According to the statistics provided by the Office of the Communications Authority of the government of Hong Kong SAR, mobile subscriber penetration rate in Hong Kong is 286.6% (2021). This figure indicates that mobile devices have become ubiquitous as Hong Kong people are increasingly using them to surf the Internet. Although smartphones and tablets, the two most popular categories of mobile devices, provide prevailing features for users in this information age, they also become prevailing targets for collecting users’ personal data. As higher education institution (HEI) students are usually active users of mobile devices for surfing the Internet, visiting social networking platforms, using instant messaging applications (hereinafter ‘apps’) and making online purchases, this research, as an exploratory study, investigated their online privacy concerns.This study aims at providing background information and insight for educators to enhance existing privacy education and also for policymakers in developing privacy policy in tertiary level and thus elevate students’ concerns on protecting their online personal data privacy while using mobile devices.Communication privacy management theory developed by Petronio (2002, 2013) was employed in this study to design the teaching materials including teaching notes and student assignments. Design-based research (DBR) approach with convergent mixed method design was adopted in this study as the mixed methods approach is able to maximise the validity and increases the objectivity and reliability of the current research. In addition, most DBR literature agree that the mixed methods approach is proper for collecting and analysing data (Alghamdi & Li, 2013; Bell, 2004; Design-Based Research Collective, 2003; Wang & Hannafin, 2005). Therefore, in DBR methodology, qualitative and quantitative research methods were adopted to address the research questions (Bogdan & Biklen, 2006; Li & Chu, 2018; MacDonald, 2008). To collect quantitative