The current epidemic of corporate scandal and wrongdoing has involved mostly senior executives and their cohorts, as well auditors and investment bankers. There has been a lot of unarguably criminal behavior. When bad things that seem happen to be in a gray area of the law, we hear about ethics. “Maybe it wasn’t against the law, but it was unethical.”
All of the hue and cry caused me to wonder where IT fits into this picture, if anywhere. I am happy to say that so far I have seen no mention of IT in the press in connection with this wave of corporate corruption. However, for the future, it is worth asking: Is there something special about IT that creates special ethical problems for the IT professional?
There are, it seems to me, three broad areas of concern, beyond actions that are clearly illegal.
- IT professionals are the designers and the custodians of the information systems that run the enterprise.
- IT professionals are the custodians of the information that these systems generate as well as the data that surrounds the systems. (Auditors and controllers might think that this is a usurpation of one of their roles, but clearly, IT has a big part to play here.)
- IT professionals have obligations as professionals, obligations that that they share with members of other professions.
Information systems have a lot of influence over the business processes that run the company. Theory says that IT designs systems that do what the users specify. The dirty little secret is that no matter how carefully and how well the users do their part in system design, there remains a myriad of details that the designers and programmers implement without user input as they go about their business.
Ethical issues for the designer/analyst abound.
- How far should the IT people go in imposing their ideas about how to conduct business processes when they design a new system?
- What should the designer/analyst do if the user does not properly specify parts of the system that do not directly affect the user’s own operation? This happens most often because of misguided efforts to save money and decrease implementation time. Things like security, audit trails and disaster recovery are also often neglected or ignored.
- In selecting the technology platform for a new system, does the analyst strike a reasonable balance among the needs of the user, the overall needs of the enterprise, and his personal preference to use a new and exciting technology?
The custodian of data and information faces a different set of problems.
- Personal privacy is at the forefront of our consciousness at the moment. How should the database manager respond if she is asked to deliver personal data about customers to an outside company? To a corporate affiliate? To a law enforcement officer?
- Personal privacy is an issue within a company as well. The supervisor of HR systems has access to a lot of information about employees, including in many instances health information. What should be disclosed? What should be held back? What should not be collected at all?
- Information about new systems is often exchanged by IT professionals from different organizations in order to keep up to date. When may this be done?
IT professionals, because they are professionals, have ethical obligations similar to those of other professionals: physicians, lawyers, accountants. These include, among others,
- The obligation to be competent at their professional tasks, and not to claim expertise that they do not have.
- The obligation not to use their status as professionals to deceive or bully others into doing things against their interests.
- The obligation not to use their status as professionals as a cloak for other agendas.
Ironically, the professional obligation group (the last set listed above) are the most straightforward (although not necessarily the easiest.) Professional societies take these responsibilities seriously and offer extensive standards and guidelines.
The data custodians must be guided by policies set by senior management and enforced rigorously. The stakes are too high these days to be cavalier about enforcing privacy policies. There are, of course, many technical tools and techniques to guard the privacy of data, but in the end human beings decide what should be shared and what should not.
The ethical requirements on the analysts and designers of information systems are harder to define and enforce. They always in the mode of balancing competing interests: getting the current job done as quickly and inexpensively as possible versus making sure that the current work fits into the future plans of the enterprise; serving the interests of the immediate user versus not degrading service to the user of another system; balancing the capabilities of new technology with the lower costs and higher reliability of older technology.
Each of these choices has both technical and business dimensions. The project management system and the operations manuals must assure that all of these tradeoffs are considered by both business staff and technical staff, and require all decisions to be in the long term interests of the company.
Those are the problems. What are the solutions? Philosophers and theologians have been trying to answer this question for millennia, with only modest success. So what can you do? The best overall guidelines I can think of come from the theologians of 2000 years ago. Jesus said, “Do others as you would have them do unto you.” Hillel (a rabbi who was roughly Jesus’ contemporary) phrased it slightly differently: “Do not do unto others that which you would find hateful if done to you.” These sound pretty good to me.