Professional Ethics and Legal Responsibilities
You can read this note directly if you understand that computing systems are used by real people. Professional ethics is about how computing professionals should act when their work affects others.
A computing professional may be able to access data, change code, configure systems, or influence decisions. Ethics and law help decide how that power should be used responsibly.
Beginner Problem
A computing professional often has more technical power than an ordinary user.
Examples:
| Technical ability | Why ethics matters |
|---|---|
| view database records | access should be limited to legitimate work purposes |
| change production code | mistakes can affect many users |
| configure security settings | weak settings can expose data |
| analyse user behaviour | analysis can become intrusive |
| moderate online content | decisions may affect reputation, safety, and public trust |
Ethics asks how that power should be used responsibly.
Weak thinking:
I can access the database, so it is fine for me to look at the records.Stronger thinking:
Technical access is not the same as permission. I should only access records
for a legitimate work purpose, protect confidentiality, and follow the proper
policy or approval process.Why Professional Ethics Matters
A programmer, database administrator, analyst, AI engineer, or cybersecurity worker may have access to:
- private user data;
- internal business information;
- security settings;
- code that controls important services;
- decisions that affect users;
- online communication systems that can spread information or harm quickly.
Technical skill is not enough. The professional must also act responsibly.
Professional ethics matters because computing systems can affect privacy, safety, fairness, trust, and access to important services. A careless action may harm many users even if the original intention was not malicious.
Core Professional Responsibilities
| Responsibility | What it means in practice |
|---|---|
| integrity | be honest about work, data, risks, and mistakes |
| responsibility | accept accountability for professional decisions |
| competence | keep skills current and avoid work beyond ability without support |
| confidentiality | protect information that should not be disclosed |
| respect for users | consider privacy, safety, accessibility, and fairness |
| professionalism | communicate clearly and avoid behaviour that damages trust |
| law-aware conduct | recognise when laws, policies, or reporting duties may apply |
Example:
A developer finds a security flaw in a school system.Professional response:
- do not exploit it;
- do not publish private details;
- report it through the proper channel;
- help fix and test the solution if responsible for the system;
- document what was found and what action was taken.
The key idea is:
A professional response is not just "avoid breaking the law".
It also includes reducing harm, protecting users, reporting responsibly,
and being honest about risks and limitations.Ethical Decision Process
Caption: Ethical decisions should identify stakeholders, rules, risks, actions, and review steps.
Use this process for scenario questions:
- identify the stakeholders;
- identify relevant laws, policies, and professional duties;
- identify potential harms and benefits;
- choose a responsible action;
- document and review the decision.
For H2 Computing answers, do not stop at naming a law or saying an action is wrong. Explain the issue, the affected stakeholders, the possible harm, and the responsible action.
Ethical Versus Legal
Legal means related to law.
Ethical means related to what should be done responsibly.
They overlap, but they are not identical.
| Situation | Legal question | Ethical question |
|---|---|---|
| collecting app usage data | is consent or notification required? | is the collection necessary and proportionate? |
| using open-source code | does the licence allow this use? | is attribution clear and honest? |
| monitoring employees | is the monitoring allowed? | is it excessive or unfair? |
| removing harmful comments | is the content unlawful or against policy? | is the moderation transparent and fair? |
| using AI to screen applicants | are personal data and employment rules followed? | is the decision fair, explainable, and reviewed by humans? |
Beginner rule:
Legal sets a minimum boundary. Ethics asks whether the action is responsible,
fair, honest, and proportionate.Examples:
- An action may be legal but still ethically questionable if it is intrusive, unfair, or misleading.
- An action may be ethically necessary even before a law forces it, such as warning users about a serious data leak.
Singapore Legal Responsibilities at Syllabus Depth
At H2 Computing depth, you should recognise broad legal issue areas and connect them to scenarios. You are not expected to memorise detailed statute sections or give legal advice.
