The role of information systems staff in the provision for data protection and privacy. A subjective approach.


Richard Howley, Simon Rogerson, N Ben Fairweather and Lawrence Pratchett



The importance of privacy and data protection (PDP) is now well established as a right for European citizens. This presents significant challenges to data controllers and information systems professionals. The role of information systems (IS) staff has emerged as critical in meeting these challenges. Previous research has shown that IS staff are actively involved in the provision of PDP and that they are supportive of this involvement. The same research identified ‘low levels of awareness’ with regard to PDP that may limit the contribution that IS staff can actually make in the provision for PDP. This research seeks to build on earlier quantitative research findings by examining the subjective perceptions that IS staff have with regard to the contribution they can and do make to the provision of PDP.

The study and methodology

Many researchers and commentators have identified the important contribution to PDP that IS staff can make in the design and development of IS. These contributions are normally expressed in an abstract and top-down manner, primarily concerned with statements of principle rather than as guides to professional practice. Elizabeth France in her role as the UK Information Commissioner was frequently quoted as promoting the concept of the ‘ethical engineer’, designing PDP into systems. France goes on to add that IS staff need to be ‘part of the solution rather than part of the problem’. Anton and Earp promote the role of PDP in ecommerce applications and acknowledge that PDP is often an afterthought rather than a fundamental design principle. A major step forward in understanding how IS staff can better support the development of PDP sensitive systems was provided in the work of Macaulay and Watts. They undertook an investigation into the way in which IS staff can actually embed PDP into IS. Their ‘Best Practice in SD’ study presents a set of principles and activities that if followed and applied may lead to more privacy sensitive systems being developed. The research reported on in this paper builds on, yet is different from, the work of Macaulay and Watts. Their work focuses on Systems Design and was undertaken by means of a telephone survey. This research takes a broader view of IS staff roles and seeks to explore the opportunities within all lifecycle activities and roles. Another fundamental difference is that this research seeks subjective insights from all levels of IS staff rather than relying on telephone respondents. Given this, the data this research is based on may be regarded as qualitatively richer than previous studies. The qualitative nature of the research provides insights that were not identified in previous research in this field.

In seeking insights into the subjective perceptions of IS staff with regard to their role in providing PDP the research was conducted in organisations from different industry sectors. The main research approaches used were case studies, focus group exercises and interviews. The study will build upon earlier survey results into levels of awareness and activities within which IS staff can contribute to the provision of PDP.


Findings and analysis are presented under the following headings:

  • Levels of awareness: Implications and strategies.
  • Who does PDP, how and when?
  • Who can do PDP, how and when?
  • PDP: The IS professional challenge.
  • PDP: The organisational challenge.
  • PDP: A strategy for action.


The research reported on in this paper builds on earlier research reported to ETHICOMP 2002 and as such it represents a ‘next stage’ in understanding the role of IS staff in providing PDP for European citizens. The complexity and importance of PDP for all citizens is increasing at an unprecedented rate and as a consequence, understanding the developing role of IS staff is critical in supporting citizens in the information society.