Professional Ethics
Why Professional Ethics Matters
"Professionalism is not about wearing a suit. It's about the standards you hold yourself to when no one is watching." — Anonymous
Computing professionals shape systems that affect millions. Ethical practice isn't optional — it's the foundation of public trust, legal compliance, and sustainable careers.
The Two Views of Professionalism
A critical distinction in professional ethics is between compliance-based (HR/corporate) and standards-based (professional body) views:
| Dimension | HR / Corporate View | Professional Body View (BCS, ACM, IEEE) |
|---|---|---|
| Purpose | Risk mitigation, legal compliance, brand protection | Public trust, competence advancement, societal benefit |
| Scope | Employee conduct within organisation | Professional practice across all contexts |
| Enforcement | Employment contract, disciplinary policy | Code of conduct, peer review, certification |
| Accountability | To employer | To profession, public, peers |
| Continuing Obligation | While employed | Lifetime / while certified |
| Conflict Resolution | Internal HR, legal | Professional conduct committees, independent review |
| Whistleblowing | Often discouraged (loyalty) | Protected duty (public interest) |
| Competence | Job requirements | Continuing Professional Development (CPD) |
Key Insight: The HR view asks "What can I get away with?" — the professional body view asks "What should I do?"
Why This Distinction Matters
# Scenario: You discover a security vulnerability in your company's product.
# ┌─────────────────────────────────────────────────────────────────────┐
# │ HR View (Compliance) │ Professional View (BCS/ACM) │
# │ ──────────────────────────── │ ───────────────────────────────── │
# │ • Report to manager │ • Report to manager │
# │ • Follow internal process │ • If ignored → escalate internally│
# │ • Don't disclose externally │ • If still ignored → responsible │
# │ • Protect company interests │ disclosure (public interest) │
# │ • Loyalty to employer │ • Protect users/public │
# └────────────────────────────────┴────────────────────────────────────┘
// Scenario: You discover a security vulnerability in your company's product.
// ┌─────────────────────────────────────────────────────────────────────┐
// │ HR View (Compliance) │ Professional View (BCS/ACM) │
// │ ──────────────────────────── │ ───────────────────────────────── │
// │ • Report to manager │ • Report to manager │
// │ • Follow internal process │ • If ignored → escalate internally│
// │ • Don't disclose externally │ • If still ignored → responsible │
// │ • Protect company interests │ disclosure (public interest) │
// │ • Loyalty to employer │ • Protect users/public │
// └────────────────────────────────┴────────────────────────────────────┘
// Scenario: You discover a security vulnerability in your company's product.
// ┌─────────────────────────────────────────────────────────────────────┐
// │ HR View (Compliance) │ Professional View (BCS/ACM) │
// │ ──────────────────────────── │ ───────────────────────────────── │
// │ • Report to manager │ • Report to manager │
// │ • Follow internal process │ • If ignored → escalate internally│
// │ • Don't disclose externally │ • If still ignored → responsible │
// │ • Protect company interests │ disclosure (public interest) │
// │ • Loyalty to employer │ • Protect users/public │
// └────────────────────────────────┴────────────────────────────────────┘
// Scenario: You discover a security vulnerability in your company's product.
// ┌─────────────────────────────────────────────────────────────────────┐
// │ HR View (Compliance) │ Professional View (BCS/ACM) │
// │ ──────────────────────────── │ ───────────────────────────────── │
// │ • Report to manager │ • Report to manager │
// │ • Follow internal process │ • If ignored → escalate internally│
// │ • Don't disclose externally │ • If still ignored → responsible │
// │ • Protect company interests │ disclosure (public interest) │
// │ • Loyalty to employer │ • Protect users/public │
// └────────────────────────────────┴────────────────────────────────────┘
The professional obligation transcends employment. Your primary duty is to the public interest, not your employer.
BCS Code of Conduct
The British Computer Society (BCS) Code of Conduct has four core ethical principles:
1. Public Interest
"You shall have regard for public health, privacy, security and wellbeing of others and the environment."
| Obligation | Practical Application |
|---|---|
| Protect public safety | Refuse unsafe deployments, escalate risks |
| Respect privacy | Privacy by design, data minimisation, consent |
| Ensure security | Secure defaults, responsible disclosure, patch management |
| Environmental impact | Green computing, e-waste responsibility, energy efficiency |
| Accessibility | Inclusive design (WCAG), digital inclusion |
| Truthfulness | Accurate claims, no misleading marketing |
Conflict Example: Employer wants to launch without security audit. - HR view: "Ship it, we'll patch later" - BCS view: Refuse — public safety risk. Document, escalate, report to BCS if necessary.
