Last update 21 February 2006

IS staff and the provision for privacy and data protection

Prof. Simon Rogerson

Richard Howley

Originally published as ETHIcol in the IMIS Journal Volume 12 No 6 (December 2002)



Increasing attention is being given to the contribution that information systems (IS) staff can make to the implementation of the 1998 Data Protection Act and the 2001 Freedom of Information Act in the UK. A focus of this attention has been on the contributions that can be made in the systems design process and in the application of privacy enabling technologies (PETs).

Recent research by the Centre for Computing and Social Responsibility (CCSR) found considerable evidence that IS staff are promoted as key providers of privacy and data protection (PDP) both within organisations and within information systems areas. Literature from Europe, the USA and the UK highlights the importance of designing systems for PDP compliance, encouraging the application of PETs and relating data management strategies to the provision for PDP. Having witnessed the emergence of PDP legislation, CCSR wanted to know the extent to which this increasingly articulated responsibility was known about and accepted by IS staff in UK-based organisations. If IS staff are becoming increasingly responsible for PDP in organisations, the extent to which they are aware of their perceived contribution and the degree to which they support it will be critical to its realisation. The research addresses these issues by focusing on three key questions.

1. Are IS staff aware that the responsibility for PDP is increasingly being devolved to them and is it perceived by them as a legitimate extension to their role?

Ninety-five percent of respondents regard involvement in PDP as a legitimate activity for IS staff and 85% believe that it is an increasingly important part of their work. The acceptance of PDP as a legitimate part of their work is further evidenced by the nature of the involvement reported. Staff report considerable involvement in the area of PDP management and strategy. In more than 54% of organisations represented in the sample, IS staff were 'prominent in formulating and implementing PDP policies'. In 30% of organisations, IS staff are 'primarily responsible for PDP within [their] organisations'. This involvement evidences a considerable acceptance by IS professionals of their role in the provision for PDP. It also suggests that their involvement is much wider than that proposed in the literature.

2. Which IS roles do IS staff consider to have the greatest contribution to make to the provision for PDP?

Systems design and the application of PETs are widely reported in the literature as areas in which IS staff can contribute to PDP provision. The views of IS staff were sought with regard to which staff roles offer the greatest opportunity to contribute to the provision for PDP. The roles and the number of times they were identified are given in Table 1.

Table 1. IS roles in the provision for PDP

IS Role                   Number of respondents identifying role
IT/MIS/Systems Manager    23
Systems Analyst           15
Systems Developers        9
Database Administrator    9
Network Manager           6
Systems Administrators    6
Project Manager           7
Programmers               3
IT Security Personnel     5
Support and Training      2

The single most important finding was the extent to which staff identified the role of management as critical in the provision for PDP. Indeed, some respondents felt so strongly about this that they annotated their responses to add greater emphasis to their answers. The role of the systems analyst (including requirements analysis) is also prominent in the findings, and it is interesting to relate this to the prominence of 'systems design' as opposed to 'systems analysis' in the literature. We should not be seduced into thinking that we can 'design for compliance' if we are failing to manage the capture and realisation of requirements that are in themselves PDP compliant.

3. What stages in a systems development process do IS staff feel offer the greatest potential for embedding PDP compliance in information systems?

In the introduction it was reported that systems design and the application of PETs are frequently identified in the literature as key areas in which IS staff can contribute to PDP within organisations and their systems. The views of IS staff were sought with regard to the stages of the systems development process that they feel offer the greatest opportunities for PDP leverage. Table 2 presents the findings.

Table 2. Stages in the systems development lifecycle that offer opportunities for PDP enhancements

Stage                              Number of respondents identifying stage
Project Initiation and Planning    7
Feasibility Study                  3
Systems Analysis                   18
Systems Design                     23
Coding/Programming                 4
Testing                            8
Implementation                     6
Training users                     3
Embed in the whole process         11

The role of management, which was identified so frequently in response to the previous question, may support the further identification of 'project planning' and 'embed in the whole process' in the responses to this question. Systems (and/or requirements) analysis is prominent in these findings, offering further support for the roles identified earlier. This is interesting in that this is a stage that may be presumed to occur before design, even in 'rapid' and/or 'iterative' development environments, and as such the prominence of design in the compliance strategy may be inadequate without an equal emphasis on the analysis process. Whilst design is important, IS staff feel that systems/requirements analysis and project management are equally important, and they should not therefore be neglected by a focus on systems design in isolation from requirements analysis and overall project management.

Conclusion. There is considerable support by IS staff for their involvement in the provision for PDP. Indeed, they already occupy important strategic PDP positions in many organisations. IS staff are able to identify the stages in a systems development process which offer potential for PDP enhancements and the staff that have the greatest contribution to make. However, there is evidence that certain issues need to be addressed if we are to benefit fully from the contribution of IS staff. Levels of PDP awareness amongst IS staff are felt to be low; more than 50% of respondents felt that IS staff awareness of the 1998 Data Protection Act is not high. IS staff feel that the level of training in PDP issues offered by organisations is low; only 3% of respondents felt that organisations are providing suitable training in PDP issues for their employees. Regarding support offered by professional bodies, only 29% of respondents felt that they provide appropriate guidance for members. Could such bodies do more?

There is a management challenge that extends beyond the role of IS staff; management have a responsibility to create and maintain a PDP culture within organisations that positively impacts on all stages of IS development, the operation of information systems and all staff. IS staff alone cannot bring about PDP compliance through some form of technical wizardry, and nor can management. The provision for PDP in organisations and within information systems has to be the result of a holistic cultural and structural commitment to PDP that is brought about and maintained by senior management within organisations. No one group of staff can affect PDP alone - it has to be an organisation-wide commitment and be embodied in the very core of the organisation; this is the management challenge that must be addressed.

Please send your views on ethical and social responsibility issues and cases of ethical dilemmas to:


Professor Simon Rogerson
Director
Centre for Computing and Social Responsibility
Faculty of Computing Sciences and Engineering
De Montfort University
The Gateway
Leicester
LE1 9BH
Tel: (+44) 116 257 7475
Fax: (+44) 116 207 8159
Email: <srog@dmu.ac.uk>
Home Page: http://www.ccsr.cse.dmu.ac.uk