regulations are to be followed”, “rules need to be taken care of carefully”, and “required to handle” suggest the participants’ trust in the democratic processes and privacy policies, even reflecting loyalty in privacy settings. These responses illustrate how GDPR reinforces personal autonomy in a surveillance economy. The focus on adhering to GDPR regulations and its role in promoting ethical data practices further demonstrates the participants' optimism about GDPR’s ability to create a secure and responsible digital environment.

Psychological Safety Assurance. Four participants’ responses illustrated the profound meaning of GDPR on individuals' psychological well-being, providing an assurance of safety and trust in the handling and protection of their personal data. Three participants used the word “safe”, which suggests a provision of mental and emotional security. Two participants expressed “feel safe” and another one mentioned that GDPR “creates trust that my information is safe and not in wrong hands”, indicating a sense of protection against potential digital threats, and presumably also a sense of relief. One participant also pointed out a sense of long-term security and protection against unforeseen data misuse.

Inevitability of Digital Footprints. While the prevailing attitudes towards GDPR among the participants were characterized by trust, one participant offered a more nuanced, realistic perspective. This participant recognized the inevitability of digital footprints and the inherent challenges in achieving complete data security.
This viewpoint aligns with findings from previous research [22], which underline that, despite GDPR protections, companies still manage to collect various types of user data. According to the study, this includes volunteered, observed, derived, and acquired data, as well as metadata. This last category, metadata, essentially represents ‘data about data’, detailing how the other types of data are processed and managed. The participant’s response indicates a level of acceptance of the risks associated with digital data presence, merged with an awareness of the limitations of data privacy measures, while choosing not to be overly anxious about it.

4. Discussion

Based on the diverse responses, it became evident that issues related to privacy in studies and student life within the university environment are omnipresent at multiple levels. These issues encompass both formal academic settings and informal aspects of student life, all of which intertwine in digital interactions. The varied responses likely reflected the respondents' initial thoughts when asked about the topic. However, all the themes that emerged were ones that affect every student in one way or another. Additionally, while not explicitly outlined in the responses, they hinted towards a grey area where personal devices (such as computers and smartphones) and university privacy policies might not consistently align. For instance, communication often takes place via personal messaging services operated by large international companies often based outside the European Union. The varied responses highlighted the most crucial aspect: the pervasive nature of privacy concerns in the university setting, influencing both academic studies and everyday student life, and the complex interplay between individual, institutional, and societal factors in shaping perceptions and concerns about privacy.
Concerns about data handling, for example, highlighted the socio-cultural dimensions of digital literacy and privacy awareness among students.

While the responses did not explicitly convey strong emotional or affective dimensions, they revealed some underlying sentiments and tones of concern. This was evident in the emphasis on the importance of privacy in research and surveys, the handling of academic records, and communication privacy. The mention of anonymous feedback indicated an expectation for a safe space for honest expression without repercussions, suggesting a cultural norm where open, critical feedback might be socially sensitive. Respondents appeared aware of and concerned about the potential risks and implications of privacy breaches. For some, particularly those discussing the use of digital platforms and uncertainty about data storage and usage, there seemed to be a sense of discomfort, inferred from their concerns about not knowing where data is stored, who has access to it, and its future uses.

In cases where respondents stressed the need for permissions in social media and the handling of academic records, there was an implicit trust that these measures would ensure privacy and security. However, this also suggested a reliance on external systems and policies to safeguard their personal information. Furthermore, in responses focusing on marketing studies, UX design, and university data collection, there was a critical awareness of how privacy issues can affect individuals. This awareness might be accompanied by a concern for ethical practices and the potential emotional impact of privacy breaches. Overall, the responses indicated students’ expectations that their privacy be protected in the study context and handled responsibly and confidentially.
This also assumed that the university and its administrators act responsibly to protect sensitive information, ensuring safeguards against unauthorized access or misuse.

The participants’ responses to the question of advocating for data privacy in the surveillance economy and machine learning era showcased a diverse yet primarily optimistic attitude. Despite mild skepticism from two respondents, the predominant sentiments included optimism, hope, and a strong motivation relevant to supporting data privacy advocacy. These views, while grounded in a realistic understanding of the challenges, also reflected a belief in the potential for positive change amidst rapid technological evolution. This mindset reflected a conscious motivation to improve data privacy protections, acknowledging the broader socio-cultural implications of this issue. Their ambition for robust data privacy practices and effective regulation signaled a desire for tangible improvements in data management and safeguarding. Their commitment to the principles of data privacy suggested a deep, personal engagement with the cause. This emotional stance highlighted the importance of advocating for and believing in the significance of data privacy. Furthermore, the concern about the average person's understanding of data privacy issues touched on the socio-cultural dimension of the digital divide, indicating the need for advocacy efforts that are inclusive and accessible to all. Collectively, the participants’ responses demonstrated a belief in the power of both individual and collective action in shaping the discourse on data privacy. They emphasized the importance of understanding and informed participation, positioning individuals as capable contributors to this critical conversation.
Notably, the varied perspectives on advocacy highlighted the multifaceted nature of data privacy in the digital era.