2. Professional Competence and Integrity
"You shall only undertake work you are competent to perform, and maintain your professional knowledge."
| Obligation | Practical Application |
|---|---|
| Know your limits | Decline work beyond expertise, recommend specialists |
| CPD / Lifelong learning | Minimum 25 hours/year (BCS), track in CPD log |
| Honest representation | Accurate CV, no exaggerated claims, honest estimates |
| Intellectual property | Respect licences, attribute correctly, open source compliance |
| Quality standards | Follow best practices, testing, documentation |
| Mentorship | Support junior colleagues, knowledge sharing |
Competence Boundaries:
| Scenario | Ethical Response |
|---|---|
| Asked to design medical system without domain knowledge | Decline or partner with qualified expert |
| Using unfamiliar framework in production | Prototype first, document learning, get review |
| Asked to certify untested code | Refuse — cannot vouch for quality |
3. Duty to Relevant Authority
"You shall carry out your professional responsibilities with due care and diligence in accordance with the requirements of your employer/client."
| Obligation | Practical Application |
|---|---|
| Duty of care | Competent, timely, professional service |
| Confidentiality | Protect client/employer information |
| Conflict of interest | Disclose, recuse, don't exploit position |
| Contractual compliance | Meet agreed specifications, timelines |
| Proper authority | Only accept instructions from authorised persons |
Critical Exception: Duty to authority never overrides duty to public interest (Principle 1).
# Conflict Resolution Hierarchy:
# 1. Public Interest (Paramount)
# 2. Professional Competence & Integrity
# 3. Duty to Relevant Authority
# 4. Duty to the Profession
// Conflict Resolution Hierarchy
// 1. Public Interest (Paramount)
// 2. Professional Competence & Integrity
// 3. Duty to Relevant Authority
// 4. Duty to the Profession
// Conflict Resolution Hierarchy
// 1. Public Interest (Paramount)
// 2. Professional Competence & Integrity
// 3. Duty to Relevant Authority
// 4. Duty to the Profession
// Conflict Resolution Hierarchy
// 1. Public Interest (Paramount)
// 2. Professional Competence & Integrity
// 3. Duty to Relevant Authority
// 4. Duty to the Profession
4. Duty to the Profession
"You shall uphold the reputation of the profession and support fellow professionals."
| Obligation | Practical Application |
|---|---|
| Reputation | No conduct bringing profession into disrepute |
| Peer support | Mentor, review, collaborate constructively |
| Diversity & inclusion | Challenge discrimination, promote equity |
| Professional development | Share knowledge, contribute to community |
| Reporting misconduct | Report serious breaches to BCS/appropriate body |
Other Major Codes of Conduct
ACM Code of Ethics (2018)
| Principle | Key Points |
|---|---|
| 1. General Moral Imperatives | Contribute to society, avoid harm, be honest, fair, respect IP, privacy, confidentiality |
| 2. Professional Responsibilities | Strive for excellence, know limits, accept review, evaluate systems |
| 3. Professional Leadership | Manage responsibly, ensure quality, protect users, support colleagues |
| 4. Compliance | Uphold code, report violations, treat violations seriously |
ACM vs BCS: ACM is more detailed (25 clauses), BCS is more principles-based (4). Both align on public interest paramountcy.
