{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,7]],"date-time":"2026-02-07T19:44:01Z","timestamp":1770493441426,"version":"3.49.0"},"reference-count":62,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2021,5,18]],"date-time":"2021-05-18T00:00:00Z","timestamp":1621296000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2021,11,12]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>This study aims to conduct a survey in a bank to measure the perception of employees towards the effective governance of information privacy and at the same time validating the information privacy governance questionnaire (IPGQ) used in this study.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>A quantitative research approach was followed using an online survey questionnaire to collect data in a bank in South Africa.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>The survey results showed that employees perceived the governance of privacy in the organisation in a positive way. Three significant differences were identified, namely, Generation-Y being significantly more positive than Generation-X regarding privacy control assessment. Also, that the contractor\/vendor group was significantly more positive than permanent employees regarding organisational commitment and privacy control assessment. Exploratory factor analysis was used to validate the IPGQ and four factors were identified: privacy control assessment, personal information awareness assessment, privacy governance reporting and organisational commitment towards privacy. Cronbach\u2019s alpha was used to establish the internal reliability of the factors and indicated good internal consistency.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title><jats:p>One of the potential empirical research limitations for this study is that the study was conducted in a single organisation; therefore, when generalising the results, caution must be taken.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title><jats:p>Organisations, academics and the industry may find the questionnaire useful to determine employee perception towards privacy governance and to identify recommendations that could be used to improve their privacy policies, privacy programme controls and organisational commitment towards privacy. In this study, it was identified that for Generation-X employees to be more accepting towards the privacy controls, the organisation needs to implement focussed awareness training for them. To ensure permanent employees\u2019 commitment and accountability, internal audits, monitoring and risk assessment measures need to be implemented. These can be directed through the outcomes of the survey.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>The IPGQ can aid organisations in determining if they are governing privacy effectively, and thus assist them in meeting the accountability condition of data protection regulation.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-08-2020-0135","type":"journal-article","created":{"date-parts":[[2021,5,24]],"date-time":"2021-05-24T07:09:55Z","timestamp":1621840195000},"page":"761-786","source":"Crossref","is-referenced-by-count":8,"title":["Validating an information privacy governance questionnaire to measure the perception of employees"],"prefix":"10.1108","volume":"29","author":[{"given":"Paulus","family":"Swartz","sequence":"first","affiliation":[]},{"given":"Adele","family":"Da Veiga","sequence":"additional","affiliation":[]},{"given":"Nico","family":"Martins","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2021,5,18]]},"reference":[{"key":"key2021111012415338300_ref001","unstructured":"AICPA\/CICA. (2011), \u201cPrivacy maturity model\u201d, AICPA\/CICA, available at: https:\/\/iapp.org\/media\/pdf\/resource_center\/aicpa_cica_privacy_maturity_model_final-2011.pdf (accessed 29 January 2019)."