โš–๏ธ Ethics in Computing

Professional Ethics

Why Professional Ethics Matters

"Professionalism is not about wearing a suit. It's about the standards you hold yourself to when no one is watching." — Anonymous

Computing professionals shape systems that affect millions. Ethical practice isn't optional — it's the foundation of public trust, legal compliance, and sustainable careers.


The Two Views of Professionalism

A critical distinction in professional ethics is between compliance-based (HR/corporate) and standards-based (professional body) views:

| Dimension | HR / Corporate View | Professional Body View (BCS, ACM, IEEE) |
|---|---|---|
| Purpose | Risk mitigation, legal compliance, brand protection | Public trust, competence advancement, societal benefit |
| Scope | Employee conduct within organization | Professional practice across all contexts |
| Enforcement | Employment contract, disciplinary policy | Code of conduct, peer review, certification |
| Accountability | To employer | To profession, public, peers |
| Continuing Obligation | While employed | Lifetime / while certified |
| Conflict Resolution | Internal HR, legal | Professional conduct committees, independent review |
| Whistleblowing | Often discouraged (loyalty) | Protected duty (public interest) |
| Competence | Job requirements | Continuing Professional Development (CPD) |

Key Insight: The HR view asks "What can I get away with?" — the professional body view asks "What should I do?"

Why This Distinction Matters

Scenario: You discover a security vulnerability in your company's product.

HR View (Compliance):
- Report to manager
- Follow internal process
- Don't disclose externally
- Protect company interests
- Loyalty to employer

Professional View (BCS/ACM):
- Report to manager
- If ignored → escalate internally
- If still ignored → responsible disclosure (public interest)
- Protect users/public

The professional obligation transcends employment. Your primary duty is to the public interest, not your employer.


BCS Code of Conduct

The British Computer Society (BCS) Code of Conduct has four core ethical principles:

1. Public Interest

"You shall have regard for public health, privacy, security and wellbeing of others and the environment."

| Obligation | Practical Application |
|---|---|
| Protect public safety | Refuse unsafe deployments, escalate risks |
| Respect privacy | Privacy by design, data minimization, consent |
| Ensure security | Secure defaults, responsible disclosure, patch management |
| Environmental impact | Green computing, e-waste responsibility, energy efficiency |
| Accessibility | Inclusive design (WCAG), digital inclusion |
| Truthfulness | Accurate claims, no misleading marketing |

Conflict Example: Employer wants to launch without security audit.
- HR view: "Ship it, we'll patch later"
- BCS view: Refuse — public safety risk. Document, escalate, report to BCS if necessary.

2. Professional Competence and Integrity

"You shall only undertake work you are competent to perform, and maintain your professional knowledge."

| Obligation | Practical Application |
|---|---|
| Know your limits | Decline work beyond expertise, recommend specialists |
| CPD / Lifelong learning | Minimum 25 hours/year (BCS), track in CPD log |
| Honest representation | Accurate CV, no exaggerated claims, honest estimates |
| Intellectual property | Respect licenses, attribute correctly, open source compliance |
| Quality standards | Follow best practices, testing, documentation |
| Mentorship | Support junior colleagues, knowledge sharing |

Competence Boundaries:

| Scenario | Ethical Response |
|---|---|
| Asked to design medical system without domain knowledge | Decline or partner with qualified expert |
| Using unfamiliar framework in production | Prototype first, document learning, get review |
| Asked to certify untested code | Refuse — cannot vouch for quality |

3. Duty to Relevant Authority

"You shall carry out your professional responsibilities with due care and diligence in accordance with the requirements of your employer/client."

| Obligation | Practical Application |
|---|---|
| Duty of care | Competent, timely, professional service |
| Confidentiality | Protect client/employer information |
| Conflict of interest | Disclose, recuse, don't exploit position |
| Contractual compliance | Meet agreed specifications, timelines |
| Proper authority | Only accept instructions from authorized persons |

Critical Exception: Duty to authority never overrides duty to public interest (Principle 1).