IEEE Code of Ethics
- Public welfare — paramount
- Conflict of interest — disclose
- Honest claims — realistic estimates
- Reject bribery — no improper influence
- Technological understanding — improve understanding
- Technical competence — maintain
- Honest criticism — seek/offer
- Fair treatment — no discrimination
- Avoid injury — no harm to others
- Support colleagues — professional development
Ethical Decision-Making Frameworks
1. BCS Ethical Decision Framework
# 1. IDENTIFY the ethical issue
# ├─ What principles are at stake?
# ├─ Who are the stakeholders?
# └─ What are the consequences?
# 2. CONSULT
# ├─ BCS Code of Conduct
# ├─ Organizational policies
# ├─ Legal requirements
# └─ Trusted colleagues / mentor
# 3. CONSIDER alternatives
# ├─ What would a reasonable professional do?
# ├─ Test: "Would I defend this publicly?"
# ├─ Test: "What if everyone did this?"
# └─ Test: "Does this respect autonomy/dignity?"
# 4. DECIDE and DOCUMENT
# ├─ Record reasoning
# ├─ Act
# └─ Reflect on outcome
// 1. IDENTIFY the ethical issue
// ├─ What principles are at stake?
// ├─ Who are the stakeholders?
// └─ What are the consequences?
// 2. CONSULT
// ├─ BCS Code of Conduct
// ├─ Organizational policies
// ├─ Legal requirements
// └─ Trusted colleagues / mentor
// 3. CONSIDER alternatives
// ├─ What would a reasonable professional do?
// ├─ Test: "Would I defend this publicly?"
// ├─ Test: "What if everyone did this?"
// └─ Test: "Does this respect autonomy/dignity?"
// 4. DECIDE and DOCUMENT
// ├─ Record reasoning
// ├─ Act
// └─ Reflect on outcome
// 1. IDENTIFY the ethical issue
// ├─ What principles are at stake?
// ├─ Who are the stakeholders?
// └─ What are the consequences?
// 2. CONSULT
// ├─ BCS Code of Conduct
// ├─ Organizational policies
// ├─ Legal requirements
// └─ Trusted colleagues / mentor
// 3. CONSIDER alternatives
// ├─ What would a reasonable professional do?
// ├─ Test: "Would I defend this publicly?"
// ├─ Test: "What if everyone did this?"
// └─ Test: "Does this respect autonomy/dignity?"
// 4. DECIDE and DOCUMENT
// ├─ Record reasoning
// ├─ Act
// └─ Reflect on outcome
// 1. IDENTIFY the ethical issue
// ├─ What principles are at stake?
// ├─ Who are the stakeholders?
// └─ What are the consequences?
// 2. CONSULT
// ├─ BCS Code of Conduct
// ├─ Organizational policies
// ├─ Legal requirements
// └─ Trusted colleagues / mentor
// 3. CONSIDER alternatives
// ├─ What would a reasonable professional do?
// ├─ Test: "Would I defend this publicly?"
// ├─ Test: "What if everyone did this?"
// └─ Test: "Does this respect autonomy/dignity?"
// 4. DECIDE and DOCUMENT
// ├─ Record reasoning
// ├─ Act
// └─ Reflect on outcome
2. ACM/IEEE "Seven-Step" Model
- State the problem clearly
- Check facts — laws, policies, codes
- Identify stakeholders and impact
- Generate alternatives (at least 3)
- Evaluate alternatives against principles
- Choose best option
- Implement and monitor
3. Practical Quick Test (The "Newspaper Test")
Would you be comfortable reading about your decision on the front page of a national newspaper?
If no → reconsider. If yes → proceed with documentation.
Common Ethical Dilemmas in Computing
1. Security vs. Usability
| Pressure | Ethical Response |
|---|---|
| "Remove 2FA for conversion" | Refuse — security is non-negotiable for auth |
| "Weak password policy" | Implement progressive requirements, educate |
| "Skip penetration test" | Refuse — document risk, escalate |
2. Data Privacy vs. Business Analytics
| Pressure | Ethical Response |
|---|---|
| "Track everything by default" | Privacy by design — opt-in, purpose limitation |
| "Sell user data" | Refuse without explicit informed consent |
| "Ignore GDPR for non-EU users" | Apply highest standard globally |
3. AI/ML Ethics
| Pressure | Ethical Response |
|---|---|
| "Deploy model without bias audit" | Refuse — demand disaggregated metrics |
| "Use scraped data" | Verify licensing, consent, copyright |
| "Hide model limitations" | Document honestly (model card), set expectations |
4. Technical Debt vs. Business Pressure
| Pressure | Ethical Response |
|---|---|
| "Ship now, fix later" | Define "later", get written commitment, document risk |
| "No time for tests" | Minimal viable test coverage, track debt, schedule repayment |
