The role of information systems personnel in the provision for privacy


Richard Howley, Simon Rogerson, N. B. Fairweather and Lawrence Pratchett (UK)


Many societies throughout the world are currently designing or implementing national schemes for privacy and data protection (PDP). The European provision for PDP is seen by many as a model to follow and or emulate. It is argued here that in order to provide for effective PDP, organisations will need to transform the way they analyse data requirements and design systems. Fundamental to this process is the role of the information systems (IS) professional. This paper reports the findings of a research study into the relationship between IS staff and the provision for PDP within both organisations and information systems.

The study was designed to explore the precise relationship between IS staff roles and the provision for PDP. In order to facilitate this, a research instrument was designed, piloted and applied to distinct groups of IS personnel. In order to define and measure the relationship between IS roles and PDP, the study required respondents to define what roles IS staff perform and to map these roles to particular contributions they can make in supporting the data protection principles found in the United Kingdom 1998 Data Protection Act.

The research instrument was designed for use in focus group sessions and was piloted before being used with respondent groups. In order to seek a broad understanding with regard to IS roles and the relationship between particular staff and particular data protection principles different respondent groups were involved in the study. This provided insight into distinct views of what IS staff actually do and what their relationship is with regard to the data protection principles. As well as seeking input from different staff groups the study also used different techniques for data gathering and analysis. The main research method was to apply the research instrument within focus groups, this was supported by semi-structured interviews with particular staff to gain detailed and or specialist insights. Data analysis was undertaken using content analysis.

Findings are presented from groups and compared, with suggested explanations for differences noted. The main findings presented include:

  1. That all eight data protection principles are supported by IS staff.
  2. Some principles are reported as being marginal to the IS role whilst others are seen as fundamental responsibilities of the IS profession. Evidence is presented to inform and explore this finding.
  3. Some IS staff have a strong relationship to a highly specific, and sometimes small, sub-set of the principles whilst the relationship of other staff is more generic in nature and applied to a wider range of principles. These variations are reported in the paper and the implications at an organisational level considered.
  4. Both organisational and technical aspects of PDP provision must be considered and aspects of each are identified and considered.

The increasing pressure on organisations to provide for PDP has led to the identification of IS staff as key contributors. It is suggested in this paper that whilst it is accepted that the IS profession has a contribution to make; the precise nature of that contribution has yet to be articulated. This paper provides a starting point in that process and identifies future research areas and themes in this important field. A precise mapping between IS staff and the particular data protection principles they have a responsibility to support emerges out of the research. IS staff and the systems they produce are increasingly seen as key organisational providers of PDP; this study identifies strategies that can be employed to support both IS staff and organisations meet their PDP obligations and in doing so it highlights significant implications for the transformation of the organisations in the information age.