Conflict Resolution Hierarchy:
1. Public Interest (Paramount)
2. Professional Competence & Integrity
3. Duty to Relevant Authority
4. Duty to the Profession

4. Duty to the Profession

"You shall uphold the reputation of the profession and support fellow professionals."

| Obligation | Practical Application |
|---|---|
| Reputation | No conduct bringing profession into disrepute |
| Peer support | Mentor, review, collaborate constructively |
| Diversity & inclusion | Challenge discrimination, promote equity |
| Professional development | Share knowledge, contribute to community |
| Reporting misconduct | Report serious breaches to BCS/appropriate body |

Other Major Codes of Conduct

ACM Code of Ethics (2018)

| Principle | Key Points |
|---|---|
| 1. General Moral Imperatives | Contribute to society, avoid harm, be honest, fair, respect IP, privacy, confidentiality |
| 2. Professional Responsibilities | Strive for excellence, know limits, accept review, evaluate systems |
| 3. Professional Leadership | Manage responsibly, ensure quality, protect users, support colleagues |
| 4. Compliance | Uphold code, report violations, treat violations seriously |

ACM vs BCS: ACM is more detailed (25 clauses), BCS is more principles-based (4). Both align on public interest paramountcy.

IEEE Code of Ethics

  1. Public welfare — paramount
  2. Conflict of interest — disclose
  3. Honest claims — realistic estimates
  4. Reject bribery — no improper influence
  5. Technological understanding — improve understanding
  6. Technical competence — maintain
  7. Honest criticism — seek/offer
  8. Fair treatment — no discrimination
  9. Avoid injury — no harm to others
  10. Support colleagues — professional development

Ethical Decision-Making Frameworks

1. BCS Ethical Decision Framework

1. IDENTIFY the ethical issue
   ├─ What principles are at stake?
   ├─ Who are the stakeholders?
   └─ What are the consequences?

2. CONSULT
   ├─ BCS Code of Conduct
   ├─ Organizational policies
   ├─ Legal requirements
   └─ Trusted colleagues / mentor

3. CONSIDER alternatives
   ├─ What would a reasonable professional do?
   ├─ Test: "Would I defend this publicly?"
   ├─ Test: "What if everyone did this?"
   └─ Test: "Does this respect autonomy/dignity?"

4. DECIDE and DOCUMENT
   ├─ Record reasoning
   ├─ Act
   └─ Reflect on outcome

2. ACM/IEEE "Seven-Step" Model

  1. State the problem clearly
  2. Check facts — laws, policies, codes
  3. Identify stakeholders and impact
  4. Generate alternatives (at least 3)
  5. Evaluate alternatives against principles
  6. Choose best option
  7. Implement and monitor

3. Practical Quick Test (The "Newspaper Test")

Would you be comfortable reading about your decision on the front page of a national newspaper?

If no → reconsider. If yes → proceed with documentation.


Common Ethical Dilemmas in Computing

1. Security vs. Usability

| Pressure | Ethical Response |
|---|---|
| "Remove 2FA for conversion" | Refuse — security is non-negotiable for auth |
| "Weak password policy" | Implement progressive requirements, educate |
| "Skip penetration test" | Refuse — document risk, escalate |

2. Data Privacy vs. Business Analytics

| Pressure | Ethical Response |
|---|---|
| "Track everything by default" | Privacy by design — opt-in, purpose limitation |
| "Sell user data" | Refuse without explicit informed consent |
| "Ignore GDPR for non-EU users" | Apply highest standard globally |

3. AI/ML Ethics

| Pressure | Ethical Response |
|---|---|
| "Deploy model without bias audit" | Refuse — demand disaggregated metrics |
| "Use scraped data" | Verify licensing, consent, copyright |
| "Hide model limitations" | Document honestly (model card), set expectations |

4. Technical Debt vs. Business Pressure

| Pressure | Ethical Response |
|---|---|
| "Ship now, fix later" | Define "later", get written commitment, document risk |
| "No time for tests" | Minimal viable test coverage, track debt, schedule repayment |
| "Refactor is waste" | Explain long-term cost, propose incremental approach |

5. Whistleblowing Scenario

You discover: Company knowingly ships software with critical safety bug.

