.
.
Ethics in IT

 
PUBLICATIONS
SEARCH
CONTACT
 
 

 

 

 
. .

Ethics in Information Technology Practice

By

Peter Tylee BA (Deakin), MS(Psych) PhD (California Coast), GradDipInfoTech(InfoSys)Distinction (Charles Sturt)

Dr Tylee is a qualified health care professional and information technology professional and has lectured in ethics, among other things, at Australian universities for over ten years.

     Ethics is a demanding and rigorous discipline which is all too often not well understood. Its principles are applied to a very wide range of professions and while they may each make their peculiar demands, the principles themselves are universal. This exploratory and analytical paper will provide both a critical discussion which identifies the major ethical issues in the information technology industry and an examination of a case study drawn from several published by Kallman and Grillo (1993). We shall begin with a brief scene setting introduction to ethics which addresses two key areas that often give rise to confusion. The first is the relationship between scientific or technological thinking and that of ethics. The second is the relationship between ethics and the law.

     Ethics is a branch of philosophy known as moral philosophy. It employs the rules and tests of logic and its language is primarily prescriptive, not descriptive such as one finds in science and technology. Science may describe the way a thing is whereas ethics prescribes the way it should be. Karhausen (1987) writes: "Psychology or sociology, being scientific disciplines, may describe or explain how individuals or groups of people do behave and what their beliefs are concerning their behaviour, while ethics says how they ought to behave". Modern logic supports this view with the claim that the two modes of expression are deductively independent, one being indicative, the other prescriptive. This is important to note from the outset of our discussion since it is imperative to avoid the naturalistic fallacy: we must not derive an ought from an is.

     The law, possibly because it does employ prescriptive language and certainly, no doubt, because its prescriptions do overlap with ethics, is often confused with ethics or considered to be more closely related to ethics than it actually is. Even Kallman and Grillo (1993) state:

The fact that law is grounded in ethical principles makes law a good starting point for ethical decision making. In other words, when we are confronted with an ethical decision, we should first look to see what the law says (emphasis mine). (p.8)

They go on to undermine this position with clear illustrations that acts may be legal but not ethical, such as using pirated software in a country with no copyright laws, and ethical but not legal, such as copying copyrighted software to use only as a backup even when the copyright agreement specifically prohibits this act. It seems they too are confused. Downie and Calman (1987) agree that ethics and the law hold concepts such as justice, rights, responsibility and many others in common but point out that the law and ethics are logically distinct. They state:

A law is legally binding if, and only if, it is recognised by the courts according to agreed legislative procedures of a given legal system. Legal justice, rights and responsibility are all equally definable according to the procedural rules of the legal system. The question of what, morally speaking, the law ought to be, of who ought to have legal rights and what their content ought to be, or of what the criterion for responsibility ought to be, are not answered by the law (emphasis in original). ... It is therefore possible to discover a lot about prevailing morality by analysing current laws, but law and morality remain distinct and independently definable. (p.41)

In accordance with this latter view, the Kallman and Grillo (1993) model will be modified for case analysis. The adopted approach, in this regard, will more closely reflect the Curtin and Flaherty (1982) model, outlined in Appendix 1, which acknowledges that legal requirements and social expectations are extrinsic to ethical analysis.

     It is regrettable to note the paucity of high calibre ethics discourse related to information technology. Perhaps this is because it is a relatively new discipline or perhaps because it has become too closely aligned with business, which has a rather poor history when it comes to considering ethics. It may be that the problem begins at an earlier stage. Forrester and Morrison (1990), after teaching computer ethics at Griffiths University, claim to have learned "...that computer science students cannot be assumed to possess a social conscience or indeed have much awareness of social trends and global issues". Unfortunately, their text too had little to offer: no theory or conceptual model, merely more dilemmas. This situation must be addressed if practitioners of information technology are to emerge as the true professionals at least some aim to become (Australian Computer Society, 1994). Regrettably, as Montgomery (no year cited) laments, many in the Australian computer industry have no such aspirations.

     Prefatory matters attended, we shall now consider the major ethical issues facing the information technology industry, or more correctly, facing information technology 'professionals'. The broad classification of issues adopted by Kallman and Grillo (1993) will suffice to lend structure to the discussion, however their category of 'computer crime' will not be addressed since, by definition, such matters relate to legal as opposed to ethical issues. Further, some issues will be reclassified and health and environment related issues will be added.

     Social and economic issues are significant and have received considerable media attention over the years. The much feared job displacement associated with computerisation of various industries has indeed become reality. There is little evidence to support the view that there is a mere shift in employment from non-computer to computer related. In any event, this would be of little comfort to those who are unsuited to such retraining or who do not wish to do so. Have some been coerced? What of their autonomy or right to self-determination? Have some been socioeconomically disadvantaged? Is it just to sacrifice these 'few' for the sake of society as a whole in some form of utilitarian rationalisation? These questions are more searching than they at first appear. Who is to answer them ... information technology professionals?

