Human-Centric Elicitation of Context-Oriented Personal Data Categories: An Exploratory Study in An Educational Institution

Abstract

Complying with data protection regulation is often considered a tedious task as they are generalized regulations that are applicable across domains. They guide acceptable behavior, rather than defining rules that impose specific conditions for a particular domain. Domain-specific context-oriented data categories that are to be protected in the domain of implementation need to be discovered for implementing data protection. We propose a human-centric approach to elicit such data categories causing privacy concerns to stakeholders in an educational institution. We conducted a study to understand the privacy concerns of the stakeholders related to different data categories to be protected. Using a combination of surveys and indepth interviews of the different stakeholders, we were able to gain insights into the privacy and data protection requirements that need to be incorporated into the associated information system design.