Approach to Develop and Evaluate a Storytelling Game on Personal Data Protection Rights and Privacy Risks

. This paper describes the participatory approach chosen to develop and evaluate a new serious game called Cyber Chronix developed in the format of a digital comic strip with storytelling branches. The aim of the story entitled “Finding Data” is to raise awareness about the privacy risks and the data protection rights in the new European Union (EU) General Data Protection Regulation (GDPR), whilst delivering a pleasant and enjoyable experience. In the evaluation phase, students acted as assessors with the assignment of looking at the key factors contributing to engage in reading, to enhance curiosity and to raise awareness of EU GDPR concepts. Here we report on how students perceived the diﬀerent dimensions of the story and how the game can help to disseminate knowledge of EU GDPR rights and raise awareness of privacy risks.


Introduction
Storytelling [1] is a winning formula for engagement [2] as narrative can help human beings in making sense of the world around them. Everyone has listened to fairy tales told either by grandparents or parents and, if we simply look back to history, we immediately realise the impact that stories have had on shaping our lives. We initiated this development from the assumption that learning through serious games provides situated learning and has educational values that are based on intrinsic motivation [3] and learning concepts advocated by constructivist psycho-cognitive theories [4]. Storytelling is the approach that we chose to design a new game, Cyber Chronix ( Fig. 1), created to raise awareness on privacy risks and data protection rights stated in the new EU General Data Protection Regulation (GDPR) [5]. Its main goal being to empower data subjects, namely citizens, to better control their personal data and to mitigate privacy risks. Reading and understanding a regulation is not an easy task, especially at a young age. To ensure the success of the EU GDPR, it is important that citizens are aware of their data protection rights and understand how to exercise them to control their data and mitigate privacy and security risks. In Cyber Chronix, players are taken to a futuristic planet several light years from Earth. The player's aim is to help the main character to make it to a party, while he encounters several data protection-related obstacles along the way. As the player progresses through the game, she/he has to make choices that will affect the storyline and eventual outcome. Several storylines are possible depending on the branches that the player's choice has developed. The game is also designed to introduce young people to EU GDPR concepts with an informal educational approach. Concepts such as the "Right to be forgotten", "Personal Data Breach", "Data Portability", can be unusual terms for those new to this language. In Cyber Chronix, some of these terms are firstly introduced in an informal way during the dialogues and interactions among characters. Additionally, quiz questions called XRay add gaming elements and appear unexpectedly (Fig. 2) to challenge the player during the game session. Moreover, a dedicated educational part called XRay+ (Fig. 3) is always available for the player who wishes to know more. Behind the choice of the XRay term, there is the idea that Cyber Chronix XRay can provide a "picture of knowledge" as it happens with the medical x-ray imaging.

Theoretical Framework
Cyber Chronix edutainment contributes to the debate on how digital technology can support the enhancement of digital competences among youngsters. Cyber Chronix was conceived under a theoretical framework that takes grounds on digital competences framework (DigComp) [6][7][8], storytelling [1] and notions of  engagement in reading [2] with the aim to get concepts treated in the EU GDPR through to youngsters. The EU GDPR [5] from 25th May 2018 has replaced current data protection laws in the European Union. The EU General Data Protection Regulation is an essential step to strengthen citizens' fundamental rights for the protection and management of data in the digital age. To give some examples, individuals have significantly strengthened rights to obtain details about how their data is processed by an organisation or business (Right of Access); to obtain their data from an organisation and to have that data transmitted to another organisation (Right of Data Portability); to have incorrect or incomplete data corrected (Rights to Rectification); to obtain by the data controller report of any breaches of personal data (Personal Data Breach) to the National Data Protection Authority. Digital competences are fundamental to boost effective privacy safeguards strategies that also rely on the skills and attitudes of the people concerned. As defined in the EC Recommendation on Key Competences the notion of competence involves the confident and critical use of Information and Communication Technology (ICT) (i.e. the knowledge, skills and attitudes) for employment, learning, self-development and participation in society. In this work we refer to the Digital Competence framework (DigComp) [6][7][8] (Table 1) and more specifically, we focused on area one (1) "Information and data literacy", area two (2) "Communication and collaboration", with particular emphasis on the digital identity and reputation management, and area four (4) "Safety" for the protection of devices, content, personal data and privacy in digital environments. It is important to note that data literacy, including the understanding, articulation and usage of personal data have been included in the DigComp framework (Area 1-DigComp 2.0).