     We have also seen the exploitation of computing professionals. As computers have sped transaction and computational processing an insatiable demand for ever greater performance has been stimulated (witness, for example, the computer performance curve over the last decade). This has resulted in shortages of computing personnel and a tendency to place onerous demands on their work performance over long periods of time. Is this treatment of staff or consultants just? Can this be considered beneficient or non-maleficent? Surely managers of information technology must balance task and people needs like any other managers.

     Another have-have not dimension has been created in society. We have become aware of the existence of the information rich and the information poor. As this dichotomy worsens there is the risk that traditionally disadvantaged groups in society, such as the poor, will become doubly disadvantaged as they miss out on access to information and information technology. We have learned that the complex issues of social justice cannot be addressed overnight, but what is the responsible position to take for those who control these instruments?

     Recognition of the value of computing resources leads to a consideration of issues related to individual practice. These include responsible use of computing resources to avoid wastage and protection of access and data using appropriate security. Responsible practice also includes protecting rights to privacy by taking care when confidential or personal information will be displayed or printed.

     There are other issues related to the systems development process. Given the pressure to perform and to meet deadlines there can be a tendency to release software or any new system for use before adequate testing and debugging. This can result in damage to a client's business or even potentially worse consequences, such as the loss of important medical records. Indeed it takes little imagination to think of far more dire potential consequences as the use of information technology continues to expand. If done knowingly, this is clearly a breach of trust and the principle of beneficence, at the very least.

     Issues surrounding the manager-subordinate relationship have also been identified. A subordinate who has been disciplined poorly or passed over for promotion for example, might be tempted to abuse their power by causing harm to the employer by poor work performance or direct damage to the computer system, such as changing a sensitive software routine (a potentially illegal act). Abuse of power in the reverse direction could result in subordinate programmers being directed to change software in ways they believe is wrong (in the ethical rather than technical sense). Whilst these are not situations confined to information technology personnel, one must acknowledge that the consequences might very well be much more significant than in other occupational areas. Another issue relates to the surreptitious monitoring of computer users, especially on a network, but by no means exclusively so (Hot Chips, 1995). This invasion of privacy is sometimes justified on technical grounds but should also be addressed as an ethical concern.

     Issues that Kallman and Grillo (1993, 28) see as related to processing include problems of unreliability, untimely output and unintended data use. The first two are obviously closely related. As both hardware and software become more complex it could be argued that it is becoming more difficult to control and predict, yet these are clearly very important functions. Who is responsible then when major losses are experienced? The losses may be in the order of many millions of dollars for a multinational corporation with funds transfer system failure or many hundreds of lives for a busy airport with air traffic control system failure. The stakes are high indeed. Should information technology professionals insist on slower development and more thorough testing and expensive backup systems to help prevent such problems? Are they empowered to make such decisions? Should they be?

     The problem of unintended data use is one that can affect everyone. Selection of certain data from legitimately held files to make new files containing personal details of clients or customers for sale to third parties has certainly occurred. "For example, a bank should not, without the cardholders knowledge, use information about credit-card purchases to create a consumer profile for marketing purposes" (Kallman and Grillo, 1993, 28). This is certainly a breach of confidentiality and use of the data constitutes an invasion of privacy. This issue is related to questions of data collection, storage and access generally.

     What data should be collected and stored? It may be that people are being asked to provide much more data than is actually required and the mere possession of such stored data represents a potential threat to privacy. Can access to such data be adequately controlled? Can it be stored securely? Is the stored data accurate, current and relevant to a particular context for which it might be used? What rights to review the data do the people it describes possess? Many questions must be addressed in this very important area.

     Issues related to the quickly growing area of electronic mail also relate to privacy and honesty. Electronic mail, unless encrypted, may readily be intercepted and read by non-intended parties. Further, it is well documented that it is possible to easily falsify the originating address on electronic mail, making it possible for perpetrators to send mischievous messages as if they were coming from someone else (EduPage, 1995). There is also widespread use of employers' mail systems for sending personal mail, thereby consuming work resources for private purposes. Indeed, there is the whole issue of using any of one's employer's computing resources for private purposes, without approval. In some instances this may equate to stealing and be illegal, but even where it is allowed by an employer, it may not be entirely ethical.