| "Refactor is waste" | Explain long-term cost, propose incremental approach |
5. Whistleblowing Scenario
# You discover: Company knowingly ships software with critical safety bug.
# Step-by-step:
# 1. DOCUMENT factually (dates, versions, evidence)
# 2. REPORT internally (manager → security team → CTO)
# 3. ESCALATE if ignored (board, compliance, legal)
# 4. EXTERNAL reporting if:
# - Imminent public danger
# - Internal channels exhausted
# - Legal requirement (SOX, GDPR, sector regulators)
# 5. PROTECT yourself (laws: PIDA UK, SOX US, etc.)
# 6. CONSULT BCS/ACM ethics helpline for guidance
// You discover: Company knowingly ships software with critical safety bug.
Step-by-step:
1. DOCUMENT factually (dates, versions, evidence)
2. REPORT internally (manager → security team → CTO)
3. ESCALATE if ignored (board, compliance, legal)
4. EXTERNAL reporting if:
- Imminent public danger
- Internal channels exhausted
- Legal requirement (SOX, GDPR, sector regulators)
5. PROTECT yourself (laws: PIDA UK, SOX US, etc.)
6. CONSULT BCS/ACM ethics helpline for guidance
// You discover: Company knowingly ships software with critical safety bug.
Step-by-step:
1. DOCUMENT factually (dates, versions, evidence)
2. REPORT internally (manager → security team → CTO)
3. ESCALATE if ignored (board, compliance, legal)
4. EXTERNAL reporting if:
- Imminent public danger
- Internal channels exhausted
- Legal requirement (SOX, GDPR, sector regulators)
5. PROTECT yourself (laws: PIDA UK, SOX US, etc.)
6. CONSULT BCS/ACM ethics helpline for guidance
// You discover: Company knowingly ships software with critical safety bug.
Step-by-step:
1. DOCUMENT factually (dates, versions, evidence)
2. REPORT internally (manager → security team → CTO)
3. ESCALATE if ignored (board, compliance, legal)
4. EXTERNAL reporting if:
- Imminent public danger
- Internal channels exhausted
- Legal requirement (SOX, GDPR, sector regulators)
5. PROTECT yourself (laws: PIDA UK, SOX US, etc.)
6. CONSULT BCS/ACM ethics helpline for guidance
Professionalism in Practice
Daily Professional Habits
| Habit | Frequency | Evidence |
|---|---|---|
| Code review | Every PR | Constructive, learning-focused |
| Documentation | As you write | ADRs, API docs, runbooks |
| Testing | Before commit | Unit, integration, contract |
| Security | Continuous | Dependency scanning, secrets detection |
| Learning | Weekly | CPD log, tech talks, papers |
| Mentoring | Regular | Pair programming, reviews, guidance |
CPD (Continuing Professional Development)
BCS Requirements: - 25 hours/year minimum - Mix of: formal training, self-study, conferences, mentoring, writing - Reflective log — what, why, how applied - Audit — random selection, must provide evidence
CPD Categories:
| Category | Examples | Max Hours |
|---|---|---|
| Structured learning | Courses, certifications, conferences | Unlimited |
| Self-directed | Reading, videos, experimentation | 10 hrs |
| Work-based | Stretch projects, mentoring, reviews | 10 hrs |
| Professional activities | Committee, reviewing, speaking | 5 hrs |
Building Your Professional Portfolio
# Professional Portfolio Template
## Certifications
- BCS CITP (Chartered IT Professional)
- (ISC)² CISSP / CSSLP
- AWS/Azure/GCP Professional
## Evidence of Competence
- [ ] Architecture decisions (ADRs) with rationale
- [ ] Security reviews conducted
- [ ] Incidents led / postmortems written
- [ ] Mentoring relationships (formal/informal)
- [ ] Open source contributions
- [ ] Technical talks / blog posts
- [ ] Code review standards authored
## Ethical Leadership
- [ ] Escalated safety concern (documented)
- [ ] Refused unethical request (with rationale)
- [ ] Privacy impact assessment led
- [ ] Whistleblowing / reporting (if applicable)
- [ ] Diversity/inclusion initiative
// Professional Portfolio Template
## Certifications
- BCS CITP (Chartered IT Professional)
- (ISC)² CISSP / CSSLP