},{"issue":"3","key":"key2021111012415338300_ref002","first-page":"403","article-title":"Work outcomes and job design for contract versus permanent information systems professionals on software development teams","volume":"25","year":"2006","journal-title":"Information Systems Outsourcing (Second Edition): Enduring Themes, New Perspectives and Global Challenges"},{"key":"key2021111012415338300_ref003","article-title":"Questionnaire measures of organisational culture","volume-title":"Handbook of Organisational Culture and Climate","year":"2000"},{"issue":"2","key":"key2021111012415338300_ref004","doi-asserted-by":"crossref","first-page":"138","DOI":"10.1016\/j.dss.2010.01.010","article-title":"The impact of personal dispositions on in-formation sensitivity, privacy concern and trust in disclosing health information online","volume":"49","year":"2010","journal-title":"Decision Support Systems"},{"key":"key2021111012415338300_ref005","volume-title":"Psychology at Work","year":"1993"},{"key":"key2021111012415338300_ref006","first-page":"1","article-title":"The effects of the PoPI act on small and medium enterprises in South Africa","year":"2015","journal-title":"South African Journal of Economics"},{"key":"key2021111012415338300_ref007","volume-title":"Organizational Research Methods","year":"2001"},{"key":"key2021111012415338300_ref008","volume-title":"Business Research Methods and Statistics Using SPSS","year":"2008"},{"key":"key2021111012415338300_ref009","unstructured":"Clamp, C. (2017), \u201cKing III vs King IV \u2013 What you really need to know\u201d, Grant Thornton South Africa, available at: www.grantthornton.co.za\/globalassets\/1.-member-firms\/south-africa\/pdfs\/kingiv_feb17.pdf (accessed 29 January 2019)."},{"issue":"3","key":"key2021111012415338300_ref010","doi-asserted-by":"crossref","first-page":"259","DOI":"10.22495\/jgr_v4_i3_c2_p8","article-title":"Generational motivation and preference for reward and recognition","volume":"4","year":"2015","journal-title":"Journal of Governance and Regulation"},{"key":"key2021111012415338300_ref011","article-title":"Statistical power analysis for the behavioral sciences","volume-title":"Revised Ed","year":"1988"},{"key":"key2021111012415338300_ref012","unstructured":"Community Care Information Management (2010), \u201cCommon privacy framework CCIM assessment projects\u201d, Ontario Health Service Providers, available at: www.centralwestlhin.on.ca\/\u223c\/media\/sites\/cw\/Documents\/ForHSPs\/GeneralResources\/CCIM_CommonPrivacyFramework_v1,-d-,0_CPF(1)(4).pdf?la=en (accessed 29 January 2019)."},{"key":"key2021111012415338300_ref013","volume-title":"Business Research Methods","year":"2014","edition":"12th ed."},{"issue":"2","key":"key2021111012415338300_ref014","doi-asserted-by":"crossref","first-page":"189","DOI":"10.1108\/ICS-05-2017-0034","article-title":"Cloud privacy objectives a value based approach","volume":"27","year":"2019","journal-title":"Information and Computer Security"},{"key":"key2021111012415338300_ref015","volume-title":"Research Design: Qualitative, Quantitative, and Mixed Methods Approaches","year":"2014","edition":"4th ed."},{"issue":"2","key":"key2021111012415338300_ref016","doi-asserted-by":"crossref","first-page":"243","DOI":"10.1016\/j.clsr.2015.01.005","article-title":"Information security culture and information protection culture: a validated assessment instrument","volume":"31","year":"2015","journal-title":"Computer Law and Security Review"},{"key":"key2021111012415338300_ref017","doi-asserted-by":"publisher","first-page":"261","DOI":"10.1016\/j.ijinfomgt.2019.05.010","article-title":"Mobile users\u2019 information privacy concerns and the role of app permission requests","volume":"50","year":"2020","journal-title":"International Journal of Information Management"},{"key":"key2021111012415338300_ref018","unstructured":"Denham, E. (2015), \u201cAn examination of BC goverment\u2019s privacy breach management\u201d, Office of the Information and Privacy Commissioner, available at: www.oipc.bc.ca\/media\/16876\/oipc-examination-of-bc-governments-privacy-breach-management.pdf (accessed 29 January 2019)."