     One final area to be addressed here is the important one of health and environmental issues. This includes exercising a duty of care for information technology employees by ensuring, for example, adequate rest breaks to avoid repetitive strain injuries for keyboard operators and low radiation monitors to avoid real or potential harm to those who work closely with cathode ray tube screens. Also important is the duty of care to all by preserving the environment. This involves actions as diverse as choosing low power consuming monitors (Acer, 1995) and other system components to reduce our consumption of non-renewable energy sources, through implementation of thoughtful upgrading policies to help reduce waste of resources (Kyocera, 1995), to responsible disposal of discarded materials to avoid further environmental damage caused by careless disposal of used computing equipment.

     A useful way to develop an understanding of ethics is to apply a disciplined analysis to a particular situation or case. Many tools exist to assist with such an undertaking. Cougar (1989) for example, points to existing codes of ethics of relevance to information technology professionals. Bologna (1991) has provided a useful framework for the ethical analysis of information technologies which is in many ways superior to that promoted by Kallman and Grillo (1993). Nevertheless, in keeping with the selection of a case published by the latter, it is their framework, adapted where necessary, that we shall apply to the selected case. In doing so however, it is important to remember that we are confined to a discussion of the norms of obligation of normative ethics (see Appendix 2). That is, we seek to answer the fundamental ethical question: what is the right thing to do?

     The selected case is "Code Blue" (Kallman and Grillo, 1993, 119-120). The relevant facts are as follow. The setting is the third floor west wing ward at the Metropolitan General Hospital (MGH). This is one of the busiest and most critical care wards in the hospital. The hospital is transitioning from a central to a distributed hospital information system and patient data can be downloaded to PCs in nurses' stations on each ward. These computers are set to require some keyboard input within 60 seconds, such as a tap on the space bar, to prevent the screen from blanking and the current software from closing. Nurse Betty Blodgett was reading the personal medical record of a patient named Nathaniel Barker and tapped the space bar when suddenly the cardiac arrest alarm sounded. Betty followed standard procedure in immediately leaving her station to assist with the emergency. Coincidently, Melody Burns, a volunteer candystriper, who heard the alarm and therefore was not surprised to find the nurses' station unattended, arrived and noticed Nathaniel's personal details on the still lighted screen. Melody read the screen as she recognised the name as a patient she had spent some time with and was shocked to discover Nathaniel's positive HIV status. On Betty's return she greeted Melody with news that Nathaniel was much better and wanted to see her. Noticing Melody's shocked look she enquired as to what was wrong. Melody blurted out that she could not see Nathaniel again and expressed fear of his HIV status. Betty was shocked with this revelation and sought clarification.

   The stakeholders in this situation include Betty, Melody, Nathaniel, MGH, all patients at MGH (real and potential, HIV related or not), the hospital ethics committee and the hospital information services department and its policy makers. All of these are or can be directly impacted upon. Extending this to the 'wider population' would be too vague and including candystriper coordinator or staff development personnel would require excessive assumptions.

     There are several ethical issues. At the outset one could ask whether Betty should have been reading Nathaniel's file, but we might assume that this was proper. As indeed was Betty's behaviour in leaving the screen immediately to respond to the emergency, given the security facility of automatic screen blanking. Certainly Melody should not have read the screen. This was a breach of confidentiality and or privacy (the former necessitates a personal relationship such as a nurse-patient relationship whereas the latter is more generic and can also apply to institutions) on Melody's part and in so far as the hospital did not provide an appropriate and adequate policy and mechanisms to prevent the act, also constitutes a breach of a duty of care. The other main issue relates to Melody's refusal to attend to Nathaniel after reading his HIV status. Since candystripers are not professionals there is some mitigation possible, however the refusal constitutes a breach of the duty to care (even though it may not be a formal breach of the principle of beneficence). But is Melody justified on the grounds of self-preservation (ethical egoism) to refuse to expose herself to the risk of contracting HIV? Does her apparent ignorance, and in so far as she is distressed, the harm she has suffered, indicate another breach by the MGH in the duty to care by not better informing Melody, either that she was at some risk or indeed that she was not?

     What guidelines can we consult? The hospital should have policies and guidelines that cover who may read which patients' details and why, under what circumstances candystripers may refuse to see a patient, and who is informed of patients' HIV status (perhaps role based after an assessment of risk presented by the patient, for example, open wounds or draining bodily fluids would constitute a greater risk, a venepuncturist would have a greater need to be informed than a candystriper, and so on). The other relevant policy of blanking a screen after 60 seconds with no keyboard input does exist but is clearly inadequate. Darr (1987) indicates that hospital administrators are no strangers to codes of ethics or policy development in their support.