In response to the question about feelings of protection and expectations in the context of data privacy, participants revealed a shared understanding of the need for security against various threats, including cybercrime, hacking, identity theft, misuse of information, and manipulation. These indicate the intricate nature of data privacy concerns and the importance of implementing protective measures for psychological safety and personal autonomy. Participants anticipated proactive steps against these threats, signaling a demand for reliable data protection policies. They emphasized the overarching goal of shielding individuals from various potential harms, reflecting a proactive stance in protecting personal data and maintaining control over one's digital identity. The participants' views also demonstrated an increasing awareness and unease about the exploitation of personal information. Additionally, their responses revealed emotional dimensions across the themes, with underlying concerns ranging from fear and vulnerability (cybercrime, hacking), to frustration and discomfort (manipulation, unwanted influence). This suggests a desire for reassurance in the protection of personal autonomy and boundaries, reflecting the importance of sensitive personal information. Expectations extended to the societal role of organizational institutions in maintaining data privacy standards, highlighting how privacy is perceived and managed in broader societal contexts.

Many participants agreed that GDPR offers a significant degree of personal control over data, an essential aspect for students in managing their personal information. This highlights a keen awareness and appreciation for the rights and protections provided by GDPR, particularly in the context of informed consent and the management of personal data.
The sentiment underlying the participants’ views was predominantly one of satisfaction and confidence, albeit not overly emotional but rather pragmatic. This suggests a mature understanding of the implications of GDPR in their lives, viewing it as a tool that empowers them with agency and autonomy over their personal data. The emphasis was not just on the systems’ abilities to protect data but also on a broader trust in data governance and privacy policies. This trust includes faith in the commitment of organizational institutions upholding ethical practices and responsible data management.

Participants’ responses indicate that GDPR has had a positive impact on their public confidence. By being better informed and having control over their personal data, participants felt safer in their interactions within the academic sphere. This sense of safety is not just internal but also extends to their trust in governance systems and legislated laws. The discussions around GDPR highlighted a nuanced understanding among students of their digital rights and privacy. It revealed how GDPR has become intertwined with their daily lives, influencing their perception of personal data control, trust in institutions, and the relevance of privacy in their educational endeavors. The responses reflected a blend of satisfaction with the current state of affairs and a pragmatic approach towards data privacy, emphasizing the importance of personal agency, emotional well-being, and an increased awareness of digital privacy issues, and one participant even expressed a calm awareness of the inevitability of digital footprints.

The study had several limitations. Firstly, the small and relatively homogenous sample size prevents the authors from making any generalizations. Furthermore, more attention should have been given to the demographics of the participants including gender [23], as previous studies have shown that gender plays a role in the way people perceive and are concerned about privacy matters (see e.g., [24]).
This would be worthwhile testing, particularly in a large-scale quantitative survey. As several of the findings in this study are novel, i.e., concerning the issues of feedback, multi-device and platform utilization in communication and university learning tasks, and concern for the learning environments students are forced to interact with, the emergent categories should be tested for construct validity.

This work provides a platform for future studies specifically focusing on the interaction of personal experience, ethics and data privacy concerns in higher education settings. As AI becomes even more infiltrated in the learning environment, i.e., via digital humans (generative AI created human-like conversational agents), robotics and extended reality, the concerns posed now may transform into substantial problems in the future. The current study is one part of two larger projects investigating the personal embodied experience of privacy in diverse contexts of pervasive computing. The results presented here are being used as the basis of a framework that explains the complex interaction between policy, practices and personal experience of privacy, aimed to enhance the design of socio-technical systems from the perspectives of ethicality, fairness, and safety.

Acknowledgements

The authors of this paper would like to acknowledge the funders of the research, the Research Council of Finland for its support of the “Emotional Experience of Privacy and Ethics in Everyday Pervasive Systems (BUGGED)” (decision number 348391) and the “Multifaceted Ripple Effects and Limitations of AI in Work, Business and Society (SYNTHETICA)” (decision number 358714), as well as the European Union’s Horizon 2020 research and innovation programme, within the OpenInnoTrain project under the Marie Skłodowska-Curie (grant agreement no. 823971).

Declaration on Generative AI

The authors have not employed any generative AI tools.