Step-by-step:
1. DOCUMENT factually (dates, versions, evidence)
2. REPORT internally (manager → security team → CTO)
3. ESCALATE if ignored (board, compliance, legal)
4. EXTERNAL reporting if:
   - Imminent public danger
   - Internal channels exhausted
   - Legal requirement (SOX, GDPR, sector regulators)
5. PROTECT yourself (laws: PIDA UK, SOX US, etc.)
6. CONSULT BCS/ACM ethics helpline for guidance

Professionalism in Practice

Daily Professional Habits

| Habit | Frequency | Evidence |
|---|---|---|
| Code review | Every PR | Constructive, learning-focused |
| Documentation | As you write | ADRs, API docs, runbooks |
| Testing | Before commit | Unit, integration, contract |
| Security | Continuous | Dependency scanning, secrets detection |
| Learning | Weekly | CPD log, tech talks, papers |
| Mentoring | Regular | Pair programming, reviews, guidance |

CPD (Continuing Professional Development)

BCS Requirements:
- 25 hours/year minimum
- Mix of: formal training, self-study, conferences, mentoring, writing
- Reflective log — what, why, how applied
- Audit — random selection, must provide evidence

CPD Categories:

| Category | Examples | Max Hours |
|---|---|---|
| Structured learning | Courses, certifications, conferences | Unlimited |
| Self-directed | Reading, videos, experimentation | 10 hrs |
| Work-based | Stretch projects, mentoring, reviews | 10 hrs |
| Professional activities | Committee, reviewing, speaking | 5 hrs |

Building Your Professional Portfolio

# Professional Portfolio Template

## Certifications
- BCS CITP (Chartered IT Professional)
- (ISC)² CISSP / CSSLP
- AWS/Azure/GCP Professional

## Evidence of Competence
- [ ] Architecture decisions (ADRs) with rationale
- [ ] Security reviews conducted
- [ ] Incidents led / postmortems written
- [ ] Mentoring relationships (formal/informal)
- [ ] Open source contributions
- [ ] Technical talks / blog posts
- [ ] Code review standards authored

## Ethical Leadership
- [ ] Escalated safety concern (documented)
- [ ] Refused unethical request (with rationale)
- [ ] Privacy impact assessment led
- [ ] Whistleblowing / reporting (if applicable)
- [ ] Diversity/inclusion initiative

Resources

Professional Bodies

| Body | Code | Support |
|---|---|---|
| BCS | Code of Conduct | Ethics helpline, CPD tracker |
| ACM | Code of Ethics | Case studies, ethics committee |
| IEEE | Code of Ethics | Ethics hotline |
| (ISC)² | Code of Ethics | CISSP ethics requirement |

| Law | Relevance |
|---|---|
| Public Interest Disclosure Act 1998 | Whistleblower protection |
| Computer Misuse Act 1990 | Unauthorized access, modification |
| Data Protection Act 2018 / UK GDPR | Personal data obligations |
| Equality Act 2010 | Non-discrimination in systems |
| Online Safety Act 2023 | Platform duty of care |

  • Professional Issues in Software Engineering — Bott et al.
  • Computer Ethics — Deborah Johnson
  • Ethics for the Information Age — Michael Quinn
  • The Ethics of Invention — Sheila Jasanoff
  • BCS Code of Conduct: A Guide for Members — BCS publication
  • ACM Code of Ethics Case Studies — ethics.acm.org

Practical Tools

| Tool | Purpose |
|---|---|
| BCS CPD Tracker | Log and reflect on learning |
| Ethical OS Toolkit | Risk assessment for tech products |
| Consequence Scanning | Agile ethical impact assessment |
| Model Cards / Datasheets | Document ML ethics |
| DPIA Template | Data Protection Impact Assessment |

Summary: Your Professional Compass

| When You Face | Ask Yourself |
|---|---|
| Pressure to cut corners | "Does this protect the public?" |
| Unfamiliar territory | "Am I competent? Who can help?" |
| Confidentiality vs. safety | "Which principle is paramount?" |
| Employer asks for unethical act | "Can I escalate? Document? Refuse?" |
| Seeing misconduct | "Is silence complicity?" |
| Making a claim | "Is it honest? Verifiable?" |
| Using others' work | "Is it attributed? Licensed?" |

The professional's North Star: Public interest first, competence always, integrity non-negotiable.

Your BCS/ACM/IEEE membership isn't a certificate — it's a commitment. Honor it.