Professional Ethics and Legal Responsibilities

You can read this note directly if you understand that computing systems are used by real people. Professional ethics is about how computing professionals should act when their work affects others.

A computing professional may be able to access data, change code, configure systems, or influence decisions. Ethics and law help decide how that power should be used responsibly.

Beginner Problem

A computing professional often has more technical power than an ordinary user.

Examples:

Technical abilityWhy ethics matters
view database recordsaccess should be limited to legitimate work purposes
change production codemistakes can affect many users
configure security settingsweak settings can expose data
analyse user behaviouranalysis can become intrusive
moderate online contentdecisions may affect reputation, safety, and public trust

Ethics asks how that power should be used responsibly.

Weak thinking:

I can access the database, so it is fine for me to look at the records.

Stronger thinking:

Technical access is not the same as permission. I should only access records
for a legitimate work purpose, protect confidentiality, and follow the proper
policy or approval process.

Why Professional Ethics Matters

A programmer, database administrator, analyst, AI engineer, or cybersecurity worker may have access to:

  • private user data;
  • internal business information;
  • security settings;
  • code that controls important services;
  • decisions that affect users;
  • online communication systems that can spread information or harm quickly.

Technical skill is not enough. The professional must also act responsibly.

Professional ethics matters because computing systems can affect privacy, safety, fairness, trust, and access to important services. A careless action may harm many users even if the original intention was not malicious.

Core Professional Responsibilities

ResponsibilityWhat it means in practice
integritybe honest about work, data, risks, and mistakes
responsibilityaccept accountability for professional decisions
competencekeep skills current and avoid work beyond ability without support
confidentialityprotect information that should not be disclosed
respect for usersconsider privacy, safety, accessibility, and fairness
professionalismcommunicate clearly and avoid behaviour that damages trust
law-aware conductrecognise when laws, policies, or reporting duties may apply

Example:

A developer finds a security flaw in a school system.

Professional response:

  • do not exploit it;
  • do not publish private details;
  • report it through the proper channel;
  • help fix and test the solution if responsible for the system;
  • document what was found and what action was taken.

The key idea is:

A professional response is not just "avoid breaking the law".
It also includes reducing harm, protecting users, reporting responsibly,
and being honest about risks and limitations.

Ethical Decision Process

Caption: Ethical decisions should identify stakeholders, rules, risks, actions, and review steps.

Use this process for scenario questions:

  1. identify the stakeholders;
  2. identify relevant laws, policies, and professional duties;
  3. identify potential harms and benefits;
  4. choose a responsible action;
  5. document and review the decision.

For H2 Computing answers, do not stop at naming a law or saying an action is wrong. Explain the issue, the affected stakeholders, the possible harm, and the responsible action.

Legal means related to law.

Ethical means related to what should be done responsibly.

They overlap, but they are not identical.

SituationLegal questionEthical question
collecting app usage datais consent or notification required?is the collection necessary and proportionate?
using open-source codedoes the licence allow this use?is attribution clear and honest?
monitoring employeesis the monitoring allowed?is it excessive or unfair?
removing harmful commentsis the content unlawful or against policy?is the moderation transparent and fair?
using AI to screen applicantsare personal data and employment rules followed?is the decision fair, explainable, and reviewed by humans?

Beginner rule:

Legal sets a minimum boundary. Ethics asks whether the action is responsible,
fair, honest, and proportionate.

Examples:

  • An action may be legal but still ethically questionable if it is intrusive, unfair, or misleading.
  • An action may be ethically necessary even before a law forces it, such as warning users about a serious data leak.

At H2 Computing depth, you should recognise broad legal issue areas and connect them to scenarios. You are not expected to memorise detailed statute sections or give legal advice.

