Data Privacy — What Does The Evidence Actually Say?

Carnegie UK
4 min readAug 30, 2018


by Anna Grant, Senior Policy and Development Officer, Carnegie UK Trust

In May 2017, the Carnegie UK Trust convened an international study trip to New York to learn from organisations, particularly from within the public library sector, about how they support citizens to understand about their data privacy and negotiate their own institutional data challenges. Similarly to the UK, the right to privacy is often seen as a cornerstone of American identity, fundamental to democracy, society and individual wellbeing.

Whilst the study trip provided numerous useful insights, highlighted in our blog series, it also raised significant questions.

Emotive terms such as ‘creepy’ were voiced numerous occasions to describe initiatives or practice which may impinge on personal privacy, while moral reasoning or instinctive personal responsive were often referenced as justifications for action, or a lack of it. While such value-based positions are, of course, perfectly legitimate it was striking that quantifiable data or evidence was rarely used to back up arguments — in contrast to the nature of policy debate on many other issues of public concern. Privacy is of course a highly personal and complex issue. But this led us to question — what does the evidence actually say? What do we, as the UK public, actually think about our data privacy? How many of us take proactive steps to protect our data online? And how much of our data are we willing to sacrifice? A range of research studies have explored people’s attitudes and behaviours towards data privacy in different scenarios and today we have published ‘ Online Data Privacy from Attitudes to Action ‘ a comprehensive evidence review undertaken for the Trust by by Ipsos MORI Scotland, to investigate these questions.

We wanted to know how much evidence was available that specifically pertained to the UK public, did all the research say the same thing, or are there areas in which studies disagree on their conclusions giving us no clear answers about public attitudes and behaviours on data privacy?

What does the research say?

Overall the review found a number of areas of consistency across the evidence base, but also significant questions that remain inconclusive and even notable contradictions across different evidence sources. 13 key messages were pulled from the data including:

  • Privacy Paradox: A clear message is that there is still a significant gap between the concern that the UK public have about data privacy; the high level of self-reported confidence personal ability to protect privacy; and the level of actual action taken by individuals.
  • Data Trade-Offs: The public report continually making trade-offs with regards to their data privacy online. However, these trade-offs are not purely constrained to gaining access to ‘free’ products or services, but also for ‘public good’ such as contributing to medical advancements.
  • Age: Age is often seen as a key indicator of data privacy behaviour, with older generations perceived as being far more privacy conscious than the ‘laissez-faire’ younger generations. But the available evidence is not as clear cut. Whilst the data suggests there is a tendency for older participants to be more concerned and at least say that they act more securely, there are also contexts where young people tend to behave more securely, such as the use of PINs and passcodes.
  • International Comparison: And on the question of national positioning — the data suggests the UK is more closely aligned in terms of our attitudes towards privacy with the US than our European counterparts.

Challenges with researching data privacy

In undertaking the evidence review process, which encompassed both recent quantitative and qualitative research from public, private and academic institutions including Ofcom, doteveryone and the European commission, a number of challenges were highlighted in terms of both the scope and methods used to research data privacy.

The available literature already suggests that different groups demonstrate different responses in terms of both their attitudes and actions, this means there is unlikely to be a ‘one size fits all solution’ and that targeted solutions are likely to be required. However, the research often lacks a depth of exploration into the differences by different demographic groups or what the implications of these different responses are. Added to this, minimal trend data and a reliance on self-report data for large scale methods contribute to a lack of nuance in the conclusions that can be drawn.

What next?

Since the initial study visit there has been a significant rise in public — and political — interest and concern in the privacy of our data online. From relatively small scale public outcry when organisations utilised personal usage data to create social media content, to arguably both the biggest data privacy scandal to date in the actions of Cambridge Analytica and the most significant data privacy legislation in the form of the General Data Protection Regulation (GDPR). But what impact will these incidents have on changing our attitudes or actions towards data privacy? It is too early to say conclusively yet, but we will need further research to ensure clearer, but also more nuanced public narrative on the issue of data privacy and for the impact and implications for different members of the public.

‘Online Data Privacy from Attitudes to Action: An Evidence Review’ is intended to provide a robust, timely and neutral evidence base from which to draw informed opinions with regards to UK data privacy attitudes and actions. We have also produced a short animation to accompany the report. We encourage you to get in touch if you are undertaking work in this field or if you would like to find out more about the project.

Originally published at on August 30, 2018.



Carnegie UK