Legal, Social, ethical and Professional Issues in Systems Development – Part 1
Aims
To have a better understanding of:
the social, ethical (and to some extent legal)
associated professional responsibilities
legislation
What are the social, ethical (and legal) issues associated with Systems Development?
Privacy, security, quality of working life/job design, accessibility, ownership (IPR) and so on…
To understand these issues we need to be aware of relevant legislation and ethics, as well as concepts of professional responsibility and accountability
Privacy
One definition of privacy: the right of an individual or organisation to be left alone and to be secure in their personal papers
Data protection legislation seeks to protect the individual’s right to privacy
Data Protection Act
Some definitions of terms:
Data: details recorded in a form which can be processed automatically
Personal data: data relating to a living individual who can be identified from the data
Data subject: an individual who is the subject of personal data
Data controller: a person (or body corporate) who holds data
Hellenic Data Protection Authority
http://www.dpa.gr/portal/page?_pageid=33,43560&_dad=portal&_schema=PORTAL
The protection of personal data and privacy of individuals constitutes a fundamental human right. Data protection law grants the data subjects, i.e. individuals, certain rights and imposes certain responsibilities on data controllers, i.e. anyone who keeps personal data in a file and processes it.
Data Protection Act
Key questions on data protection:
How to respond to a subject access request?
How to notify and maintain register entry?
Can we send personal data overseas?
What security measures should be taken to protect personal data held?
What should we do if personal data is lost?
What is an audit and how can we request one?
More details can be found on this website: http://www.ico.gov.uk/for_organisations/data_protection.aspx
Personal information online: code of practice
http://www.dpa.gr/pls/portal/docs/PAGE/APDPX/ENGLISH_INDEX/LEGAL%20FRAMEWORK/LAW%203471-2006-EN.PDF
The code covers activities such as:
collecting a person’s details through an online application form;
using cookies or IP addresses to target content at a particular individual;
using personal data to market goods or to deliver public services; and
using cloud computing facilities to process personal data.
What is Information Security?
Some definitions:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
The field of endeavour concerned with the protection of the confidentiality, integrity and availability of information
Purpose:
To ensure business continuity and minimise business damage by preventing and reducing the impact of security incidents
To protect an organisation from unacceptable harm caused by the compromise of the confidentiality, integrity or availability of information
(Wilson, 2003)
Properties of information:
Confidentiality: Protecting sensitive information from unauthorised disclosure (e.g. details about a new product)
Integrity: Safeguarding the accuracy and completeness of information and computer software (e.g. key financial information)
Availability: Ensuring information and vital services are available to users when required (e.g. production line data)
(Wilson, 2003)
What security measures should be taken to protect personal data?
For computer security:
Firewall, virus checking, anti-spyware
Operating system upgrade
Latest patches or security updates download
Limit staff access to the information they need to do their job and do not allow staff to share passwords
Encrypt any personal information held electronically if it could cause damage or distress if it is lost or stolen
Securely remove personal information (by using technology or destroying the hard disk) from old computers before disposal
Ethics
Principles of right and wrong that can be used to guide the behaviour of free moral agents who make choices
Ethics and the law
Law is only that part of ethics which society feels so strongly about that it is willing to support it with physical force (law enforcement agencies)
May be many practices which are within the law and yet considered unethical by some … or outside the law and considered ethical by some….
Consider defective software….
10 Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Computer Misuse Act 1990
http://www.legislation.gov.uk/ukpga/190/18/contents
Computer misuse offences:
Unauthorised access to computer material.
Unauthorised access with intent to commit or facilitate commission of further offences.
Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.
Codes of conduct (guide professions)
Sit somewhere between the law and ethics
Are a set of rules which a group of like minded people may formalise to provide them with guidance in conducting their affairs
Usually ‘best practice’ in the conduct of that profession - ‘enforceable’ part of profession’s ethics
Examples in field of computing are the BCS (British Computer Society) and ACM (American Association of Computing Machinery) codes of professional conduct with which members must comply
Professional accountability
BCS code of conduct, clause 17 reads:
“You shall accept professional responsibility for your work and for the work of colleagues who are defined in a given context as working under your supervision.”