Core legal contexts at syllabus depth include:
| Legal context | What students should recognise | Example scenario |
|---|---|---|
| Personal Data Protection Act (PDPA) | personal data should be collected, used, disclosed, stored, and protected responsibly | an app collects student names, contact numbers, location data, or medical information |
| Computer Misuse Act | unauthorised access, modification, interception, or misuse of computer systems is a serious legal issue | a student guesses a teacher’s password and enters the school system |
| Copyright and intellectual property | copying, modifying, distributing, or reusing work without permission or licence compliance can be a legal and professional issue | a student copies code, images, or text without checking the licence or giving required attribution |
| Cybersecurity and critical systems | important systems should be protected and cyber risks should be reported responsibly | a developer finds a vulnerability in a service used by many people |
Useful related contexts include software licences, online falsehoods, online harassment, doxxing, and school or workplace acceptable-use policies.
Important exam warning:
Do not cite a law randomly. Name a law only when the scenario matches its concern,
then explain the harm and responsible action.For example, a question about copying code may be better discussed using intellectual property, licence, plagiarism, and professional honesty. A question about guessing a password should be discussed as unauthorised access and computer misuse.
Common Legal Issue Areas
The same scenario may involve more than one legal or professional issue.
| Area | Concern | Responsible response |
|---|---|---|
| personal data protection | collecting, using, disclosing, storing, and protecting personal data | collect only necessary data, state purpose, restrict access, secure storage, delete when no longer needed |
| computer misuse | avoiding unauthorised access, modification, interception, or misuse | do not access systems without permission; report vulnerabilities responsibly |
| copyright and licences | respecting ownership and permitted use of creative or software works | check licences, attribute properly, avoid unauthorised copying |
| cybersecurity | protecting systems and responding responsibly to cyber risks | patch systems, use access control, monitor incidents, communicate responsibly |
| online falsehoods | preventing harmful spread of false or manipulated information | verify information, correct false claims, avoid amplifying harmful content |
| online harassment and doxxing | preventing harm through threats, repeated abuse, or exposure of private details | report abuse, remove harmful content where responsible, protect affected users |
This note is for computing syllabus understanding, not legal advice.
Intellectual Property
Intellectual property issues include copying, modifying, distributing, or using works created by others.
Examples:
- copying paid software without permission;
- reusing code without respecting its licence;
- using images, music, or text without proper permission or attribution;
- claiming another person’s work as your own;
- using AI-generated or copied material in a way that violates school rules or hides the true source.
Responsible action includes checking licences, giving attribution where required, and using properly authorised resources.
For programming work, remember:
Open-source does not mean "can do anything".
The licence tells you what use, modification, distribution, and attribution are allowed.Privacy and Confidentiality
Privacy is about appropriate collection, use, and disclosure of personal data.
Confidentiality is about keeping sensitive information from unauthorised people.
Example:
A database administrator can technically view student records.That does not mean they should view records without a work-related reason.
Responsible handling of data includes:
- collect only data needed for a clear purpose;
- inform users where appropriate;
- restrict access to authorised people;
- protect data using suitable security measures;
- avoid using real personal data in test systems when anonymised data is enough;
- delete or anonymise data when it is no longer needed;
- report data leaks through proper channels.
Responsible Disclosure and Whistleblowing
A computing professional may discover a serious problem, such as a data leak, security flaw, unsafe system behaviour, or dishonest practice.
Responsible disclosure means reporting the problem in a way that helps reduce harm.
Professional response:
- keep evidence only as necessary and handle it carefully;
- do not exploit the flaw;
- do not publish passwords, private data, or technical details that enable harm;
- report the issue to a responsible person or official channel;
- follow up so that the issue can be fixed;
- escalate appropriately if the issue is ignored and serious harm may continue.
This does not mean hiding all problems. It means raising problems responsibly so that users are protected.
Scenario Template
Use this template:
| Prompt | Example answer fragment |
|---|---|
| issue | user location data may be collected unnecessarily |
| stakeholder | students, parents, school, app vendor |
| risk | privacy loss, misuse, unauthorised access |
| professional duty | minimise data collection and protect stored data |
| relevant legal context | PDPA may be relevant if personal data is collected or disclosed |
| safeguard | collect only needed data, state purpose, restrict access, log access |
| judgement | acceptable only if purpose is clear, proportionate, secure, and reviewed |
A strong answer should usually include:
issue + stakeholder + benefit/risk + responsible action + balanced judgementWorked Scenario 1: Copying Real Data into a Test System
Scenario:
A developer is asked to copy user email addresses from a customer database
into a test system.Possible answer:
| Part | Response |
|---|---|
| issue | personal data may be exposed outside its original purpose |
| stakeholder | users, developer, company, test team |
| risk | unauthorised access, accidental disclosure, loss of trust |
| professional duty | protect confidentiality and minimise unnecessary data use |
| relevant legal context | PDPA-style personal data protection concerns may apply |
| safeguard | use anonymised test data, restrict access, document approval |
| judgement | copying real emails is inappropriate unless clearly authorised and necessary |
This style is useful because it turns a vague ethical concern into a specific professional decision.