},{"key":"key2021111012415338300_ref019","volume-title":"The Privacy Engineer\u2019s Manifesto \u2013 Getting from Policy to Code to QA to Value","year":"2014"},{"issue":"20","key":"key2021111012415338300_ref020","first-page":"1","article-title":"Understanding and using factor scores: considerations for the applied researcher","volume":"14","year":"2009","journal-title":"Practical Assessment, Research and Evaluation"},{"key":"key2021111012415338300_ref021","unstructured":"DPA (2018), \u201cData protection act 2018 (UK)\u201d, United Kingdom\u201d, available at: www.legislation.gov.uk\/ukpga\/2018\/12\/pdfs\/ukpga_20180012_en.pdf (accessed 15 July 2020)."},{"issue":"2","key":"key2021111012415338300_ref022","doi-asserted-by":"crossref","first-page":"291","DOI":"10.1111\/j.1744-6570.1986.tb00583.x","article-title":"The application of exploratory factor analysis in applied psychology: a critical review and analysis","volume":"39","year":"1986","journal-title":"Personnel Psychology"},{"issue":"1","key":"key2021111012415338300_ref023","doi-asserted-by":"crossref","first-page":"262","DOI":"10.5465\/ambpp.1979.4977171","article-title":"Information privacy in organizations: an examination of employee perceptions and attitudes","volume":"1979","year":"1979","journal-title":"Academy of Management Proceedings"},{"key":"key2021111012415338300_ref024","unstructured":"GDPR (2016), \u201cGeneral data protection regulation (EU) 2016\/679\u201d, Official Journal of the European Union, available at: http:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32016R0679&qid=1490179745294&from=en (accessed 27 June 2017)."},{"key":"key2021111012415338300_ref025","first-page":"30","article-title":"Quantitative research design","volume-title":"Data Acquisition \u2013 1 Day","year":"2017"},{"issue":"1","key":"key2021111012415338300_ref026","first-page":"22","article-title":"Contract moderation effects on temporary agency workers\u2019 affective organizational commitment and perceptions of support","volume":"44","year":"2014","journal-title":"Personnel Review"},{"key":"key2021111012415338300_ref027","unstructured":"Greenleaf, G. (2019), \u201cGlobal data privacy laws 2019: 132 national laws and many bills\u201d, Privacy Laws and Business International Report, No. 157, pp. 14-18."},{"key":"key2021111012415338300_ref028","volume-title":"Building a Privacy Program. A Practitioner\u2019s Guide","year":"2011","edition":"2nd ed."},{"key":"key2021111012415338300_ref029","first-page":"9","article-title":"Building an effective privacy program","volume":"6981","year":"2005","journal-title":"EDPACS"},{"key":"key2021111012415338300_ref030","unstructured":"Hughes, T. and Leizerov, S. (2016), \u201cIAPP-EY annual privacy governance report 2016\u201d, IAPP-EY, available at: https:\/\/iapp.org\/media\/pdf\/resource_center\/IAPP-2016-Governance-Survey-Final2.pdf (accessed 29 January 2019)."},{"key":"key2021111012415338300_ref031","unstructured":"IAPP-FTI Consulting (2020), \u201cIAPP-FTI Consulting Privacy Governance Report 2020\u201d, available at: https:\/\/iapp.org\/media\/pdf\/resource_center\/IAPP_FTIConsulting_2020PrivacyGovernanceReport.pdf (accessed 18 January 2021)."},{"key":"key2021111012415338300_ref032","unstructured":"Information Regulator (South Africa) (2020), \u201cCommencement of certain sections of the protection of personal information act\u201d, available at: www.justice.gov.za\/inforeg\/docs\/ms-20200622-POPIA-SectionsCommencement-IR.pdf (accessed 15 July 2020)."},{"issue":"1","key":"key2021111012415338300_ref033","doi-asserted-by":"crossref","first-page":"141","DOI":"10.1177\/001316446002000116","article-title":"The application of electronic computers to factor analysis","volume":"20","year":"1960","journal-title":"Educational and Psychological Measurement"},{"key":"key2021111012415338300_ref034","first-page":"103","article-title":"Management of employees from different generations \u2013 challenge for Bulgarian managers and HR professionals","volume":"1","year":"2017","journal-title":"Economic Alternatives"},{"key":"key2021111012415338300_ref035","unstructured":"King III Report (2009), \u201cKing code of governance for South Africa 2009\u201d, Institute of Directors in Southern Africa, available at: www.ngopulse.org\/sites\/default\/files\/king_code_of_governance_for_sa_2009_updated_june_2012.pdf (accessed 29 January 2019)."