IEEE Access (Jan 2022)
Organisational Privacy Culture and Climate: A Scoping Review
Abstract
New regulations worldwide are increasingly pressing organisations to review how they collect and process personal data to ensure the protection of individual privacy rights. This organisational transformation involves implementing several privacy practices (e.g., privacy policies, governance frameworks, and privacy-by-design methods) across multiple departments. The literature points to a strong influence of the organisations’ culture and climate in implementing such privacy practices, depending on how leaders and employees perceive and address privacy concerns. However, this new hybrid topic, referred to as Organisational Privacy Culture and Climate (OPCC), remains poorly demarcated and weakly defined. In this paper, we report a Scoping Review (ScR) on the topic of OPCC to systematically identify and map studies, contributing a synthesis of the existing work and distinguishing core and adjacent publications, research gaps, and pathways of future research. This ScR includes 36 studies categorised according to their demographics, research types, contribution types, research designs, proposed definitions, and conceptualisations. Also, 18 studies categorised as primary research were critically appraised, assessing the studies’ methodological quality and credibility of the evidence. Although published research has significantly advanced the topic of OPCC, more research is still needed. Our findings show that the topic is still in its embryonic stage. The theory behind OPCC has not yet been fully articulated, even though some definitions have been independently proposed. Only one measuring instrument for privacy culture was identified, but it needs to be further developed in terms of identifying and analysing its factors, and evaluating its validity and reliability. Future research initiatives in OPCC will require interdisciplinary research efforts and close cooperation with industry to further propose and rigorously evaluate instruments. Only then would OPCC be considered an evidence-based research topic that can be reliably used to evaluate, measure, and embed privacy in organisations.
Keywords