Worked Scenario 2: False Information on a School Platform
Scenario:
A student uses a school discussion platform to spread a false claim that a teacher
has been dismissed for misconduct.Possible answer:
| Part | Response |
|---|---|
| issue | false information may harm reputation and trust |
| stakeholder | teacher, students, school, platform administrator |
| risk | reputational harm, emotional distress, spread of misinformation |
| professional duty | moderate harmful content fairly and communicate responsibly |
| relevant legal context | online falsehood or harassment-related concerns may arise depending on the details |
| safeguard | verify facts, remove or correct harmful content, keep records, report through school channels |
| judgement | the platform should not allow harmful false claims to remain online without review |
Do not write only:
This is illegal.A better answer explains what harm may occur and what responsible action should be taken.
Worked Scenario 3: Online Harassment and Doxxing
Scenario:
A user posts another student's phone number and home address in a group chat,
then encourages others to send insulting messages.Possible answer:
| Part | Response |
|---|---|
| issue | doxxing and harassment expose private information and encourage abuse |
| stakeholder | targeted student, classmates, school, platform administrator |
| risk | emotional harm, safety risk, privacy loss, escalation of conflict |
| professional duty | protect affected users and prevent misuse of the platform |
| relevant legal context | harassment, doxxing, and personal data concerns may be relevant |
| safeguard | remove the post, restrict the offender if appropriate, preserve evidence, report to responsible staff |
| judgement | this behaviour is not acceptable because it creates direct harm and misuse of personal information |
This scenario shows that computing ethics is not only about databases and hacking. Online communication systems can also cause real harm.
How to Answer Different Question Types
| Command word | What to do | Example response style |
|---|---|---|
| identify | name the issue or law/context | ”This raises a personal data protection issue because location data is collected.” |
| explain | give reason and consequence | ”Unauthorised access is harmful because it may expose confidential records.” |
| discuss | give both benefit and risk | ”Monitoring may improve security, but it may also reduce privacy and trust.” |
| evaluate | give a balanced judgement with conditions | ”The system is acceptable only if the purpose is clear, data is minimised, and human review is available.” |
| suggest | propose a safeguard or responsible action | ”Use anonymised test data instead of real customer emails.” |
Useful sentence patterns:
This affects [stakeholder] because...
The benefit is..., but the risk is...
A responsible safeguard is...
This is acceptable only if...Common Mistakes
- Saying “the user agreed” without asking whether the user was properly informed.
- Treating technical access as permission.
- Assuming free online material can always be copied.
- Ignoring confidentiality because no hacking occurred.
- Giving a legal answer only, without discussing professional responsibility.
- Naming a law without explaining why it applies.
- Saying “it is just online” when the scenario involves real privacy, reputation, or safety harm.
- Treating a security flaw as something to show off rather than report responsibly.
Check Your Understanding
- Why is confidentiality important for computing professionals?
- What is the difference between legal and ethical?
- Why should a developer check a code licence before reuse?
- What should a professional do after finding a serious security flaw?
- Why is technical access not the same as permission?
- Give one computing scenario involving online harassment or doxxing.
- Give one computing scenario involving a harmful online falsehood.
Answers:
- Professionals may access sensitive information that must not be disclosed without authorisation.
- Legal concerns what law permits or requires; ethical concerns what responsible action should be taken.
- The licence controls how the code may be used, modified, or distributed.
- Report it through proper channels and avoid exploiting or publicising sensitive details.
- A person may be technically able to view or change something, but they still need a legitimate authorised purpose.
- A user repeatedly sends abusive messages or posts another person’s private details online.
- A user spreads a false online claim about a public matter that may cause public harm.