Data Privacy in Software Practice: Brazilian Developers’ Perspectives

DOI:

https://doi.org/10.5753/jisa.2025.5302

Keywords:

Data Privacy, Software Development, Data Privacy Strategies, Organizational Factors, Awareness

Abstract

Data privacy is an essential principle of information security, aimed at protecting sensitive data from unauthorized access and information leaks. As software systems advance, the volume of personal information also grows exponentially. Therefore, incorporating privacy engineering practices during development is vital to ensure data integrity, confidentiality, and compliance with legal regulations, such as the General Data Protection Regulation (GDPR). However, there is a gap in understanding developers' awareness of data privacy, their perceptions of the implementation of privacy strategies, and the influence of organizational factors on this adoption. Thus, this paper aims to explore the level of awareness among Brazilian developers regarding data privacy and their perceptions of the implementation strategies adopted to ensure data privacy. Additionally, we seek to understand how organizational factors influence the adoption of data privacy practices. To this end, we surveyed 88 Brazilian developers with privacy-related work experience. We obtained 21 statements, grouped into three topics, to measure Brazilian developers' awareness of data privacy in software. Our statistical analysis reveals substantial gaps between groups, e.g., between developers with Direct vs. Indirect data privacy-related work experience. We also find that some data privacy strategies, e.g., Encryption, are both widely used and perceived as highly important, while others, such as Turning off data collection, show that ease of use does not necessarily lead to widespread adoption. Finally, we identified that the absence of dedicated privacy teams correlates with a lower perceived priority and less investment in tools, even in organizations that recognize the importance of privacy. Our findings offer insights into how Brazilian developers perceive and implement data privacy practices, emphasizing the critical role organizational culture plays in decision-making regarding privacy. We hope that our findings will contribute to improving privacy practices within the software development community, particularly in contexts similar to Brazil.



Published

2025-06-12

How to Cite

Matos, A., Patrício, M., Nicolau, M. I., Canedo, E. D., Pereira, J. A., & Uchôa, A. (2025). Data Privacy in Software Practice: Brazilian Developers’ Perspectives. Journal of Internet Services and Applications, 16(1), 299–319. https://doi.org/10.5753/jisa.2025.5302

Section

Research article