Accountability and Liability
Important to establish lines of responsibility but separate ‘accountability’ and ‘liability to compensate’?
“An individual programmer or software designer may be responsible for a harm, but liability [may] more properly lie[s] with the employer, since it retains responsibility/ownership for the work of its employees” (Davison, 2000, p.17)
The self-employed developer has both accountability and liability
Case Study
Suppose that you are the manager of a computer services department in a UK college that is responsible for management information services. How would you ensure that the college complied with the UK Data Protection Act 1998?
Case Study
There must be mechanisms to ensure that both students and staff are aware of the provisions of the Act so far as it affects them.
The university should be registered as a data user under the Act and the registration should be up to date.
Appropriate organisational and technical mechanisms should be in place within the university in order to provide an adequate level of security for personal data held.
Requests to view personal data held by the university by data subjects should be dealt with within an appropriate time scale, and any codes used in the data should be translated into plain English.
Legal, Social, ethical and Professional Issues in Systems Development – Part 2
Ownership and Intellectual Property Rights
“Intellectual Property Rights (IPR) concern the protection of all products created or designed by the human intellect – books, songs, poems, trademarks, blueprints … and software” (Davison, 2000, p.9)
Software developers concerned about protecting their intellectual investment (fair reward)
Legislation includes UK Copyright, Designs & Patents Act, 1988 (more on this later)
Consumer responsibilities and rights
“To protect [developers] right to the fruit of their endeavours, they claim that consumers have a duty both to pay the price [of product] and to respect the intellectual property contained within the product – by not stealing it. ….
…consumers may claim that they have the right to….expect that the product will be free of defects (bugs)”
(Davison, 2000, p.12)
Ethical issues: software ownership & sale
Kling, 1996, p.5:
“To what extent are software vendors obligated to accurately advertise their software capabilities and system requirements?
To what extent should software vendors be obligated to refund purchased software that a customer has found will not work as advertised on her computer systems” (Kling, 1996, p.5)
For example:
Landmark case of St Albans City & District Council v. ICL (1995)
For the first time there is firm indication that software is goods, hence:
must be ‘fit for purpose’ under Sale of Goods Act, 1979
Supply of Goods and Services Act, 1982 also applies
Case of St Albans City & District Council v. ICL (1995) also illustrates:
Difficulty that software company may have in satisfying ‘reasonableness test’ in relation to contractual terms excluding or restricting liability (for defective software). Unfair Contract Terms Act 1977
(Bainbridge, 2000)
In any case were ICL developers behaving in a ‘professional’ manner?
So…
There are rights and responsibilities of ownership
This implies professional responsibility and accountability
Codes of conduct (BCS)
Competence and responsibility
‘Intelligent’ information systems: deliberately attempt to emulate some aspect of human performance
Current problems:
Information systems have extended from clerical and manual areas into those of professionals
increased demand means that automated support may have to take over some of the human professional’s functions
lack of experience in managing intelligent systems that deal in information/knowledge, rather than just data
Assigning responsibility
Future intelligent systems may assume task of issuing instructions to pilots on how to avoid a collision.
Problems:
who is responsible?
current policies and procedures are built to support and monitor human capabilities
Illustrates difficulties in assigning responsibility but Davison argues those concerned with developing systems shouldn’t avoid sorting this out (Davison, 2000)
Responsibility
Responsibility - however many layers of automation, must still be ultimate human responsibility
System specification - Originating agency?
Creation of software (writing and testing) - Organisation contracted to supply software?
System in use - Users, if system pushed beyond agreed level of competence?
