Exploring mental models of the right to informational self-determination of office workers in Germany

Proceedings on Privacy Enhancing Technologies; 2021 (3):5–27

Jan Tolsdorf*, Florian Dehling, Delphine Reinhardt, and Luigi Lo Iacono

Abstract: Applied privacy research has so far focused mainly on consumer relations in private life. Privacy in the context of employment relationships is less well studied, although it is subject to the same legal privacy framework in Europe. The European General Data Protection Regulation (GDPR) has strengthened employees’ right to privacy by obliging employers to provide transparency and intervention mechanisms. For such mechanisms to be effective, employees must have a sound understanding of their functions and value. We explored possible boundaries by conducting a semi-structured interview study with 27 office workers in Germany and elicited mental models of the right to informational self-determination, which is the European proxy for the right to privacy. We provide insights into (1) perceptions of different categories of data, (2) familiarity with the legal framework regarding expectations for privacy controls, and (3) awareness of data processing, data flow, safeguards, and threat models. We found that the legal terms often used in privacy policies to describe categories of data are misleading. We further identified three groups of mental models that differ in their privacy control requirements and willingness to accept restrictions on their privacy rights. We also found ignorance about actual data flow, processing, and safeguard implementation. Participants’ mindsets were shaped by their faith in organizational and technical measures to protect privacy. Employers and developers may benefit from our contributions by understanding the types of privacy controls desired by office workers and the challenges to be considered when conceptualizing and designing usable privacy protections in the workplace.

Keywords: informational self-determination, privacy at work, mental models, usable privacy controls

DOI 10.2478/popets-2021-0035

Received 2020-11-30; revised 2021-03-15; accepted 2021-03-16.

*Corresponding Author: Jan Tolsdorf: Bonn-Rhein-Sieg University of Applied Sciences, E-mail: jan.tolsdorf@h-brs.de
Florian Dehling: Bonn-Rhein-Sieg University of Applied Sciences, E-mail: florian.dehling@h-brs.de
Delphine Reinhardt: University of Göttingen, E-mail: reinhardt@cs.uni-goettingen.de
Luigi Lo Iacono: Bonn-Rhein-Sieg University of Applied Sciences, E-mail: luigi.lo_iacono@h-brs.de

1 Introduction

During regular employment, employees disclose large amounts of personal data, much of which is known to be sensitive [39, 56]. The digitization of work processes results in the omnipresence of information systems and extends the disclosure and processing of personal data. The increasing vulnerability to privacy violations poses a challenge to the preservation and protection of the fundamental right to privacy [10, 30, 55]. In contrast to the definition of privacy as the right to freedom from intrusion, as used in the U.S. [30], privacy in Germany is tantamount to the right to informational self-determination. It guarantees individuals transparency and personal control over the collection, use, and disclosure of personal data in all aspects of life. With the GDPR coming into force in 2018, the foundations of informational self-determination were incorporated into the national legislation of all member states of the European Union (EU). The difference in power between data processors (e.g. employers) and data subjects (e.g. employees) is balanced by making both jointly responsible for privacy protection. Employers have several obligations, including: making transparent which personal data are processed and for what purposes; providing information on risks and rights in a way that is comprehensible to employees; providing intervention options; ensuring that these rights are respected and can be exercised through the implementation of adequate organizational and technical measures; and weighing up their interests against employee privacy and protection needs. For their part, employees are expected to exercise their rights.

We argue that the current situation poses a dilemma: Privacy controls, which employers have to provide and guarantee but which are to be used by employees, can only protect privacy to the extent that employees’ perceptions of their rights and obligations are sufficient. From Human Computer Interaction (HCI) research, it is well known that one’s internal perceptions (i.e. mental models) of a system (i.e. informational self-determination) considerably influence behavior. If employees have false or significantly limited perceptions, simply providing privacy controls would reduce the principles of the GDPR to absurdity [24]. To shed light on this matter, we explored the boundaries of the perceptions of informational self-determination by conducting a mental model study with 27 office workers in Germany. The key insights are:

(1) We found that the terminology rooted in legislation that is used in privacy statements and tools to define different categories of data is ambiguous, and perceptions diverge among individuals. However, the understanding may be aligned by making the attributes “relation to a person”, “sensitivity”, “access”, and “relation to work” explicit.

(2) We found high demands for control over the dissemination and use of data. We identified three groups with different views regarding the level of ex-ante and ex-post privacy control. The groups also differed in their desire for control over (1) the disclosure of data, or (2) the flow of data, or (3) unrestricted control. Only the third group recognized transparency as a key element for privacy. Yet, informational self-determination is seen as a burden in the face of current control options.

(3) We found low awareness about the entities involved in data processing, whether data existed, how data are transferred, where data are stored, and how data are protected. Nevertheless, we found confidence in organizational and technical measures to protect privacy, but also a tendency to over- or underestimate the level of protection. Ignorance is compensated for by high levels of trust in electronic data processing and in the conduct of employers. Also, hackers and internal attackers are believed to pose a great threat to privacy.

We consider our results a valuable contribution to the privacy debate by extending existing U.S.-biased views with insights from the most dominant privacy framework in Europe. By exposing misconceptions and limitations in employees’ mental models, we provide insight into which privacy controls employees desire.

The rest of this paper is structured as follows: first, we present our research foundations, followed by related work on privacy and on mental models of privacy at work. We then provide details on our procedure and methods for designing and conducting our study, along with details on the analysis and limitations. We then present the results of our study for each topic. We finally summarize our findings and give an outlook to future work.

2 Research foundations

Our contributions are guided by the overall research question “what are the mental models of the right to informational self-determination from office workers in Germany?”. We focused on three key research topics:

(T1) Perceptions of categories of data: The right to informational self-determination stipulates different rules for the processing of different categories of data. Legal texts use different terms both to refer to such categories and to express rules for processing. In practice, office workers are often confronted with legal terms when interacting with data protection guidelines or software. However, the terms are used inconsistently and are attributed with different meanings in different contexts. For example, privacy policies use terms interchangeably or add non-privacy related terms. Software also often uses the same terms to describe access rights without considering the exact legal meaning. Based on a review of the GDPR, the Federal Data Protection Act, and expert group discussions (cf. Sec. 4), we describe below the most common (legal) terms in Germany:

Data (ger.: Daten)
Unspecific in the context of privacy legislation but often used in practice to refer to various categories of data.

Information (ger.: Informationen)
Like “data”, often used synonymously.

Personally Identifiable Information (PII) (ger.: Personenbezogene Daten)
Official legal term in German legislation that refers to “any information relating to an identified or identifiable natural person” (Art. 4 GDPR). It is widely used in privacy statements to inform about rights and processing activities. Examples: all data with personal reference incl. name, nationality, IP address, personnel number.

Individual-Related Information (IRI) (ger.: Personenbeziehbare Daten)
A subcategory of PII solely referring to data with indirect personal reference but from which an individual can be identified. Today, referred to as PII in practice. Examples: IP address, personnel number.

Private data (ger.: Private Daten)
If employees are allowed to use work tools (e.g. IT devices) for private purposes, the law forbids employers from accessing data marked as private by employees. In practice, the term is also inconsistently used in privacy statements and privacy settings of software to refer to data or access rules. Examples: private files, private emails.
Personal data (ger.: Persönliche Daten)
Unlike in English, the literal translation of “personal data” into German means data with a strong “personal” reference and distinguishing characteristic of an individual (cf. GDPR). Personal data in the legal sense is referred to in German as PII. In practice, the term is inconsistently used in privacy statements and privacy settings of software to refer to data or access restrictions. Examples: personal preferences, interests, behavior.

To date, it is unknown how office workers perceive these terms and the implied legal meanings. Since legislation obliges employers to “provide any information [..] in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Art. 12, GDPR), identifying potential misconceptions is of high practical relevance. We provide first insights by examining office workers’ perceptions and familiarity with these terms.

(T2) Concepts of informational self-determination: The employment context grants extensive information rights to employees, but only limited self-determination. Data processing is permitted without employees’ formal consent if the processing is either indispensable, or permitted by national laws or collective agreements. Compliance with legal obligations can be audited by employee representatives. Also, organizations that exceed a certain size or for which the processing of personal data constitutes a core activity must designate a Data Protection Officer (DPO), who verifies the lawfulness of processing operations. Employees may also turn to DPOs in case of privacy violations or questions. We reveal office workers’ perceptions of the current organizational and legal frameworks, as well as their requirements for transparency and intervention, which they derive from their right to privacy at work.

(T3) Awareness of personal data processing: Past studies revealed that people have a poor understanding of the data flow and infrastructure of systems they use every day [27, 29]. However, adequate awareness is vital in drawing accurate conclusions regarding security and privacy. Law even mandates that people “should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights” (Recital 39, GDPR). Employees are known to expect their personal data to be protected [15]. It remains unknown, however, what employees believe with respect to which precise safeguards are implemented and which threat models exist. We therefore investigated office workers’ perceptions of (a) data storage and data flow as well as (b) safeguards and threat models.

3 Related work

We discuss related work with a focus on information privacy in the employment context and the use of mental models for privacy research. Given the contextual dependency of privacy, we focus on work related to the employment relationship.

3.1 Information privacy at work

Privacy is a multidimensional concept that is highly contextual, with little agreement in the literature regarding its definition. For the purpose of our research, we focus on information privacy [60], of which the vital elements are (1) the control over giving access to information [6, 68], (2) the appropriate flow of information [46], and (3) the uniqueness of privacy perceptions and demands in different contexts [45, 62]. Privacy at work is thus (at least) a tripartite concept comprising control over (1) the gathering of personal information (e.g. collection), (2) the handling of personal information (e.g. processing), as well as (3) the perceived legitimacy of the employer to process data (e.g. expected usage) [3, 16].

Concerning control and the handling of data, people willingly disclose personal information in an employment context, and do so in awareness of possible privacy invasions [9]. The factual knowledge of the data kept by employers is limited [69]. However, employees have been shown to express satisfaction with the granting of indirect consent by providing or withholding requested data on the basis of a “relevancy” criterion for determining their suitability [65, 69]. Data may be deliberately withheld when employees anticipate benefits or fear adverse consequences [9, 61]. To date, the influence of technology-supported control mechanisms has only been considered in connection with the protection of customer data [21].

Concerning the perceived legitimacy of data processing, employees deduce implicit privacy policies from legal regulations and develop certain data handling expectations for different data [61]. Employees may perceive an invasion of their privacy if employers’ actual data processing does not meet their expectations. Whether or not the release of personal data by employers to others without the consent of employees constitutes an invasion of privacy remains a topic of academic debate [64, 65, 69].

Previous research has focused on employee monitoring and workplace surveillance [8] as well as acceptance and impact of technology [10]. Studies have been largely based on quantitative methods using causal modeling [36]. In comparison, fewer qualitative studies have been conducted to explore privacy at work. Those studies that do exist are mainly rooted in academic frameworks of privacy, including Communication Privacy Management (CPM) theory [50] and privacy as contextual integrity [45]. CPM theory describes the tension between the desire to reveal and the desire to withhold information based on ownership, control, and turbulence. Ownership refers to the belief that one owns information, the disclosure of which would make one vulnerable. If information is disclosed, other entities become co-owners. Control refers to managing access to information. Access rules must be negotiated for co-owned information and are based upon boundary spheres. Privacy turbulence occurs when such rules are violated. Contextual integrity emphasizes the appropriate flow of information. Different transmission principles apply to information, taking into account social norms for a particular context. Previous studies have made use of open-ended online surveys [61], semi-structured interviews [5] or mixed methods approaches based on standardized questionnaires [9].

Our work complements research on information privacy at work by presenting holistic insights from office workers’ privacy perceptions in relation to existing legislation. To the best of our knowledge, we are the first to examine employee requirements for privacy controls based on the right to informational self-determination. With this focus, we expect our results to be highly practical and to contribute towards a modern understanding of privacy in employment relationships in Europe.

3.2 Mental models of privacy at work

Research on mental models of privacy at work is thus far limited. Mental models are simplified internal representations of external reality that enable individuals to make sense of their environment, including but not limited to simple actions, systems, or even complex phenomena [26]. Mental models are generally considered to be incomplete, incorrect, and highly context-dependent, making them unstable or rather inconsistent [47]. Irrespective of their accuracy, mental models guide people’s decision making process in both familiar and unfamiliar situations [17, 25]. In the context of HCI on topics of usable security and privacy, mental models are surveyed (1) to construct a system in which cognitive effort is optimised for usability [11, 58, 66], (2) to use them as a tool for effective communication between expert and ordinary users [31, 52, 67, 70], or (3) to capture and explore concerns, expectations, and understandings of technology [20, 23, 27, 38, 54, 71]. Previous research has elicited mental models of privacy in general [48] and in the context of specific technical solutions, with a particular emphasis on online services [13, 19, 33, 37, 51, 58]. From the results of these studies, it is already evident that the nature of privacy does not permit a mental model that is universally true. Instead, individuals use highly simplified models [2] and rely on several incomplete and poorly formed sub-models [51].

Mental models of wearables at work were found to be biased by anxiety about privacy intrusions and the fear of limited self-determination [41]. High levels of concern regarding the misuse of information by employers are reasons that hinder the adoption of wearables. Simultaneously, some employees are generally willing to disclose data if they receive adequate gratification in return.

To the best of our knowledge, we are the first to capture and present office workers’ perceptions of personal data in the employment context, and to gain in-depth insights into their understandings of data processing, data flow, safeguards, and threat models.

4 Methodology

We conducted a mental model study based on semi-structured interviews with 27 office workers from Germany during the period July until September 2019, and in August 2020. In the following, we provide details on the applied methodology, the interview guidelines, the participants’ recruitment and demographics, the evaluation, the study’s limitations, and ethical considerations.

4.1 Method selection

The elicitation of mental models requires the extraction of subjects’ internal representations and can be done either directly or indirectly [49]. Direct methods assume that respondents are able to articulate their trains of thought. Indirect methods are based on researchers’ interpretations of a statement or observation. A common procedure is using open-ended semi-structured interviews [66]. They allow participants to express themselves freely and allow the interviewer to clearly work out relevant aspects by asking targeted follow-up questions. In contrast, focus groups may not allow for the
Exploring mental models of the right to informational self-determination of office workers in Germany   9

same insights, as participants may not share their per-               Procedure: In the interview, our participants were
sonal opinions or may adapt them due to group dy-                 welcomed and briefed about the study procedure and
namics [32]. We therefore decided to conduct individ-             conditions. We asked for their consent to elicit draw-
ual interviews. For these interviews, different method-           ings, hand writings, voice recordings, and questionnaire
ologies are available, including card-sorting tasks, ver-         answers. Each participant then summarized their job
bal, and graphical methods. All of these methodologies            profile and the technical tools used for work. We then
present different advantages and limitations [7]. In or-          presented six different categories of data and asked for
der to overcome the limitations, a combination of at              definitions and examples. Respondents were then asked
least two elicitation techniques is common [29, 52, 58].          to explain their abilities and liberties in disclosing data
Thus, we chose to conduct our interviews using both               to employers. We encouraged them to discuss ways in
verbal and graphical elements, as given that informa-             which their privacy could be violated. We then asked
tional self-determination is a highly abstract concept.           for explanations of the concept of informational self-
                                                                  determination and its relevance to the employment rela-
                                                                  tionship. Participants were then guided through a draw-
4.2 Interview guideline and procedure                             ing task. We presented a sheet with different data and
                                                                  asked them to indicate (1) how and where the data are
Guideline design: The main challenge in creating in-              stored, (2) who has access to them, and (3) which attack
terview guidelines is to ensure that they cover all topics        vectors and safeguards exist. At the end of the survey,
of interest. To the best of our knowledge, there is no            respondents filled out a demographic questionnaire and
comprehensive model available that could be used to               were asked if they wanted to add anything to the discus-
deduce questions on informational self-determination.             sion. Not including time spent briefing and debriefing,
Thus, to design an appropriate interview guideline, we            the interviews lasted between 29 and 97 minutes. Our
adopted an expert model approach [42], as it has been             interview guidelines are available in Appendix B.
proven to be valuable in eliciting mental models on com-
puter security and privacy [13]. With this approach, we
aimed to capture and sort relevant aspects of the sub-            4.3 Participants
ject area of interest. In order to ensure the quality of
the expert model, we executed an iterative development            Recruitment and enrollment: Since demographic
process: First, we derived an initial version from se-            variables correlate to different privacy perceptions [35],
lected themes on German and EU data protection laws. We then conducted two expert group sessions with researchers from law, psychology, ergonomics, IT systems engineering, as well as security and privacy (N=8). In the first session, the initial model was presented and discussed. We adjusted the model based on the feedback gathered, which involved adding aspects of general privacy literature, as well as technical and organizational circumstances of workplace environments. The revised model was discussed in a second session with the same group of experts. Subsequent changes were again individually reviewed. The final model was divided into four categories: (1) common privacy terminology and processes that are relevant at the moment of data collection; (2) steps of data processing; (3) negative and positive consequences for both employees and employers; (4) transparency aspects of interest to employees. The expert model is available in Appendix A. We derived interview guidelines from the model and revised them with three researchers experienced in conducting interviews. We also conducted three pilot interviews with office workers to fine-tune the questions and wording.

we aimed to recruit a heterogeneous sample in terms of professional and socio-demographic backgrounds. The sample was thus recruited to balance gender, work experience, age, job profile, and organization size. We also took into account whether or not the processing of personal data was a core activity of the participants’ job.

Initially, we contacted four organizations operating in various business areas and presented the content of the study to the respective management. After the organizations’ internal approval audits were completed, one organization required us to involve the staff association before approving recruitment. When required, we also briefed the division managers to secure their agreement and support for the study. We asked the different managers not to disclose the content of the study in advance to their employees. We carried out targeted recruitment via e-mail invitations sent to various organizational units (using internal mailing lists) and by asking office workers directly to participate in the study if their demographic details matched our recruitment target. To counteract demographic imbalance, we also contacted office workers outside these organizations. The
invitations asked recruits to participate in an interview on “general practices in dealing with data at the workplace”, but did not reveal the exact purpose of the study. Interested employees contacted the interviewers directly. If possible, the interviews took place on the organizations’ premises to prime participants to the work context (N=19), or in our laboratories (N=3), or via a web conferencing tool (N=5). Participants did not receive any compensation from the interviewers, but some were allowed to participate during their working hours and were exempted from normal duties.

Demographics and fields of activity: We recruited 27 employees in total (13 female, 14 male) from nine different organizations. Participant age ranged between 24 and 58 years (M=40.5, SD=10.4). Among these participants, 6 worked in micro companies (< 10 employees), 7 in medium companies (< 250 employees), and 14 in large organizations (≥ 250 employees). As is typical for office workers, the level of education in our sample was relatively high: the minimal educational level was secondary school and 17 participants held an academic degree. For our analysis, we divided our participants into three groups of different professional backgrounds and experience with data processing:

The first group comprised administration employees (N=9), who were mainly concerned with the management of financial resources and project controlling. These participants mostly worked with central management software and processed personal data of other employees working for the same employer. Two participants held leadership positions with staff responsibility.

Computer scientists and software developers formed the second group (N=11). They were divided into the areas of security engineering, requirements engineering, and B2B software for personnel management and stock control. Three participants worked in academia and two held a leadership or managerial position with staff responsibility.

The third group comprised employees with activities other than the processing of personal data and without a computer science background (N=7). This group included two participants who worked as technical engineers in the field of construction and performed mainly CAD-related tasks, two participants who worked as sales staff for B2B software, and three participants who worked in the field of communication and marketing, including media design and consulting (which involves exchanges with customers). One participant held a leadership position with staff responsibility.

A table compiling all participants’ demographic information is available in Appendix C.

4.4 Evaluation and data analysis

We conducted a qualitative analysis of our interview data by carrying out inductive coding. We chose this approach because the themes are generated from the content of the interviews themselves. For coding, we followed established guidelines and common practices for semi-structured interviews [14, 40]. First, we segmented the transcribed audio recordings into thematic sections based on our interview guidelines. Two coders (A, B) then reviewed the material several times in depth and discussed the topics and themes they encountered. Coder A (the principal investigator [14]) then carried out line-by-line coding using a mixture of open coding and in vivo coding on the sections of interest. Next, codes of the same topic were merged. The remaining codes were then grouped into related categories and organized into hierarchies by coder A. The resulting set of codes was presented to coder B. Coders A and B then coded a randomly selected 30% subset of the interview sections related to each research topic. By doing so, they identified coding conflicts and resolved any differences in code comprehension. The codebook was reworked by reorganizing, adding, or removing codes in order to align it with both coders’ understandings. A final subsequent recoding of 100% of the material was carried out by the two coders. The coders reached an Inter-Rater Agreement (IRA) of 75% (Kappa = 0.81). However, relying solely on Kappa values is debatable due to our complex coding system (214 codes) and the non-equal probability of code occurrence [14]. Therefore, remaining differences were discussed and, if possible, resolved by negotiation. The final IRA is 91%. Full agreement was not reached due to remaining differences in the coders’ interpretations of individual statements.

4.5 Limitations

Although the study design intends to capture general mental models of informational self-determination at work, the results cannot be generalized due to the qualitative nature of the study and the strong context dependence of privacy. While education does not significantly impact privacy perceptions [36], it may nevertheless have affected the understanding of our questions and the resulting answers. Despite individual demographic differences in our small sample, our study also contains limitations which are well known in privacy research: our participants’ perceptions are biased by macro-environmental factors, particularly with regard
to the cultural background and the existing strong governmental regulation framework [36]. Findings may vary for office workers from other organizations, because privacy perceptions correlate with the organization type [63]. Nevertheless, our results constitute an important step towards more complete views of privacy by complementing the results of prior studies that had U.S.-biased samples [12, 36]. Our results also contribute to the diversity of meanings, values, and attitudes about privacy with findings from an underrepresented context.

As participation was voluntary, sampling may be affected by a self-selection bias and limited to the population of people employed at the organizations we contacted. Although we recruited our sample one year after the GDPR came into force, feedback we received during recruitment suggests a “data protection” and “privacy” fatigue. While our invitations did not mention these themes, the chosen wording of the invitations may still have evoked unintended associations. The salience bias therefore probably intensified the self-selection bias, with privacy-fatigued individuals less likely to participate.

The results of studies with a mental model approach are limited by the study’s setting, tasks, and analysis [27]. However, our participants may in fact have had relatively advanced mental models of informational self-determination. Our sample was biased towards administrative and IT staff, suggesting familiarity with (personal) data processing. Therefore, our results likely represent the more advanced mental models, serving as a sound basis for future quantitative research.

4.6 Ethics

Although we do not have a formal IRB process at our university, we made sure to minimize potential harm by complying with the ethics code of the German Sociological Association as well as the standards of good scientific practice of the German Research Foundation. Our study complies with the strict national and European privacy regulations. We collected data anonymously when possible or, when this was not possible, anonymized the data after the interview. Any contact information was stored separately. Participants were informed about withdrawing their personal data during or after the study. For this purpose, we supplied a deletion token at the beginning of the study. We particularly emphasized that aborting the interview would have no negative consequences and assured employees that neither their participation nor the interview’s content would be reported back to employers or management.

5 Results

The following subsections are organized around our research foundations in Sec. 2. More precisely, Sec. 5.1 is dedicated to T1, while Sec. 5.2 and 5.3 focus on T2 and T3, respectively. We translated relevant statements of our participants from German into English applying a forward-backward translation procedure with native speakers. In relevant cases, we report how many participants stated specific themes to indicate the frequency and distribution. These counts may serve as an indication and not as a basis for a quantitative analysis.

5.1 Perceptions of categories of data

We presented the six different terms for categories of data described in research topic T1 in a random order to our participants, and asked them to provide definitions and examples with regard to their employment.

5.1.1 Participants’ definitions of categories of data

Data and information: Our respondents tended to arrange the terms hierarchically, where “first of all, everything is ‘data’. ‘Data’ is at the top” (P15). They emphasized that “data” is a “generic concept [that describes] all kinds of things” (P04) and whose composition generates information: “data are different items out of all this information [..], the single items that you can divide these [other] categories into” (P20). Our participants agreed that their everyday working life is full of data and information. Yet, we found different associations. While IT and administrative professionals linked mere factual knowledge without personal reference to these terms, other participants referred to data with a clear personal reference relevant to the job (e.g. customer data) when describing “information”.

PII and IRI: Half of participants identified the implicit personal reference of IRI. Yet, all of our participants also identified a close relationship between IRI and PII or argued that there is no difference at all. A third of participants expressed difficulties describing these terms. Overall, we found the greatest confirmation that PII were perceived to directly relate to and uniquely identify an individual: “[PII are] anything that only concerns me, that only I am, with which one could prove that this is my identity” (P22). Most participants primarily assigned all types of master data (e.g. name)
to PII. IT staff also linked biometrics and passwords to PII, and noticed PII’s generation by tools and their omnipresence in log files. All participants were aware that PII become accessible to a variety of internal and external parties during employment. Very few participants expressed the need to protect PII from employers.

Private data: Participants described private data to be strongly non-work-related and as “something that only [they] know, but the company does not know” (P14). Participants stressed the high sensitivity of the data and expressed the urgent need to keep them confidential. Consequently, private data are disclosed reluctantly: “I hate to give these out, so I’m very careful with them” (P02). Participants believed that once private data are disclosed, access to them must be limited to a small group of people with special rights. Participants were aware that employers do access private data to at least a limited extent, whether due to socializing activities, business routines, or device usage. Participants located the data on work devices and in calendars, and insisted on having “a right to expect [private data] to be specially protected” (P01) by and from employers.

Personal data: We encountered the most non-uniform explanations for this term. Half of participants described personal data as a superset that either included, or was the same as, private data. Some gave opposing explanations and declared that private data were the superset, whereas personal data were absolutely confidential. A third of participants claimed that “personal data” was a synonym for PII. The collected statements took fundamentally contradictory positions on a continuum between the extremes of personal reference: one quarter reported that personal data “directly concern a person in their identity, which describe them, which clearly identify them, which make up their personality”; in contrast, another quarter perceived personal data simply as “information that is not personal at all” and without reference to an individual, but “which are subject to [their] personal access”. Despite these differences, our participants agreed that personal data somehow belong to a person and that access may be restricted: “personal data in the sense that they are not really public, or that I do not want them to be public” (P17). Participants agreed that personal data serve business purposes and must be available to employers. Still, personal data must only be accessible by a small circle of people or an individual. Few participants indicated that personal data were worth protecting and should stay confidential.

Fig. 1. Identified coding themes: (G1) relation to a person; (G2) data sensitivity; (G3) access to data; (G4) relation to work. Circle size and saturation are proportional to the number of mentions.

Identified themes: We identified recurring themes in the coding of our participants’ explanations, which we arranged into four thematic groups (cf. Fig. 1):

The first group (G1) describes the relation to a person. We found conflicting views on whether a personal reference exists, and how data relate to a person, for five out of six terms. Also, colleagues working within the same organization or team held diverging views.

The second group (G2) concerns data sensitivity. In line with contextual integrity, data marked as sensitive or secret were not perceived worth protecting from employers if they fit into the context. Also, data considered secret or confidential were not necessarily expected to be sensitive and vice versa. We assume that participants recognized that some data served business purposes and therefore accepted the processing.

The third group (G3) relates to access to data. We found that it played a crucial role if participants located data in the private or personal sphere. In these cases participants believed that access to these data must be restricted to oneself and to small groups of entities.

The last group (G4) describes data’s relation to work. Based on a code co-occurrence analysis, we found that data with no business relevance were expected to be secret and protected by, but also from, employers.

5.1.2 Discussion

Our results are somewhat ambivalent. On the one hand, the answers we received indicate that the terms under question evoke adequate associations in a broader sense. Based on accumulated answers, our coding suggests that participants distinguished between three broader concepts: (1) The first concept arises from data and information, and largely lacks privacy-related attributes; (2) The second concept arises from PII and IRI, and symbolizes data with clear personal references; (3) The third concept is defined by private data and symbolizes data with no business relevance and strong access restrictions. On the other hand, however, the contradicting statements about personal data symbolize the numerous problems that our participants had with these terms. Half of participants explicitly asked for clarification or did not identify meaningful differences. One participant completely resigned: “I do not understand these terms at all”. We obtained similar answers from participants of different professions. Indeed, our results demonstrate that even employees who primarily process (personal) data or hold leadership positions have difficulties with legal terms found in practice. This coincides with previous findings that technical or legal jargon can be misinterpreted both by laypersons and experts [53].

Furthermore, we identified elements of CPM theory in our participants’ answers. They intuitively referred to different privacy boundaries in their explanations of the different terms. Here, the assumed business relevance played a decisive role for whether data belong to the public or private sphere. This was associated with expectations of control, claims to ownership, but also rules for co-ownership: “If I receive [sensitive personal data] from others [..] it can be data that are really confidential, and that I have to safeguard, and that I’m not allowed to disclose to the outside world” (P22). However, participants made conflicting assumptions about spheres, (co-)ownership, and control for the same data concepts. Such conflicts also existed among participants from the same organization. In some cases, the participants themselves were also confused. Based on our results, office workers’ associations of common terms seem to lack harmonized and clear boundaries. According to CPM theory, such fuzzy boundaries tend to lead to unintentional privacy intrusions because access rules also become fuzzy [50]. Also, lack of familiarity with the terms’ legal meanings favors boundary rule mistakes, as employees either access data themselves without authorization or incorrectly assume no access because “they do not understand the privacy rules” [50].

Prior work showed that employees create “implicit rules [..] by implied meanings and understandings” for ownership and control [61]. Our results demonstrate this strategy’s susceptibility to error. The use of common terms is likely to leave office workers in an uninformed state, since they are unaware of the rights and obligations that actually apply to, for example, “private data”. The identified conflicting interpretations also strongly question the use of common terms for labeling data to express access rights in particular.

Since the use of legal terms will not disappear in practice, potential turbulence may be countered by making meaning and interpretations explicit. A possible approach is the explication of attributes based on the recurring themes that we found. In combination with the clear set of three broader concepts that we identified, we believe that the themes we captured may serve as a basis for more intuitive descriptions in the future.

5.2 Concepts of the right to informational self-determination at work

To address research topic T2, we discussed various topics of control over personal data with our participants and concluded with the question “what is informational self-determination at work?”. A quarter of participants expressed their lack of familiarity with the term, but their explanations did not differ from responses of participants who did not express this. Participants either discussed new topics or summarized previous topics of the interview which they considered essential for answering this question. One participant had very different associations: “[It is the right to] freely choose what I want to allow to influence my formation of opinion. That means that I can choose the media I consume.”

We divided the aspects discussed by our participants into four thematic categories (cf. Fig. 2): (1) the objectives of informational self-determination; (2) the importance of self-determination; (3) the value of transparency; and (4) practical restrictions and issues.

5.2.1 Objectives of informational self-determination

We extracted two distinct objectives that our participants associated with the right to informational self-determination. First, they believed it to limit disclosure to such data that are absolutely necessary for the employment relationship. This was accompanied by absolute claims for control: “Whenever I decide that my employer is interested, that’s what he needs, he gets the data, but everything else that goes beyond that, I refuse” (P05). The second objective was to protect one’s privacy from others, whereby participants distinguished between the protection from internals and externals (e.g. customers). A secondary goal was the increased overall control over non-personal data in work processes.
5.2.2 Self-determination

Self-determination was recognized as the key aspect of the right to privacy, which was reflected in this topic filling over half of the discussions. It was defined as having choice and the right that others, including employers, respect decisions to withhold personal data. P06 explained it this way: “[enquiry forms have] incredibly many fields, but not even half of them are necessary. Self-determination would be how many fields I fill out.” Our participants elaborated on the different facets of control they derived from the right to informational self-determination. We found demands for control over all kinds of manipulations and processing. Three quarters of participants put emphasis on ex-ante control options, asking for control over the receivers and purposes in the disclosure process. A quarter of participants expected to be asked for explicit consent every time their personal data got processed or transmitted: “[self-determination] would mean nothing else to me than every time someone wants to pass on any personal data or whatever about me to a third party, be it the client, be it colleagues, be it anything, I will be the first party asked if it is okay and if I give my blessing for it to happen” (P13). Unsurprisingly, self-determination was considered to be missing in practice. For some, it was important to explicitly accept and reject data requests, while others aimed for simplified options, stating that (not) responding to requests was sufficient to accept (or decline) data processing. A third of participants pointed out that such control is often unavailable to employees and instead asked for ex-post control that would allow them to object to ongoing processing.

The strong desire for self-determination was also made evident by the fact that half of participants stated that they would conduct their own investigations in the event of misuse of personal data. Very few participants indicated that they would consult a DPO. In cases of intentional misconduct, they would take legal action against their employer by filing a claim for damages.

5.2.3 Transparency

A quarter of participants discussed and recognized the value of transparency for privacy. They noted the complex dimensions of “being informed” and argued it would mean to become truly and deeply aware of purposes and consequences of data processing. They further pointed out that one often does not consider the linkage of data and also sought assurances of the legitimacy of data collection: “That I can clearly distinguish between legal requirements, data that must be collected, and data that are collected beyond that or linked together for different purposes, so that I can clearly identify at this point what the actual objective is.” (P11).

5.2.4 Restrictions and issues

Participants held different attitudes about the validity of the right to privacy in employment relationships. A third of participants expressed the unrestricted validity of this right. However, most participants noted at least minor restrictions due to the legal and occupational framework. In weighing the advantages of employment against perfect privacy, we found traits of a privacy calculus [18]. Participants noted that the disclosure of personal data was indispensable, especially in service-oriented professions.

Furthermore, participants discussed issues of mental load. They noticed the high cognitive demand that was necessary to truly capture the complexity of self-determined privacy decisions: “I think [privacy] is a desirable ideal, but never quite attainable, as it would mean that one is actually fully aware of [all the data processing] and that one can then actively take control” (P03). Participant P18 pointed out the associated high time costs: “Many people probably feel the need to say that they would like to have informational self-determination, but are not willing to invest time in it.”

Our participants also pointed out the limitations of current privacy controls in many situations. They felt powerless, either because there was “no way of saying no, I don’t want to” (P05) or they were unsatisfied with the controls they have. On this note, P03 complained that “you can shape your everyday life by using the appropriate buttons and allowing or rejecting things”. P18 pointed out the insufficiency of privacy settings, stating that “if I had to set 10,000 settings every day, no, of course I don’t want that” and explained that there was also the question of “granularity - I don’t want to release data in such a detailed way.”

5.2.5 Clusters of mental models

We conducted a clustering analysis of the coded interviews to examine correlations among our participants’ responses. Since our coding was aimed at identifying the presence of themes, we calculated the Jaccard distance between the binary coding vectors of each participant.
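The distance and clustering steps of this analysis, as an added illustration that is not the authors' analysis script: each participant's coded themes become a binary presence vector over the codebook, pairwise Jaccard distances are computed, and the participants are agglomerated with unweighted average linkage (UPGMA) until the chosen number of clusters remains. The participant ids S01..S06 and the theme labels are constructed sample data, and clustering is run directly on the distance matrix rather than on a multidimensional-scaling case map.

```python
"""Jaccard distance on binary theme-coding vectors, followed by UPGMA
(unweighted average linkage) agglomerative clustering.

Added example; not the study's own analysis code. Participants S01..S06 and
their theme sets are constructed sample data. Clustering is applied to the
Jaccard distance matrix directly (no multidimensional-scaling step).
"""
from itertools import combinations
from statistics import mean

# Constructed sample: the themes coded for each (hypothetical) participant.
SAMPLE_CODING = {
    "S01": {"full_control", "transparency", "ex_post_control"},
    "S02": {"full_control", "transparency"},
    "S03": {"limit_disclosure", "accept_restrictions"},
    "S04": {"limit_disclosure", "accept_restrictions", "protect_externals"},
    "S05": {"protect_externals", "protect_internals", "explicit_consent"},
    "S06": {"protect_externals", "explicit_consent", "full_control"},
}


def binary_vectors(coding):
    """Map each participant's theme set to a 0/1 vector over the sorted codebook."""
    codebook = sorted(set().union(*coding.values()))
    vectors = {pid: [int(code in themes) for code in codebook]
               for pid, themes in coding.items()}
    return codebook, vectors


def jaccard_distance(u, v):
    """1 - |A and B| / |A or B| over the positions set to 1.
    Two all-zero vectors are treated as identical (distance 0) by convention."""
    both = sum(1 for a, b in zip(u, v) if a and b)
    either = sum(1 for a, b in zip(u, v) if a or b)
    return 0.0 if either == 0 else 1.0 - both / either


def distance_matrix(vectors):
    """Symmetric dict-of-dicts of pairwise Jaccard distances between participants."""
    pids = sorted(vectors)
    dist = {p: {} for p in pids}
    for p, q in combinations(pids, 2):
        dist[p][q] = dist[q][p] = jaccard_distance(vectors[p], vectors[q])
    return dist


def average_linkage(dist, cluster_a, cluster_b):
    """UPGMA linkage: mean of all member-to-member distances between two clusters."""
    return mean(dist[p][q] for p in cluster_a for q in cluster_b)


def upgma(dist, k):
    """Merge the two clusters with the lowest average linkage until k remain.
    Ties are broken by the first pair in sorted order, so results are deterministic."""
    clusters = [(pid,) for pid in sorted(dist)]
    while len(clusters) > k:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            d = average_linkage(dist, clusters[i], clusters[j])
            if best is None or d < best[0]:
                best = (d, i, j)
        _, i, j = best
        merged = tuple(sorted(clusters[i] + clusters[j]))
        clusters = [c for n, c in enumerate(clusters) if n not in (i, j)] + [merged]
        clusters.sort()
    return clusters


def cluster_participants(coding, k):
    """Full pipeline: theme sets -> binary vectors -> Jaccard distances -> k clusters."""
    _, vectors = binary_vectors(coding)
    return upgma(distance_matrix(vectors), k)


if __name__ == "__main__":
    # Compare the 2-, 3- and 4-cluster solutions, as done for the study's case map.
    for k in (2, 3, 4):
        print(k, cluster_participants(SAMPLE_CODING, k))
```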
Fig. 2. Identified themes of informational self-determination at work arranged by code groups and hierarchies. For each identified cluster, the top ten codes are linked together. The line width symbolizes the code occurrence in a cluster (mentions / participants).

We used multidimensional scaling to build a case map, followed by hierarchical clustering (unweighted average linkage). We compared the resulting cluster solutions for 2, 3, and 4 clusters by working out their differences and similarities. We opted for the three-cluster solution due to meaningful differences in the views and emphasis on privacy objectives, transparency, and control (cf. Fig. 2).

Privacy Doctrinairist (PD): The first group (N=8; 5 IT, 2 others, 1 administrative) demanded the unrestricted validity of the right to informational self-determination at work, requiring full control over the processing of personal data. In addition, they partially recognized the value of ex-post control. Mental models in this cluster were the only ones that recognized transparency as a key aspect of privacy, needed in order to become aware of the aims and purposes of data processing. Emphasis was put on information about which personal data are stored and who has access to them.

Control-Seeking Pragmatist (CSP): For participants in this group (N=10; 5 administrative, 3 others, 2 IT), informational self-determination was tantamount to control over the disclosure of personal data. Mental models were characterized by the primary goal of limiting disclosure to absolutely necessary data. They defined self-determination as the key element of privacy and required employers to respect decisions to withhold data. They also showed traits of pragmatism, since they recognized the necessity of disclosure in employment relationships and tended to accept limitations to privacy.

Data-Flow Concerned Protectionist (DFCP): Participants in this group (N=9; 4 IT, 3 administrative, 2 others) had a strong desire to protect their privacy outside the organization and, to some extent, internally. We found strong claims towards an ability to gain control over both the forwarding of data by employers and the audience to whom personal data were disclosed. These demands were expressed in mental models either through expecting to be asked for explicit consent each time or through expecting full control over the processing of data. Nevertheless, some mental models also showed traits of accepting restrictions.

5.2.6 Discussion

Our investigation of the right to informational self-determination reveals that privacy at work is associated with different meanings, objectives, and problems. Our cluster analysis further shows that although the mental models may overlap to some extent, there are different emphases. First, for mental models in the CSP and DFCP clusters, privacy appeared to be almost synonymous with control over the disclosure of data. The PD cluster, however, defined privacy in terms of both the demand for general control over data processing and the demand for transparency. Thus, while our findings are consistent with previous work highlighting the importance of control over the gathering and handling of data
for privacy at work [16], our results also indicate that transparency is another important dimension. Since legislation grants employees far-reaching rights to transparency but limits self-determination, the PDs benefit most from the current legal framework, despite their absolute claims to privacy. While no participants reported negative experiences with privacy at work, the somewhat limited view of the right to privacy as ex-ante control among the CSPs and DFCPs likely prevented them from becoming aware of issues that might conflict with their privacy objectives. For example, the right to transparency would allow CSPs to request proof from their employers or DPOs of what data they are required to disclose. The control goals of DFCPs also correlate with the transparency goal of understanding data flow. Here, control claims might reflect a lack of transparency of data flow at work, which is compensated for by treating the moment of disclosure as the most important control point for privacy protection. Participants’ current mental models rather seem to simply make them accept the conflicts they are aware of. Despite discussing aspects of transparency with all participants, our analysis does not provide an answer as to why CSPs and DFCPs ignored transparency as a key element of privacy.

Moreover, it is questionable whether ex-ante control would allow employees to manage their privacy in a reasonable way, given that our results, similar to findings from online privacy research [23, 54], suggest that privacy management is burdensome and that current intervention options are inadequate or complex. In fact, German legislation deliberately pursues a concept of privacy paternalism for employment relationships, limiting ex-ante control to relieve employees of the burden of protecting their privacy. In particular, individual consent is avoided because it is legally controversial and difficult for organizations to manage. An essential prerequisite for consent in the legal sense is that it must be given voluntarily and can be revoked at any time without negative consequences. Due to the imbalance of power between employer and employee, however, true voluntariness is difficult to guarantee. Consent is therefore often unavailable to employees. Instead, legislation encourages collective agreements and makes works councils responsible for privacy protection. Indeed, the problem of true voluntariness appears to be intensified by an overall negativity bias regarding privacy management.

Nevertheless, our findings show that privacy paternalism conflicts with the self-determination that is deeply rooted in mental models. It is noteworthy that legislation generally enforces self-determination in non-work-related contexts. We therefore assume that the legal framework itself does not appear to be problematic. Rather, our findings coincide with other work suggesting that people generally appear to be unaware of their rights to ex-post control and transparency because of ignorance and false expectations about privacy legislation [4]. Since our sample includes office workers skilled in both security engineering and data processing, our results are likely to include more advanced mental models. We therefore assume that the identified bias towards ex-ante control is not unique to our sample.

Because mental models are formed by prior experience, we hypothesize that this bias results from the privacy controls available in practice, which appear to be characterized by ex-ante control outside of the work context. Likely, mental models of informational self-determination at work are derived to a large extent from mental models in other contexts. This would explain a lack of experience with ex-post controls and transparency, and would also prevent mental models from linking these features to the right to privacy. Future challenges are to establish such a link. It should be in the best interests of employers to support their employees in building awareness of feasible control options, instead of leaving them in a mental state of unattainable privacy controls. Despite scientific and legal efforts to provide transparency-enhancing tools [44], their value to the right to privacy and their potential to reduce the burden of privacy management must also be promoted. The public discourse on data protection may have shaped mental models of privacy in an overly one-sided way. Employees should also become aware that DPOs and works councils are there to support them. Here, education is needed to familiarize employees with their rights and with the entities involved in the right to privacy at work.

We compared the descriptive characteristics of our clusters with those of personas known from online privacy research and identified minor similarities with Morton’s information controller and organizational assurance seeker [43], and with Schomaker’s and Westin’s privacy pragmatist [34, 57]. Unlike those personas, however, our clusters emphasize the various interpretations of the right to privacy at work rather than privacy concerns. In line with the criticism that online privacy personas do not serve well outside their original context [28], we expect our clusters to highlight privacy perceptions that are particular to the employment context. We would like to point out that our results do not indicate any unconcerned employees either, which questions the applicability of approaches like Westin’s unconcerned persona to the work context. We consider this a consequence of the overall high value placed on the topic of data protection in Germany.