Cyber Chronix Development
Cyber Chronix development is the result of a process that can be summarized in the following steps: (1) Idea and proposal; (2) First dialogue writing; (3) Storyboard development; (4) Images and Sound creation; (5) Educational content creation and validation; (6) Assessment by users; (7) Feedback gathering and reflection; (8) Adjustment and re-testing; (9) First publication: 1. In the preliminary phase, the research team agreed on the project concept and main ideas. The theoretical framework was defined and the branching storytelling game format was chosen. The story tale was developed from scratch using basic tools such as Power Point and Word. Story scenes with branches and dialogues are now available in Dutch, English, French, Italian, Greek, Portuguese, Romanian and Spanish, and they are the result of the imagination of the authors and consultants helping with the development. 2. Text and dialogues were first tested internally among researchers.
3. This first test led us to develop a storyboard. 4. In this phase, in addition to the text, illustrations were added to the serious game (Figs. 1, 2 and 3). At first, the main character Iggy was designed. The development of other characters (Fig. 4) was carefully thought so that they could support the narrative understanding and recall familiar real roles for the reader (e.g. sister, policeman, hacker, famous singer, events organiser, friends). Sounds were chosen to give to the branching game a "light" suspense and some hypnotic atmosphere, avoiding either a too intense or noisy effect. The aim of this is to accompany the game in the reading and at the same time to distinguish musically different characters' personalities and game situations. 5. The educational section was developed with experts in privacy and data protection matters and digital education guided by the DigComp Area 1, 2 and 4 ( Table 1). The game presents 10 questions with a situation, conceived to recreate a possible real case, where a citizen could imagine and use critical thinking to exercise rights, control data and mitigate risks. In addition, there are dedicated sheets for each presented concept for in-depth information. 6. Cyber Chronix assessment was carried out with a participatory research approach with young citizens. More details are described under section "Result and discussion". 7. Feedback and suggestions were considered and analysed. 8. A new version of the tool was developed taking into consideration the results of the feedback and suggestions. 9. Cyber Chronix was published on 25th May 2018, the day on which the EU GDPR became applicable in all EU Member States. Cyber Chronix can be a versatile tool both for individual use and also to create an informal educational session within a community. An example is the live competition which was organised by JRC researchers to celebrate the EU GDPR day on 25th May 2018. On this occasion, ten Italian schools represented by the so-called "quartets" formed by a girl, a boy, a teacher and a parent attending the event, where the winner's team finished the challenge of recognising and describing the 10 EU GDPR concepts within the game. Such methodology can help to fill in generational gaps towards digital technology use and enhance discussion among actors (children and adults) on subjects related to the themes treated within the game (privacy, personal data protection, online safety, fair communication, etc.) [9][10][11].