},{"key":"key2021111012415338300_ref036","unstructured":"King IV Report (2016), \u201cKing IV report on corporate governance for South Africa 2016\u201d, Institute of Directors Southern Africa, available at: http:\/\/c.ymcdn.com\/sites\/www.iodsa.co.za\/resource\/resmgr\/king_iv\/King_IV_Report\/IoDSA_King_IV_Report_-_WebVe.pdf (accessed 29 January 2019)."},{"issue":"1","key":"key2021111012415338300_ref037","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1016\/j.giq.2015.12.002","article-title":"The collaborative realization of public values and business goals: governance and infrastructure of public-private information platforms","volume":"33","year":"2016","journal-title":"Government Information Quarterly"},{"issue":"3","key":"key2021111012415338300_ref038","doi-asserted-by":"crossref","first-page":"607","DOI":"10.1177\/001316447003000308","article-title":"Determining sample size for research activities","volume":"30","year":"1970","journal-title":"Educational and Psychological Measurement"},{"key":"key2021111012415338300_ref039","unstructured":"Kumaraguru, P. and Cranor, L.F. (2005), Privacy indexes: a survey of Westin\u2019s studies, CMU-ISRI-5-138, Institute for Software Research International School of Computer Science, Carnegie Mellon University, pp. 1-22."},{"issue":"3","key":"key2021111012415338300_ref040","doi-asserted-by":"publisher","first-page":"305","DOI":"10.1108\/PROG-02-2014-0014","article-title":"A structural model of information privacy concerns toward hospital websites","volume":"49","year":"2015","journal-title":"Program"},{"issue":"4","key":"key2021111012415338300_ref041","first-page":"33","article-title":"Conceptual framework","volume":"30","author":"Maxwell","year":"2004","journal-title":"Journal of Educational Administration"},{"key":"key2021111012415338300_ref042","unstructured":"Michalsons (2017), \u201cProtection of personal information act summary | POPIA\u201d, available at: www.michalsons.com\/focus-areas\/privacy-and-data-protection\/protection-of-personal-information-act-popia (accessed 29 January 2019)."},{"key":"key2021111012415338300_ref043","volume-title":"Generational Sub-Cultures","year":"2014"},{"issue":"1\/2","key":"key2021111012415338300_ref044","doi-asserted-by":"crossref","first-page":"58","DOI":"10.1108\/GKMC-02-2019-0026","article-title":"Assessment of a South Africa national consultative workshop on the protection of personal information act (POPIA)","volume":"69","year":"2019","journal-title":"Global Knowledge, Memory and Communication"},{"key":"key2021111012415338300_ref045","doi-asserted-by":"publisher","DOI":"10.2307\/3211488","volume-title":"Socal Research Methods: Qualitative and Quantitative Approaches, Relevance of Social Research","year":"2014","edition":"7th ed"},{"key":"key2021111012415338300_ref046","unstructured":"Office of Privacy Commissioner (2016), \u201cGetting accountability right with a privacy management program\u201d, Privacy Commisioners of Canada, Alberta and British Columbia, available at: www.oipc.bc.ca\/guidance-documents\/1435 (accessed 10 October 2016)."},{"key":"key2021111012415338300_ref047","unstructured":"POPIA (2013), Protection of Personal Information Act No 4 of 2013, Government Gazette, Vol. 581, South Africa, pp. 1-148."},{"key":"key2021111012415338300_ref048","unstructured":"PwC (2017), \u201cPrivacy governance survey: the state of privacy management in Belgian organisations\u201d, PricewaterhouseCoopers, available at: www.pwc.be\/en\/documents\/20170313-privacy-governance-health-check.pdf (accessed 24 June 2018)."},{"key":"key2021111012415338300_ref049","volume-title":"Research Methods for Business Students, Business","year":"2016","edition":"7th ed."