Privacy, Data and Cybersecurity Advisory

Published June 23, 2016

Ethical Issues of Confronting IT Managers

Source: Lighthouse

The rapid evolution of information technology in recent years has been a boon to organizations in many ways. Cumbersome manual data collection and processing systems have been replaced by lightning-fast computer systems, enabling organizations to accumulate and store large volumes of data in a fraction of the time. System users can also access the data with just a few clicks of a computer mouse.

But as is the case with many technological advances, the powerful capabilities of the modern IT system can be a double-edged sword. Organizational leaders, and in particular, IT managers, face a variety of ethical issues regarding the collection, processing, and dissemination of data.

Does the organization’s collection and use of data infringe upon the right to privacy?

With so much data at their fingertips, including personal information such as a customer’s buying habits and other demographic indicators, questions arise regarding the responsibility organizations have in protecting an individual’s right to privacy. Should an organization be allowed to use the information as it sees fit, and should limitations be placed on how much and what type of data can be collected? Sharing of databases between organizations is also commonplace, so should this practice be restricted?

A possible solution is to create a written privacy policy that clearly states how the organization intends to use the personal data it collects, as well as the reasons for collecting it. Organizations should post the policy in a conspicuous location, such as under a tab on their company website.

Who really “owns” information?

It used to be that a person graduated from college, went to work for a company, and stayed there for 30 or 40 years. In today’s world, people move from one organization to another with much greater frequency. IT managers can leave one organization and attempt to implement a similar system for their new employer.

While some organizations make use of non-compete clauses and non-disclosure agreements to protect themselves, not all do. With an IT manager’s easy access to sensitive company information, where is the ethical line between carrying over what they’ve learned to a new organization and maintaining a previous employer’s confidentiality?

For situations not covered by non-compete clauses or non-disclosure agreements, IT managers bear the ethical responsibility to disclose any potential conflicts of interest to their employer, or even recuse themselves from potentially compromising situations.

How far should organizations go when using IT to monitor their employees?

These days, employees often go to work for a company with the understanding that their Internet use and email access will be monitored by their employer. How ethical is it for employers to monitor employee Internet use and read employee emails, and are employers ethically obligated to inform employees as to the extent of the monitoring?

Technology also enables organizations to perform more extensive background checks during the hiring process, such as running credit reports. Many potential employers are even asking for a job candidate's passwords to social media accounts. How far should organizations be allowed to go when using IT to delve into the private lives of their employees? To what degree do these practices constitute unethical behavior?

Creating a written Acceptable Use Policy (AUP) that all employees must sign can clarify to what extent the organization intends to monitor Internet and email access. In addition, Tony Bradley of PC World magazine suggests that an ethical approach to resolving the dilemma is to implement monitoring procedures that truly serve the best interests of the organization, its employees, and its customers instead of using them simply to “spy” on employees.

Are IT departments taking appropriate quality control (QC) measures?

The growing complexity of modern IT systems and the sheer volume of data IT departments manage call for more stringent quality control measures. The high degree of system interconnectivity between departments within an organization also means that a breakdown in one area can have far-reaching implications for the organization as a whole.

But QC can be expensive and time-consuming. How much QC is enough, and who is ultimately responsible for its administration? How much responsibility should IT managers have to work through worst-case scenarios in advance?

In general, top management sets the tone as well as the standards for quality throughout the entire organization. For QC to be effective at the IT level, IT managers must work in tandem with company management to develop effective IT quality measurement standards. Management should ensure that the IT department has implemented adequate QC processes and is fully prepared to react quickly when issues occur.

What is the level of responsibility of the IT department and the organization as a whole for ensuring system security?

We've all heard of situations where IT systems have been breached, resulting in serious consequences such as identity theft and the loss of proprietary information and trade secrets. According to the Verizon 2009 Data Breach Investigations Report, 64 percent of security breaches resulted from computer hacking, and those breaches accounted for 94 percent of the records compromised. Additionally, the report concluded that 87 percent of the incidents could have been avoided if appropriate security measures had been in place.

How much responsibility does IT bear in the prevention of potentially devastating security breaches? When a breach does occur, how liable should organizations be for any resulting damages?

As with QC issues, an ethical approach to IT security is for company management and IT to share the burden. The Verizon report recommends an approach that “aligns process with policy,” which requires the development of strict internal controls with clearly defined levels of accountability. Organizations should also develop and test an appropriate incident response plan to manage breaches quickly and limit potential liability.