Assessment and Analysis
Our game was tested following a participatory approach in two phases. First, we ran a pilot evaluation, involving 22 students (n = 22), aged 19 years, in their first year of ICT and Law studies at the Catholic University of Piacenza, Italy. Indeed, the students, while being at the end tail of our age range (12 to 19 years old), already had some background knowledge and understanding of the GDPR document, which was essential to provide us with their comments on how the various elements of the story contributed to the comprehension of concepts treated in the educational XRay and XRay+ sheets, to the quality of the reading and finally to the gamification experience [12]. The results of this first pilot evaluation were promising. Generated comments were taken into account and lead us to review the game and propose a second wave of testing (n = 39) with students aged 12 to 15 in schools of Friuli Venezia Giulia Region (Italy) in the frame of the Memorandum of Understanding signed with the Joint Research Centre. To gather and analyse data from the items and related dimensions listed in Table 2, we referred to the work developed by Rubegni and Landoni [2] concerning the evaluation of engagement in reading (narrative presence, continuous desire to read and/or explore new branches, etc.) and previously presented by Zagalo et al. [1]. Finally, the understanding of the concepts presented in questions 8 to 17 were evaluated against the DigComp framework (Table 1). While the first questionnaire was administered to a small sample of 22 students, as described above. The results of this first evaluation were the following, described following the structure of Table 2. Most of the sample considered the introduction as original and interesting, meaningful and clear (item 1). The Narrative was understood very positively by the sample (item 2) as was the Emotional Engagement (item 3). The Characters were considered in a positive way by almost the totality of the sample (item 4); Context with visual and descriptive elements were clear for the majority of the sample (item 5-6); Comprehension and narrative also received positive comments (item 7). The educational part presents a mixed evaluation (item 8-17). Students remembered the concepts presented, however some concept explanations remained not completely clear (i.e. Biometric data, Data Protection Authority). Overall, the evaluations remained positive. Nevertheless, as a general comment it was suggested we try a younger age target. These comments led us to reflect on the importance of different game elements and to propose a new assessment with a different age group. In this second wave of assessment, the beta-version of the game was tested with two different schools, we administered a questionnaire to children aged between 12-15. We present here the results of the second assessment considering that multiple answer solution to questions was chosen. From the first assessment, it appeared that an introduction was needed to better explain to end-users several game elements. Namely context, branching-game mechanism, characters, key-educational tools as XRay and XRay + (Plus) with prizes. Most of the students considered the introduction (item 1) as clear, meaningful, original and interesting.
Results show that more than two-thirds of students understood the proposed theme (item 2). From the theoretical point of view, this question would elicit information about Narrative Presence and the sense of realism children will get when reading. Emotional engagement received positive comments (item 3) (Fig. 5). According to our assessors, characters (item 4) were well developed and described and maintained their own identity throughout the story. Context-Environment (item 5) was also appreciated by the majority of the students. Visual and descriptive details in the text were considered important links to the treated theme. Story elements (i.e. main characters, antagonist, helper, etc.) (item 6) were recognised as partially present and interrelated. The narrative style and comprehension (item 7) was satisfying. Most of the concepts presented (items 8 to 17) were recognized and more than the half were considered as new learning with clear explanations. The evaluation was grounded within the DigComp theoretical framework (Table 1).

Results and Discussion
Developing a product that could satisfy both enjoyment and educational needs is a challenging task and the EU GDPR jargon added a layer of complexity to the entire process. We overcame this difficulty thanks to the participatory approach and the close collaboration between researchers and experts on Privacy, Data Protection and Digital Education. This allowed for the "translation" difficult concepts into more understandable terms, whilst maintaining the essence of the legal aims. While there are several online and offline guides to better understand the EU GDPR, we aimed at delivering a tool, for a participatory, jargon-free, informal, co-constructive and meaningful learning model. As anticipated, informal educational sessions were arranged and others are foreseen. Future works with broader samples and in countries other than Italy would be beneficial to better understand the validity of the tool at cross-national level. An added value would be a comparative analysis on the different artefacts proposed, namely digital (App and Web versions) and paper-based one. Future planning envisages the development of new tales under a more economic and sustainable format. From our previous work with the Happy Onlife [13] toolkit, it emerged that the versatility of the toolkit in its paper and digital versions is an added value to the learning and citizen engagement process. To meet paper-oriented gamer's needs, a comic strip version is under development. Cyber Chronix digital game is now available in Dutch, English, French, Italian, Greek, Portuguese, Romanian and Spanish. In collaboration with stakeholders, we are planning new informal educational sessions with the tool as it would be beneficial to re-test it with a broader sample to investigate cross-national findings.