References

[1] W. Holmes, I. Tuomi, State of the art and practice in AI in education, Europ. J. of Edu., 57.4 (2022): 542-570. doi: 10.1111/ejed.12533
[2] R. Luckin, W. Holmes, Intelligence unleashed: An argument for AI in education. Pearson Education, 2016.
[3] S.J.B. Shum, R. Luckin, Learning analytics and AI: Politics, pedagogy and practices, Brit. J. of Edu. Tech. 50 (2019). 6: 2785-2793. doi: 10.1111/bjet.12880
[4] E. Goldenthal, J., S.X. Liu, H. Mieczkowski, J.T. Hancock, Not all AI are equal: Exploring the accessibility of AI-mediated communication technology, Comput. in Hum. Behav. 125 (2021): 106975. doi: 10.1016/j.chb.2021.106975
[5] R. Rousi, J.-R. Piispanen, J. Boutellier, I trust you Dr. Researcher, but not the company that handles my data-trust in the data economy (2024), 57th Hawaii international conference on System Sciences, HICSS 2024, Hilton Hawaiian Village Waikiki Beach Resort, Hawaii, USA, January 3-6, 2024. ScholarSpace 2023, ISBN 978-0-9981331-7-1. URL: https://hdl.handle.net/10125/106941
[6] A. Curzon-Hobson, A pedagogy of trust in higher learning, Teach. in Higher Edu. 7. 3 (2002): 265-276. doi: 10.1080/13562510220144770
[7] Y. Tao, W. H. Wang, Fair privacy: how college students perceive fair privacy protection in online datasets, Information, Comm. & Soc. 26. 5 (2023): 974-989. doi: 10.1080/1369118X.2023.2166361
[8] M. Brown, C. Klein, Whose data? Which rights? Whose power? A policy discourse analysis of student privacy policy documents, The Journal of Higher Education 91. 7 (2020): 1149-1178. doi: 10.1080/00221546.2020.1770045
[9] A.J. Braunack-Mayer, J.M. Street, R. Tooher, X. Feng, K. Scharling-Gamba. Student and staff perspectives on the use of big data in the tertiary education sector: A scoping review and reflection on the ethical issues. Rev. of Edu. Res. 90. 6 (2020): 788-823. doi: 10.3102/0034654320960213
[10] M. Irfan, F. Aldulaylan, Y. Alqahtani, Ethics and privacy in Irish higher education: a comprehensive study of artificial intelligence (AI) tools implementation at University of Limerick, Glob. Soc. Sci. Rev., VIII (2023): 201-210. doi: 10.31703/gssr.2023(VIII-II).17
[11] L. Huang, Ethics of artificial intelligence in education: Student privacy and data protection. Science Insights Edu. Frontiers 16. 2 (2023): 2577-2587. doi: 10.15354/sief.23.re202
[12] Ministry of Science and Technology of China, Ethical rules for new-generation artificial intelligence (2021). URL: https://cset.georgetown.edu/publication/ethical-norms-for-new-generation-artificial-intelligence-released/
[13] UNESCO, Recommendation on the ethics of artificial intelligence (2021). URL: https://www.unesco.org/en/artificial-intelligence/recommendation-ethics
[14] L. Köbis, C. Mehner. Ethical questions raised by AI-supported mentoring in higher education. Frontiers in Artificial Intelligence 4 (2021): 624050. doi: 10.3389/frai-2021.624050
[15] ZX. Li, A. Dhruv, V. Jain, Ethical considerations in the use of AI for higher education: A comprehensive guide, in: Proceedings 2024 IEEE 18th international conference on Semantic Computing (ICSC), pp. 218-223. IEEE, 2024. doi: 10.1109/ICSC59802.2024.00041
[16] Z. Slimi, B. Villarejo Carballido, Navigating the ethical challenges of artificial intelligence in higher education: An analysis of seven global AI ethics policies, TEM J. 12. 2 (2023). doi: 10.18421/TEM122-02
[17] J. Polonetsky, O. Tene, The ethics of student privacy: Building trust for ed tech. International Rev. of Inform., Ethics 25 (2014). URL: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2628902
[18] V. Braun, V. Clarke, Thematic analysis. American Psychological Association, 2012.
[19] B. Adams, G. McKenzie, M. Gahegan, Frankenplace: interactive thematic mapping for ad hoc exploratory search, in: Proceedings of the 24th international conference on World Wide Web, pp. 12-22. ACM, 2015. doi: 10.1145/2736277.2741137
[20] L. Shi, Students as research participants or as learners?, J. of Acad. Ethics 4 (2006): 205-220. doi: 10.1007/s10805-006-9028-y
[21] A. Maslow, Motivation and Personality, second edition. Harper and Row, 1970. https://doi.org/10.1016/j.chb.2021.106975
[22] A. Bowyer, J. Holt, J. Go Jefferies, R. Wilson, D. Kirk, J.D. Smeddinck, Human-GDPR interaction: practical experiences of accessing personal data, in: Proceedings of the 2022 CHI conference on Human Factors in Computing Systems, pp. 1-19. ACM, 2022. doi: 10.1145/3491102.3501947
[23] M.G. Hoy, G. Milne, Gender differences in privacy-related measures for young adult Facebook users, J. of Interact. Advert. 10. 2 (2010): 28-45. doi: 10.1080/15252019.2010.10722168
[24] G. Bansal, M. Warkentin, Do you still trust? The role of age, gender, and privacy concern on trust after insider data breaches, ACM SIGMIS Database: the DATABASE for Advances in Information Systems 52. 4. pp. 9-44. ACM, 2021. doi: 10.1145/3508484.3508487