Core legal contexts at syllabus depth include:

Legal contextWhat students should recogniseExample scenario
Personal Data Protection Act (PDPA)personal data should be collected, used, disclosed, stored, and protected responsiblyan app collects student names, contact numbers, location data, or medical information
Computer Misuse Actunauthorised access, modification, interception, or misuse of computer systems is a serious legal issuea student guesses a teacher’s password and enters the school system
Copyright and intellectual propertycopying, modifying, distributing, or reusing work without permission or licence compliance can be a legal and professional issuea student copies code, images, or text without checking the licence or giving required attribution
Cybersecurity and critical systemsimportant systems should be protected and cyber risks should be reported responsiblya developer finds a vulnerability in a service used by many people

Useful related contexts include software licences, online falsehoods, online harassment, doxxing, and school or workplace acceptable-use policies.

Important exam warning:

Do not cite a law randomly. Name a law only when the scenario matches its concern,
then explain the harm and responsible action.

For example, a question about copying code may be better discussed using intellectual property, licence, plagiarism, and professional honesty. A question about guessing a password should be discussed as unauthorised access and computer misuse.

The same scenario may involve more than one legal or professional issue.

AreaConcernResponsible response
personal data protectioncollecting, using, disclosing, storing, and protecting personal datacollect only necessary data, state purpose, restrict access, secure storage, delete when no longer needed
computer misuseavoiding unauthorised access, modification, interception, or misusedo not access systems without permission; report vulnerabilities responsibly
copyright and licencesrespecting ownership and permitted use of creative or software workscheck licences, attribute properly, avoid unauthorised copying
cybersecurityprotecting systems and responding responsibly to cyber riskspatch systems, use access control, monitor incidents, communicate responsibly
online falsehoodspreventing harmful spread of false or manipulated informationverify information, correct false claims, avoid amplifying harmful content
online harassment and doxxingpreventing harm through threats, repeated abuse, or exposure of private detailsreport abuse, remove harmful content where responsible, protect affected users

This note is for computing syllabus understanding, not legal advice.

Intellectual Property

Intellectual property issues include copying, modifying, distributing, or using works created by others.

Examples:

  • copying paid software without permission;
  • reusing code without respecting its licence;
  • using images, music, or text without proper permission or attribution;
  • claiming another person’s work as your own;
  • using AI-generated or copied material in a way that violates school rules or hides the true source.

Responsible action includes checking licences, giving attribution where required, and using properly authorised resources.

For programming work, remember:

Open-source does not mean "can do anything".
The licence tells you what use, modification, distribution, and attribution are allowed.

Privacy and Confidentiality

Privacy is about appropriate collection, use, and disclosure of personal data.

Confidentiality is about keeping sensitive information from unauthorised people.

Example:

A database administrator can technically view student records.

That does not mean they should view records without a work-related reason.

Responsible handling of data includes:

  • collect only data needed for a clear purpose;
  • inform users where appropriate;
  • restrict access to authorised people;
  • protect data using suitable security measures;
  • avoid using real personal data in test systems when anonymised data is enough;
  • delete or anonymise data when it is no longer needed;
  • report data leaks through proper channels.

Responsible Disclosure and Whistleblowing

A computing professional may discover a serious problem, such as a data leak, security flaw, unsafe system behaviour, or dishonest practice.

Responsible disclosure means reporting the problem in a way that helps reduce harm.

Professional response:

  • keep evidence only as necessary and handle it carefully;
  • do not exploit the flaw;
  • do not publish passwords, private data, or technical details that enable harm;
  • report the issue to a responsible person or official channel;
  • follow up so that the issue can be fixed;
  • escalate appropriately if the issue is ignored and serious harm may continue.

This does not mean hiding all problems. It means raising problems responsibly so that users are protected.

Scenario Template

Use this template:

PromptExample answer fragment
issueuser location data may be collected unnecessarily
stakeholderstudents, parents, school, app vendor
riskprivacy loss, misuse, unauthorised access
professional dutyminimise data collection and protect stored data
relevant legal contextPDPA may be relevant if personal data is collected or disclosed
safeguardcollect only needed data, state purpose, restrict access, log access
judgementacceptable only if purpose is clear, proportionate, secure, and reviewed

A strong answer should usually include:

issue + stakeholder + benefit/risk + responsible action + balanced judgement

Worked Scenario 1: Copying Real Data into a Test System

Scenario:

A developer is asked to copy user email addresses from a customer database
into a test system.