- AWS/Azure/GCP Professional
## Evidence of Competence
- [ ] Architecture decisions (ADRs) with rationale
- [ ] Security reviews conducted
- [ ] Incidents led / postmortems written
- [ ] Mentoring relationships (formal/informal)
- [ ] Open source contributions
- [ ] Technical talks / blog posts
- [ ] Code review standards authored
## Ethical Leadership
- [ ] Escalated safety concern (documented)
- [ ] Refused unethical request (with rationale)
- [ ] Privacy impact assessment led
- [ ] Whistleblowing / reporting (if applicable)
- [ ] Diversity/inclusion initiative
// Professional Portfolio Template
## Certifications
- BCS CITP (Chartered IT Professional)
- (ISC)² CISSP / CSSLP
- AWS/Azure/GCP Professional
## Evidence of Competence
- [ ] Architecture decisions (ADRs) with rationale
- [ ] Security reviews conducted
- [ ] Incidents led / postmortems written
- [ ] Mentoring relationships (formal/informal)
- [ ] Open source contributions
- [ ] Technical talks / blog posts
- [ ] Code review standards authored
## Ethical Leadership
- [ ] Escalated safety concern (documented)
- [ ] Refused unethical request (with rationale)
- [ ] Privacy impact assessment led
- [ ] Whistleblowing / reporting (if applicable)
- [ ] Diversity/inclusion initiative
// Professional Portfolio Template
## Certifications
- BCS CITP (Chartered IT Professional)
- (ISC)² CISSP / CSSLP
- AWS/Azure/GCP Professional
## Evidence of Competence
- [ ] Architecture decisions (ADRs) with rationale
- [ ] Security reviews conducted
- [ ] Incidents led / postmortems written
- [ ] Mentoring relationships (formal/informal)
- [ ] Open source contributions
- [ ] Technical talks / blog posts
- [ ] Code review standards authored
## Ethical Leadership
- [ ] Escalated safety concern (documented)
- [ ] Refused unethical request (with rationale)
- [ ] Privacy impact assessment led
- [ ] Whistleblowing / reporting (if applicable)
- [ ] Diversity/inclusion initiative
Resources
Professional Bodies
| Body | Code | Support |
|---|---|---|
| BCS | Code of Conduct | Ethics helpline, CPD tracker |
| ACM | Code of Ethics | Case studies, ethics committee |
| IEEE | Code of Ethics | Ethics hotline |
| (ISC)² | Code of Ethics | CISSP ethics requirement |
Legal Frameworks (UK)
| Law | Relevance |
|---|---|
| Public Interest Disclosure Act 1998 | Whistleblower protection |
| Computer Misuse Act 1990 | Unauthorised access, modification |
| Data Protection Act 2018 / UK GDPR | Personal data obligations |
| Equality Act 2010 | Non-discrimination in systems |
| Online Safety Act 2023 | Platform duty of care |
Recommended Reading
- Professional Issues in Software Engineering — Bott et al.
- Computer Ethics — Deborah Johnson
- Ethics for the Information Age — Michael Quinn
- The Ethics of Invention — Sheila Jasanoff
- BCS Code of Conduct: A Guide for Members — BCS publication
- ACM Code of Ethics Case Studies — ethics.acm.org
Practical Tools
| Tool | Purpose |
|---|---|
| BCS CPD Tracker | Log and reflect on learning |
| Ethical OS Toolkit | Risk assessment for tech products |
| Consequence Scanning | Agile ethical impact assessment |
| Model Cards / Datasheets | Document ML ethics |
| DPIA Template | Data Protection Impact Assessment |
Summary: Your Professional Compass
| When You Face | Ask Yourself |
|---|---|
| Pressure to cut corners | "Does this protect the public?" |
| Unfamiliar territory | "Am I competent? Who can help?" |
| Confidentiality vs. safety | "Which principle is paramount?" |
| Employer asks for unethical act | "Can I escalate? Document? Refuse?" |
| Seeing misconduct | "Is silence complicity?" |
| Making a claim | "Is it honest? Verifiable?" |
| Using others' work | "Is it attributed? Licensed?" |
The professional's North Star: Public interest first, competence always, integrity non-negotiable.
Your BCS/ACM/IEEE membership isn't a certificate — it's a commitment. Honour it.