},{"key":"key2021111012415338300_ref050","first-page":"989","article-title":"Information privacy research: an interdisciplinary review","year":"2011","journal-title":"MIS Quarterly"},{"issue":"2","key":"key2021111012415338300_ref051","doi-asserted-by":"publisher","first-page":"167","DOI":"10.2307\/249477","article-title":"Information privacy: measuring individuals\u2019 concerns about organizational practices","volume":"20","year":"1996","journal-title":"Mis Quarterly"},{"key":"key2021111012415338300_ref052","unstructured":"Sophos (2019), \u201cOnly 34% of South African organisations ready to comply with POPI act\u201d, available at: www.itweb.co.za\/content\/nWJadvb8z3bMbjO1 (accessed 15 July 2020)."},{"key":"key2021111012415338300_ref053","doi-asserted-by":"publisher","volume-title":"Business Research Methods: An Applied Orientation","year":"2014","DOI":"10.1007\/978-3-319-00539-3"},{"key":"key2021111012415338300_ref054","volume-title":"Quantitative Methods for the Social Sciences: A Practical Introduction with Examples in SPSS and Stata","year":"2019"},{"issue":"1","key":"key2021111012415338300_ref055","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1108\/IJLMA-04-2014-0034","article-title":"Corporate governance and social responsibility","volume":"57","year":"2015","journal-title":"International Journal of Law and Management"},{"key":"key2021111012415338300_ref056","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ICTAS.2019.8703636","article-title":"A conceptual privacy governance framework","volume-title":"2019 Conference on Information Communications Technology and Society (ICTAS)","year":"2019"},{"key":"key2021111012415338300_ref057","first-page":"1","article-title":"Privacy governance online: privacy policy on New Zealand websites","volume-title":"Pacific Asia Conference on Information Systems (PACIS). Association For Information System","year":"2016"},{"issue":"4","key":"key2021111012415338300_ref058","doi-asserted-by":"crossref","first-page":"197","DOI":"10.1016\/j.im.2010.02.002","article-title":"Exploratory factor analysis revisited: how robust methods support the detection of hidden multivariate data structures in is research","volume":"47","year":"2010","journal-title":"Information and Management"},{"key":"key2021111012415338300_ref059","unstructured":"Vael, M, CSO Online (2017), \u201cPrivacy compliance laws: why the European commission has finally got it right\u201d, available at: www.csoonline.com\/article\/2132708\/privacy\/privacy-compliance-laws\u2013why-the-european-commission-has-finally-got-it-right.html (accessed 29 January 2019)."},{"issue":"3","key":"key2021111012415338300_ref060","doi-asserted-by":"crossref","first-page":"539","DOI":"10.1111\/j.1467-6486.2005.00508.x","article-title":"Temporary liaisons: the commitment of \u2018temps\u2019 towards their agencies","volume":"42","year":"2005","journal-title":"Journal of Management Studies"},{"issue":"3","key":"key2021111012415338300_ref061","doi-asserted-by":"crossref","first-page":"647","DOI":"10.2307\/256087","article-title":"A survey of employee perceptions of information privacy in organizations","volume":"25","year":"1982","journal-title":"Academy of Management Journal"},{"issue":"3","key":"key2021111012415338300_ref062","doi-asserted-by":"crossref","first-page":"889","DOI":"10.1016\/j.chb.2011.12.008","article-title":"The effect of online privacy policy on consumer privacy concern and trust","volume":"28","year":"2012","journal-title":"Computers in Human Behavior"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-08-2020-0135\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-08-2020-0135\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:09Z","timestamp":1753406589000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/29\/5\/761-786\/105823"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,5,18]]},"references-count":62,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2021,5,18]]},"published-print":{"date-parts":[[2021,11,12]]}},"alternative-id":["10.1108\/ICS-08-2020-0135"],"URL":"https:\/\/doi.org\/10.1108\/ics-08-2020-0135","relation":{},"ISSN":["2056-4961","2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"},{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2021,5,18]]}}}