Possible answer:

PartResponse
issuepersonal data may be exposed outside its original purpose
stakeholderusers, developer, company, test team
riskunauthorised access, accidental disclosure, loss of trust
professional dutyprotect confidentiality and minimise unnecessary data use
relevant legal contextPDPA-style personal data protection concerns may apply
safeguarduse anonymised test data, restrict access, document approval
judgementcopying real emails is inappropriate unless clearly authorised and necessary

This style is useful because it turns a vague ethical concern into a specific professional decision.

Worked Scenario 2: False Information on a School Platform

Scenario:

A student uses a school discussion platform to spread a false claim that a teacher
has been dismissed for misconduct.

Possible answer:

PartResponse
issuefalse information may harm reputation and trust
stakeholderteacher, students, school, platform administrator
riskreputational harm, emotional distress, spread of misinformation
professional dutymoderate harmful content fairly and communicate responsibly
relevant legal contextonline falsehood or harassment-related concerns may arise depending on the details
safeguardverify facts, remove or correct harmful content, keep records, report through school channels
judgementthe platform should not allow harmful false claims to remain online without review

Do not write only:

This is illegal.

A better answer explains what harm may occur and what responsible action should be taken.

Worked Scenario 3: Online Harassment and Doxxing

Scenario:

A user posts another student's phone number and home address in a group chat,
then encourages others to send insulting messages.

Possible answer:

PartResponse
issuedoxxing and harassment expose private information and encourage abuse
stakeholdertargeted student, classmates, school, platform administrator
riskemotional harm, safety risk, privacy loss, escalation of conflict
professional dutyprotect affected users and prevent misuse of the platform
relevant legal contextharassment, doxxing, and personal data concerns may be relevant
safeguardremove the post, restrict the offender if appropriate, preserve evidence, report to responsible staff
judgementthis behaviour is not acceptable because it creates direct harm and misuse of personal information

This scenario shows that computing ethics is not only about databases and hacking. Online communication systems can also cause real harm.

How to Answer Different Question Types

Command wordWhat to doExample response style
identifyname the issue or law/context”This raises a personal data protection issue because location data is collected.”
explaingive reason and consequence”Unauthorised access is harmful because it may expose confidential records.”
discussgive both benefit and risk”Monitoring may improve security, but it may also reduce privacy and trust.”
evaluategive a balanced judgement with conditions”The system is acceptable only if the purpose is clear, data is minimised, and human review is available.”
suggestpropose a safeguard or responsible action”Use anonymised test data instead of real customer emails.”

Useful sentence patterns:

This affects [stakeholder] because...
The benefit is..., but the risk is...
A responsible safeguard is...
This is acceptable only if...

Common Mistakes

  • Saying “the user agreed” without asking whether the user was properly informed.
  • Treating technical access as permission.
  • Assuming free online material can always be copied.
  • Ignoring confidentiality because no hacking occurred.
  • Giving a legal answer only, without discussing professional responsibility.
  • Naming a law without explaining why it applies.
  • Saying “it is just online” when the scenario involves real privacy, reputation, or safety harm.
  • Treating a security flaw as something to show off rather than report responsibly.

Check Your Understanding

  1. Why is confidentiality important for computing professionals?
  2. What is the difference between legal and ethical?
  3. Why should a developer check a code licence before reuse?
  4. What should a professional do after finding a serious security flaw?
  5. Why is technical access not the same as permission?
  6. Give one computing scenario involving online harassment or doxxing.
  7. Give one computing scenario involving a harmful online falsehood.

Answers:

  1. Professionals may access sensitive information that must not be disclosed without authorisation.
  2. Legal concerns what law permits or requires; ethical concerns what responsible action should be taken.
  3. The licence controls how the code may be used, modified, or distributed.
  4. Report it through proper channels and avoid exploiting or publicising sensitive details.
  5. A person may be technically able to view or change something, but they still need a legitimate authorised purpose.
  6. A user repeatedly sends abusive messages or posts another person’s private details online.
  7. A user spreads a false online claim about a public matter that may cause public harm.