Just because you can do something doesn’t mean you should do it. Like any other profession, information technology benefits from a standard, accepted code of ethics that helps guide behavior in sometimes confusing contexts.
Is it okay to read campus users’ email?
What if you believe that university policies are being violated?
Would you tell the users that their email is being read?
Is it okay to look through files on a user's laptop when you're troubleshooting a problem?
What if the user is someone you think might be storing illegal content on the laptop?
If any of these questions caused you to stop and think about what you would do, you’re not alone. Ethical choices often seem murky. We live in a human society, subject to less-than-complete information, societal pressures, and multiple interpretations of facts. More often than not, we need to apply professional judgment, which is guided by our own experiences as well as reliance on laws, policies, and culture.
Let’s consider somewhat more complex situations:
You’re a system administrator with broad access to enterprise systems. Your supervisor has asked you to begin archiving all of the emails and web activity logs of one of your coworkers. Typically requests of this nature are initiated through a formal communication from your campus’s legal office. You feel that this request is inappropriate and possibly at odds with standard campus procedure and processes.
You raise your concerns with your supervisor, but are told that this is a sensitive matter, and details cannot be shared with you. After thinking more about the conversation you had with your supervisor, you are under the impression that you might lose your job if you persist in discussing the matter further or if you refuse to carry out the task.
What would you do?
Allegations are being made against an individual on campus. You believe the allegations could be disproved through an analysis of data to which you have access, but you would have to explore the data to prove it. You don’t believe that this information would otherwise be discovered or disclosed.
What would you do?
As IT professionals, what should we do when we encounter potentially murky situations like the ones described? Sometimes existing laws or institutional policy will guide ethical behavior; sometimes they won't. What many people often do not understand is that what is legal is not always ethical.
I believe it is our responsibility as IT professionals to act in an ethical manner in the performance of our work duties. To inadvertently do otherwise risks losing the trust of our students, faculty, staff, communities, and the general public. Without such trust I have difficulty imagining how IT professionals can continue to perform their duties effectively.
Sources of Ethical Guidance for IT Professionals
A number of resources help IT professionals searching for ethical guidance within the scope of their job duties. For example, IEEE has a code of ethics for its members; the Association of Information Technology Professionals (AITP) has a code of ethics and standards of conduct; and SANS has published an IT code of ethics. There are other examples beyond these three, and many elements in these codes could be useful to higher education IT professionals. For example, among other elements that describe ethical behavior in the profession, in general these codes assert that IT professionals need to commit to:
- Integrity
- Competence
- Professional responsibilities
- Work responsibilities
- Societal responsibilities
Specific guidance stems from these general principles. Some common commitments between the three codes are to:
- Maintain technical competence
- Avoid injury to others, their property, reputation, or employment
- Reject bribes, kickbacks, etc.
There are interesting, though subtle, differences between the documents that may be related to the specific character and mission of the organizations that developed the different codes. For example, both SANS and IEEE include a commitment to honesty about the limits of one’s capabilities, as well as a commitment to nondiscrimination. On the other hand, both AITP and IEEE state specific commitments to acknowledging a professional’s responsibility to society. Given IEEE’s stated mission to “foster technological innovation and excellence for the benefit to humanity,” it’s not surprising that its code specifically calls out a commitment to understanding the potential consequences of the application of technology.
With regard to the questions initially asked in this article, both the SANS IT code of ethics and AITP’s Standards of Conduct would seem to cover the situations involving email and a user’s laptop. Guidance from SANS indicates that an IT professional “... will not peruse or examine [a coworker’s] information… except as defined by the appointed roles.”
Setting Your Own Professional Ethics
Responding ethically in the two scenarios in which one’s livelihood or someone’s innocence are involved isn’t so straightforward. Familiarity with standards of ethics for the profession can help provide guidance on ethical behavior in complex and confusing contexts such as these. Proactively establishing a set of professional ethics can help you navigate the complex interactions and relationships encountered in the workplace. After all, at work you have relationships with co-workers, employers, customers, clients, users, and the community. In order to navigate this complexity, all of us need to understand the ethics for each of these relationships. In a broader sense, we need professional ethics because of the impact that our actions have on society as a whole.
If you’re an IT professional and not familiar with one of the codes of ethics or standards of conduct for the profession, consider taking the time to read one or more of them. If it’s been some time since you’ve reviewed one, now might be a good time to refresh your knowledge. Given the impact that IT professionals can have in the workplace and society in general, reflecting on the ethics of how we behave as we carry out our duties should be one of our professional obligations.
In the end, making these decisions might come down to using your professional judgment. Maybe, just maybe, it comes down to understanding that just because you can do something, it is imperative to stop and think about whether you should do it. That’s where professional ethics will serve you well.
Melissa Woo is vice president of IT and CIO at Stony Brook University.
© 2017 Melissa Woo. The text of this article is licensed under Creative Commons BY 4.0.