Ethics in IT

The Australian Council of Professions defines a profession as a disciplined group adhering to ethical standards, possessing special knowledge in a widely recognised body of learning derived from research, education and training at a high level, and prepared to apply that knowledge in the interest of others. A code of ethics inherently governs each profession and is enforced by the profession itself.

5 essential elements of a profession:

• Specialised knowledge not available to the general public, derived from formal education
• Ethical standards enforced by the profession, not just by law
• Service orientation toward others rather than solely self-interest
• Public trust — society accepts the practitioner as an expert
• A code of ethics that governs conduct beyond personal moral obligations

Does IT meet these criteria?

• Specialised knowledge: IT practitioners develop expertise through university programmes, professional certifications, and ongoing research that the general public cannot replicate. The knowledge base (programming, systems design, security, networking) is formally recognised across industry, government, and academia.
• Ethical codes enforced by the profession: The ACS, ACM, and IEEE each maintain and actively enforce codes of ethics. ACS accreditation is conditional on appropriate qualifications, relevant experience, continuing education, and a written commitment to the ACS Code of Ethics.
• Service orientation: Healthcare systems, banking infrastructure, government services, transport, and communications all depend on IT expertise. IT professionals serve not just their immediate clients but society at large through the systems they build.
• Public trust: Society accepts IT professionals as possessing expertise beyond the reach of lay persons and relies on them to make decisions about system safety, privacy, and reliability.
• Heightened ethical responsibility: The pervasive and powerful nature of ICT means a single IT professional can release 100,000 medical records, disable critical public infrastructure, or steal millions of financial credentials with one action. This asymmetry between ease of action and magnitude of consequence creates ethical obligations that exceed most other professions.

IT therefore satisfies all five criteria and is unambiguously a profession. IT practitioners bear obligations not only to their immediate employers and clients but to society as a whole.

Four philosophical frameworks guide ethical decision-making in IT. No single theory applies to every situation; the modern professional approach combines elements of all four.

The scenario: 11 people in a lifeboat built for 10, sinking, water is freezing, no rescue possible.

1. Utilitarianism

• Basis: consequence-based — an action is ethical if it produces the greatest good for the greatest number
• Key phrase: "the greatest good for the greatest number"
• Pros: popular, practical, easily understood, provides a concrete basis for decisions
• Cons: can justify harming a minority; difficult to predict outcomes; "best" outcome is subjective
• Lifeboat: remove 1 person to save 10 — this produces the maximum net outcome (10 lives saved vs 0)
• IT example: collecting aggregate user data without individual consent if the benefit to the majority outweighs the privacy cost to individuals

2. Deontology

• Basis: duty-based — from Greek "deon" (obligation). An action is ethical only if it passes the micro test (acceptable for one person) and the macro test (universally applicable to everyone)
• Key phrase: act only according to a rule you can universalise
• Pros: universal, fair, not based on pleasure or pain outcomes
• Cons: conflicting duties create unresolvable dilemmas; can be rigid
• Lifeboat: conduct a lottery giving each person an equal probability of removal — impartial, universal, no life is worth more than another (confirmed in ICT521 FAQ)
• IT example: refuse to disclose confidential client data even under pressure, because "do not betray confidences" must apply universally

3. Contract-based ethics

• Basis: rights, freedoms, and mutual social or legal agreements made for collective benefit
• Key phrase: "when in Rome, do as the Romans do"
• Pros: creates social cohesion, trust, and predictability; focuses on the common good
• Cons: minimalist (doing no harm is not doing good); cultural differences cause conflicts
• Lifeboat: follow whatever survival protocol was agreed before the crisis, or negotiate a new agreement among all passengers
• IT example: comply with privacy laws, employment contracts, and professional codes that represent collective agreements about acceptable behaviour

4. Character-based ethics (virtue ethics)

• Basis: developing internal moral character; good people naturally make good decisions
• Key phrase: "good people make good decisions"
• Pros: motivates aspiration to higher standards; holistic; emphasises good of others
• Cons: virtues can conflict (honesty vs kindness); no formal evaluation mechanism; varies between individuals
• Lifeboat: a person of exceptional virtue might voluntarily sacrifice themselves, removing the need to impose a choice on anyone else
• IT example: an IT professional who refuses to build a privacy-invasive system not because it is illegal, but because it conflicts with their internalised professional values