     Various tests can be applied. The golden rule for instance might suggest that one would not want one's own privacy breached and one would not want to be avoided by carers if one was HIV positive. At the same time, one might want to know if one was being exposed to increased risks. Similarly, one might feel very happy to "tell mum" or the media that one had avoided HIV risk but may not be so comfortable to admit to having come by the information wrongly, through an invasion of privacy. Equally, a hospital may not be pleased by publicity which suggests an absence of policies on informing staff of patients' HIV status and inadequacies of procedures for protecting privacy on the hospital's information system.

     Clearly a number of harms have occurred. Nathaniel has been harmed by both an invasion of privacy and its consequences. The perpetrators are both Melody and the MGH. Melody has been harmed by the hospital in not adequately preparing her for working with patients who are HIV positive and by allowing a situation to occur whereby she could access confidential records. The hospital has been harmed in that its reputation has been exposed to damage (someone told of the situation in this case!) and it may be exposed to remedies at law. There is insufficient data to establish whether or not Betty has been harmed.

     What then are the main principles at issue here? Nathaniel certainly has a right to privacy of his personal details. The hospital has a right to Melody's duties to discharge its responsibilities of duty to care. Melody has a right to self-protection (according to ethical egoism) and it should be noted that it is not clear that this has been threatened. Utilitarianism's edict of achieving the greatest good for the greatest number and the principles of consistency and respect underpin the need for the hospital to develop and implement the policies and procedures noted above. Finally, Betty has professional obligations of non-maleficence (to cause no harm) and to respect confidentiality, both of which have been breached, albeit inadvertently.

     What should be done? The hospital should develop and implement appropriate policies to enable immediate screen blanking on one keypress to be actioned whenever security may be compromised, to determine when and which personnel are to be informed of a patient's HIV status, and to inform all staff of appropriate safety precautions to take with HIV patients relevant to their roles. Betty, and all nurses, should blank screens immediately on having to leave to attend an emergency. Melody should be offered counselling to assist in remedying the harm which has been done to her and education to enable her to work safely and confidently with HIV-positive patients. Ultimately, Nathaniel's rights to privacy and care must outweigh breaches justified by emergencies and claims to self-protection, given the nature of a hospital's duty to care for its patients.

     If some of the above can be attended in a timely manner, Melody may still be able to attend to Nathaniel, who need never know of the breaches. Otherwise Betty will have to make excuses to Nathaniel for Melody's absence. Whilst she should not lie, there is no good to be achieved and some harm to be avoided by not informing Nathaniel of the details of Melody's absence. The consequences of appropriate remedies will include preserving Melody as a staff member (and not jeopardising her ambition to one day become a nurse), avoiding similar wrongs to patients' privacy by the hospital, improved standards of work performance based on a practical system of HIV status notification, and the protection from legal remedies for breaches of confidentiality for both the hospital and its employees.

     Clearly, something as simple technically as providing immediate screen blanking and application closure in a context such as this one can have very significant implications when it comes to ethics. One hopes that information technology personnel will grow in sensitivity to the wider ethical implications of their work.

 

REFERENCES

Acer (1995) AcerView monitors advertisement. Windows Sources Australia, September: 65.

Australian Computer Society (1994) ACS 1994 Handbook. ACS, Sydney.

Bologna, J. (1991) A framework for the ethical analysis of information technologies. Computers and Security. 10(1991): 303-307.

Couger, J. (1989) Preparing IS students to deal with ethical issues. MIS Quarterly. 13(2) June: np.

Curtin, L., Flaherty, M. (1992) Nursing ethics Theories and pragmatics. Prentice Hall, Englewood Cliffs.

Darr, K. (1987) Ethics in health services management. Praeger, New York.

Downie, R., Calman, K. (1987) Healthy respect Ethics in health care. Faber and Faber, London.

EduPage (1995) listproc@educom.edu.

Forester, T., Morrison, P. (1990) Computer ethics Cautionary tales and ethical dilemmas in computing. Blackwell, Oxford.

Hot Chips (1995) Korean smart cards at work. ABC Television.

Kallman, E., Grillo, J. (1993) Ethical decision making and information technology An introduction with cases. McGraw-Hill, New York.

Karhausen, L. (1987) From ethics to medical ethics in Doxiadis, S. (ed) Ethical dilemmas in health promotion. John Wiley and Sons, London.

Kyocera (1995) EcoSys printers advertisement. Business Product Review. August, 9(56): 3.

Montgomery, A. (no year cited) Twenty deadly sins against professionalism and progress in Australian computing. Australian Computer Journal.

Tylee, P. (1989) Ethics, Lecture materials, La Trobe University.

 

APPENDIX 1

The following diagram presents a model for ethical analysis. Note in particular the comments marked thus: *

Back

 

APPENDIX 2

The following diagram presents a schematic overview of the discipline of ethics.

Back 

 Publications | Search | Contact

 

 .

 
© 2001- 2004 Peter Tylee. All rights reserved.

 
.