Professional Accountability
“In general accountability lies at the root of vendor-client relationships, and is therefore relevant to our professional behaviour in consulting or professional work…” (Davison, 2000, p.12-13)
“Accountability is important because it shows that high-quality work is valued, encourages professionals to be diligent and responsible in their practice….[and] because computer software is used throughout our society, and is an essential component of many life-critical systems..” (Davison, 2000, p.13)
Professional accountability
“Through encouraging a strong sense of professional accountability, we can attempt to ensure that those who are responsible for the safe functioning of these systems will do their utmost to ensure that systems are safe, and will minimise risks. Accountability runs a considerable risk of being eroded, however, when computers are made scapegoats for human failings or when developers of computer software deny any responsibility for the consequences of use of the software, even when this use is in accordance with the purpose for which the software was designed” (Davison, 2000, p.13)
Legal Issues
Legislation
What are major ethical issues in Computing?
Privacy, ownership, accessibility, surveillance, computer crime, reliability etc
Professional practitioner needs to be aware of relevant legislation (laws) in relation to these issues
Legal issues are important to:
Client or sponsor of an IT project
IT project managers
Anyone who produces assets (code etc.)
Anyone who contributes to an IT project
Anyone who uses software/hardware/computing technology whether for a project or not!
Legal Issues
Areas:
Intellectual Property Rights
Contracts
Licences (one way to protect IPR)
Jurisdiction
Patents/Trade Marks (one way to protect IPR)
Data Protection legislation (recap)
Employment legislation
Anti-discrimination legislation
Intellectual Property Rights (IPR)
These consist of a number of rights which give protection under the law to creators, performers and inventors
such as...
copyright
performance rights
moral rights
patents
design rights
trademarks
IPR - Copyright
The Copyright Designs and Patents Act 1988 gives the copyright owner the following rights:
the right not to have copies issued to the public
the right not to have the work performed, played or shown in public
the right not to have the work broadcast or included in a cable programme
the right not to have the work adapted
Unless you are the originator or owner of the copyright in a piece of work you may not do any of these things without the permission of the copyright owner (in most cases the originator).
Contracts
A contract consists of the offer, consideration, and acceptance. These are legal terms to explain the essential parts of a contract.
A contract is a legally binding agreement between two or more parties which begins with an offer from one party but needs
a sign from the other party to show their willingness to accept the terms of that offer (acceptance), and
consideration which is normally in the form of payment
Important contracts which may affect IT projects are:
Project contract which is often formed from the original project proposal
Employment contracts
Contracts for third parties (such as suppliers)
Licences (one way to protect IPR)
A licence is a special permission to do something on or with someone else’s property which could be legally prevented if you did not have the licence
If you are involved in an IT project you will come across various licences on a daily basis
The software, tools, libraries, operating system and some hardware that you use to create your project will probably be governed by licence agreements
The work the project team creates may have to be protected through the use of a licence (in the project contract) and the product which the project creates such as a web site, a DVD, or an IT system may contain a licence about its usage by the end-user
So you will have to abide by licences created by other people and you will also have to consider creating licences to protect the work of your project team and your client’s business
Jurisdiction
Every country has laws which govern that country, and when you are in a country you should abide by those laws in business and in your personal life
Jurisdiction is about which laws prevail - which law applies to you?