The modern professional approach:

• No single theory is universally superior — each must be judged against the specific situation
• Combine: caring nature (character) + consistency and universality (deontology) + consider consequences for all stakeholders (utilitarianism)
• Lifeboat combined approach: conduct a lottery (deontological impartiality) aimed at saving the maximum number of lives (utilitarian outcome), agreed transparently among all parties (contract-based)

Ethics is a professional obligation in all fields, but four characteristics of ICT make ethical behaviour uniquely consequential for IT practitioners.

• Speed and scale: A single keystroke can instantaneously release 100,000 medical records, steal 2 million financial credentials, or disable critical infrastructure. No comparable single action by a doctor or lawyer produces damage of equivalent scale so instantaneously. The asymmetry between ease of action and magnitude of harm is unique to IT.
• Pervasiveness: ICT underpins every sector of modern society — healthcare, banking, government, education, defence, and communications. When IT systems fail or are compromised, consequences cascade across all sectors simultaneously. An IT professional designing a hospital system or banking platform affects everyone who depends on those systems.
• Gatekeeping responsibility: IT professionals are gatekeepers of systems that users cannot independently evaluate for safety, security, or fairness. Users of a banking application cannot verify its security. This information asymmetry creates an obligation analogous to that of a doctor prescribing medication — the patient trusts the professional's judgment and cannot verify it independently.
• Power redistribution: IT changes the distribution of power in society in ways previous technologies did not. Streaming disrupted intellectual property rights. Surveillance technology challenges privacy. Algorithmic decision-making challenges fairness and accountability. IT professionals who build these systems are making policy-level decisions with societal consequences, whether or not they recognise that responsibility.

These four factors justify specific professional codes, continuing education requirements, and the expectation that IT practitioners apply ethical reasoning to every professional decision — not only when the law explicitly requires it.

The five-step ethical analysis framework provides a structured approach to any ethical situation in professional practice.

The five steps:

1. Identify and describe the facts
2. Define the conflict or dilemma and identify the values involved
3. Identify the stakeholders
4. Identify the options
5. Identify the consequences of each option

Applied to the data breach scenario:

• Step 1 — Facts: A data breach has occurred; an unknown number of customer records were accessed by unauthorised parties. The IT manager discovered the breach during routine monitoring. Senior management has instructed the manager to conceal it from customers and the OAIC to protect the company's reputation.
• Step 2 — Dilemma and values: Core conflict: the IT manager's professional obligation to protect the public interest vs their employment obligation to follow managerial instructions. Competing values: professional integrity, customer welfare, legal compliance, and organisational loyalty. The Privacy Act 1988 Notifiable Data Breaches scheme makes concealment not merely unethical but potentially illegal.
• Step 3 — Stakeholders:
  • Affected customers — need notification to protect themselves (change passwords, monitor accounts)
  • Company management and shareholders — interest in reputational and financial risk management
  • OAIC — statutory interest in being notified of eligible breaches
  • The IT manager personally — faces legal liability, ACS professional sanction, and reputational consequences
  • Society — interest in a functioning, trustworthy privacy protection regime
• Step 4 — Options:
  • Option A: comply with management and conceal the breach
  • Option B: escalate internally to legal counsel or compliance team, advocate for disclosure
  • Option C: if internal escalation fails, report to the OAIC as required by law
• Step 5 — Consequences:
  • Option A: short-term reputation protection; but much larger penalties if discovered ($420,000 per event under Privacy Act); ongoing harm to customers; personal legal and professional liability for the manager
  • Options B and C: fulfil professional and legal obligations; possible employment consequences for the manager, but professional duty to society supersedes the employer's instruction to conceal a notifiable breach

The correct course is to pursue Option B first and Option C if necessary. The ACS Code of Ethics requires prioritising the public interest over organisational interests, and an instruction to conceal a notifiable breach is itself unlawful.