Recently I went through a training program on what are said to be standard ethical practices, and in that training some questions arose related to privacy. Although organizations have documents defining what is ethical and what is not, how many IT managers understand them? The key buzzword responsible for the revolution in the US healthcare sector is privacy. Let's understand this and its relevance to the ethical side of an IT manager's work.
Does information’s availability justify its use?
Governments collect massive amounts of data on individuals and organizations and use it for a variety of purposes: national security, accurate tax collection, demographics, international geopolitical strategic analysis, etc. Corporations do the same for commercial reasons: to increase business, control expense, enhance profitability, gain market share, etc. Technological advances in both hardware and software have significantly changed the scope of what can be amassed and processed. Massive quantities of data, measured in petabytes and beyond, can be centrally stored and retrieved effortlessly and quickly. Seemingly disparate sources of data can be cross-referenced to glean new meanings when one set of data is viewed within the context of another. In the 1930s and 1940s the volumes of data available were minuscule by comparison and the "processing" of that data was entirely manual. Had even a small portion of today’s capabilities existed, the world as we now know it would probably be quite different. Should organizations’ ability to collect and process data on exponentially increasing scales be limited in any way? Does the fact that information can be architected for a particular purpose mean it should be, even if by so doing individual privacy rights are potentially violated? If data meant for one use is diverted to another process which is socially redeeming and would result in a greater good or could result in a financial gain, does that mitigate the ethical dilemma, no matter how innocent and pure the motivation?
How much effort and expense should managers incur in considering questions of data access and privacy?
This is an issue with both internal and external implications. All organizations collect personal data on employees, data that if not properly safeguarded can result in significant negative implications for individuals. Information such as compensation and background data, and personal identification information such as social security numbers and account identifiers, all has to be maintained and accessed by authorized personnel. Systems that track this data can be secured, but at some point data must leave those systems and be used. Operational policies and procedures can address the proper handling of that data, but if they’re not followed or enforced, there’s hardly any point in having them. Organizations routinely share data with each other, merging databases containing all kinds of identifiers. What’s the extent of the responsibility we should expect from the stewards of this data? Since there’s no perfect solution, where’s the tipping point beyond which efforts to ensure data can be accessed only by those who are authorized to do so can be considered reasonable and appropriate?
What can employers expect from employees with regard to nondisclosure when going to work for another firm?
Many people are required to sign NDAs (nondisclosure agreements) and noncompete clauses in employment contracts, legal documents that restrict their ability to share information with future employers, even to the point of barring them from joining certain companies or continuing to participate in a particular industry. What about the rest of us, who have no such legal restrictions? In the course of our work for employer A, we are privy to trade secrets, internal documents, proprietary processes and technology, and other information creating competitive advantage. We can’t do a brain dump when we leave to go to work for employer B; we carry that information with us. Is it ethical to use our special knowledge gained at one employer to the benefit of another? How do you realistically restrict yourself from doing so?
What part of an information asset belongs to an organization and what is simply part of an employee’s general knowledge?
Information, knowledge, and skills we develop in the course of working on projects can be inextricably intertwined. You’re the project manager for an effort to reengineer your company’s marketing operations system. You have access to confidential internal memoranda on key organization strategic and procedural information. To build the new system, you and your team have to go for some advanced technical training on the new technology products you’ll be using. The new system you build is completely revolutionary in design and execution. Although there are areas of patent law that cover many such situations, there’s not much in the way of case law testing this just yet, and of course laws vary between countries. Clearly, you’ve built an asset owned by your company, but do you have a legitimate claim to any part of it? Can you take any part of this knowledge or even the design or code itself with you to another employer or for the purpose of starting your own company? Suppose you do strike out on your own and sell your system to other companies. Is the ethical dilemma mitigated by the fact that your original company isn’t in the software business? Or that you’ve sold your product only to noncompeting companies? What if we were talking about a database instead of a system?
In a bygone era, there was less data to work with, and the only quality assurance that needed to be performed was on data…operations and procedures were manual, so it was the output of those functions that was most critical. Technology has enabled vastly more complicated and interconnected processes, such that a problem far upstream in a process has a ripple effect on the rest of the process. Sarbanes-Oxley requires the certification of all internal controls in large part for this reason.
Does data gathered violate employee privacy rights?
Many organizations have started adding a credit and background check to the standard reference check during the hiring process. Are those organizations obligated to tell us they’re doing this and what results they’ve received? The justification for doing the credit check typically is that a person who can’t manage his or her own finances probably can’t be trusted with any fiduciary responsibility on behalf of the organization. Does this pass the smell test or is this actually an infringement of privacy? Performing these checks is a relatively recent phenomenon, brought on in part by the desire of organizations to protect themselves in the wake of the numerous corporate scandals of the past few years but also because technology has enabled this data to be gathered, processed, and accessed quickly and inexpensively. Is technology responsible for enabling unethical behavior?
Do employees know the degree to which behavior is monitored?
Organizations have the right to monitor what employees do (management is measurement) and how technology systems are used. It’s common practice to notify employees that when they use organizational assets such as networks or Internet access, they should have no expectation of privacy. Even without that disclaimer, they really don’t need the warning to know this monitoring is, or could be, taking place. Do organizations have an obligation to notify employees as to the extent of that monitoring? Should an organization make it clear that in addition to monitoring how long employees are using the Internet, it's also watching which Web sites they visit? If employees are told there’s no expectation of privacy when using the e-mail system, is it an ethical violation when they later find out the organization was actually reading their e-mails?