This is not a problem with contracts where the buyer and seller are both in the UK
If a project involves the Internet or requires worldwide publication or distribution, jurisdiction is very important
Some countries and US states will apply their jurisdiction to an on-line sale even if neither the buyer, seller or user is resident in that country
Once you publish through the Internet you are open to legal action from any country
Most of these actions concern consumer protection legislation, but certainly libel and defamation actions are becoming more common
Another issue is taxation
You need to know which jurisdiction applies and which set of taxes you have to pay
Patents/Trade Marks (one way to protect IPR)
A patent is a legal protection which is given to the inventor of a product or process for a limited time
Once patented, another person cannot use or sell the invention without permission or licence from the inventor
The patent only relates to the UK, and lasts for up to 20 years
You may need to protect your invention using the Patent law of many different countries
The Patent Office is the UK body responsible for Copyright, Designs, Patents and Trade Marks. For more information on these topics, view the web site of the Patent Office:
http://www.ipo.gov.uk//
Data Protection legislation
Data protection is another issue which is important to an IT project manager, and others involved in the project
Under English law, anyone who controls data (information) about a person who is still living, may have to register under the Data Protection legislation as a data controller
The legislation is there to protect an individual’s privacy
Information held about a person must be:
fairly and lawfully processed
processed for limited purposes
adequate, relevant and not excessive
accurate
not kept longer than necessary
processed in accordance with subject's rights
secure
not transferred to countries without adequate protection
The Information Commissioner enforces and oversees the Data Protection legislation (Data Protection Acts)
more details can be found on the following web site: http://www.ico.gov.uk/
Employment legislation
As an IT manager it is necessary to know the employment rights and duties as they apply to you and your workers
In a middle-sized to large company there will normally be a Human Resources (Personnel) department and Finance/Payroll to assist with this
This may not always be the case in a small company
Responsibility and competence
Responsibility: the idea that individuals, organisations, and societies are free moral agents who act wilfully with intentions, goals, and ideas; consequently they can be held accountable for their actions…
Competence: Sufficiency of qualification, adequacy
Employment legislation
Other rights are also protected such as the right to belong to a Trade Union, minimum wage, and the right to maternity and paternity leave and pay
Know your own employment contract - Who owns the copyright of the code you produce?
Department of Trade and Industry’s website has a guide to Teleworking, and further information on employment and business issues: www.dti.gov.uk
Anti-discrimination legislation
Anti-discrimination legislation is there to protect each person’s rights not to be discriminated against on the grounds of Race, Sex and Disability.
The UK has also recently passed legislation concerning sexuality, and religion
and there is the possibility of gene discrimination in the future…
Service providers have to take reasonable steps to make their services (including public web sites) accessible to all. Check out the UK Government’s guide to Disability: http://www.disability.gov.uk/
Web Accessibility
People with various disabilities can use the Web.
They can perceive, understand, navigate, and interact with the Web and contribute to the Web.
Essential components:
content - the information in a Web page or Web application, including: text, images, and sounds; code or markup language that defines structure, presentation, etc.
Web browsers, media players, and other "user agents"
assistive technology such as screen readers and alternative keyboards.
Web Content Accessibility Guidelines: http://www.w3.org/WAI/intro/wcag.php
Greek report on Disability Discrimination Law in the Field of Employment.
http://www.pedz.uni-mannheim.de/daten/edzath/gdem/04/disabfull_el.pdf
Useful websites
BCS website: http://www.bcs.org/
and in particular BCS code of conduct: http://www.bcs.org/server.php?show=nav.10967
ACM website: http://www.acm.org/
ACM code of ethics: http://www.acm.org/constitution/code.html
References and further reading
Davison, R.M., (2000), Professional Ethics in Information Systems: A Personal Perspective, Communications of the Association for Information Systems, Vol. 3, (8), April.
Johnson, D.G. (2009) Computer Ethics – 4th edition, Prentice Hall. (especially chapters 2 and 3)
Wilson, A., (2003), QB304 Information Security lecture, accessible LondonMet internal network
References and further reading
In addition to the websites mentioned above here are some other reference sources:
Bainbridge, D., (2000). Introduction to Computer Law. 4th Edition. Pearson Education Limited
Baase, S. A. (2000) Gift of Fire: Social, Legal and Ethical Issues in Computing. Prentice Hall
Johnson, D.G. (2001) Computer Ethics – third edition, Prentice Hall
Kling, R., (1996) Beyond Outlaws, Hackers and Pirates: Ethical Issues in the Work of Information and Computer Science Professionals. Computers and Society, Jun, pp. 5-15.