Advice for Handling Potential Breaches of the Data Protection Act - Essay Example

Advice for handling potential breaches of the Data Protection Act BY YOU YOUR ACADEMIC ORGANISATION HERE HERE HERE Advice for handling potential breaches of the Data Protection Act Situation brief Joan, a hypothetical employee of INF Ltd., has discovered that information is being collected about various corporate officers and public officials who are employed by different publicly listed companies. Though her immediate supervision has assured her that this is not a problem nor a breach of ethical compliance standards, she is concerned about the activity and is considering reporting INF to the Data Protection Commissioner. This report highlights several areas of the BCS Code of Conduct which should be considered before reporting Joan’s employer as well as offering potential alternative solutions to handling this data protection problem. The BCS Code of Conduct considerations Section 2 of the BCS Code of Conduct clearly states on specific responsibility in the business environment: “You shall have regard to the legitimate rights of third parties” (bcs.org, 2009). It is clearly identified that the term third party consists of potential competitors or any member of the public society who could be adversely affected by certain elements of an information technology system without their full knowledge of these activities. In Joan’s situation, there is clearly an ethical dilemma as none of the aforementioned public officials or corporate officers are aware that information about them is being stored, accessed, and analysed in the INF Ltd. database. Though it has not been offered as to why this information is actually being collected, simply gathering information for future or current use about these officials and public figures creates non-compliance to ethical obligations of the business. This information could be being collected to sell to competing organisations in similar business markets, as one example. Joan has an obligation to recognise that these activities are immoral based on the BCS Code of Conduct and she has legitimate concerns over how this information is being handled and processed. In the event that any of this information might be given to other third parties, there are unlimited opportunities to cause harm to the individuals whose information is being collected. Further, the BCS Code of Conduct states: “You shall avoid any situation that may give rise to a conflict of interest between you and your relevant authority. You shall make full and immediate disclosure to them if any conflict is likely to occur or be seen by a third party as likely to occur” (bcs.org). In Joan’s situation, she has been chosen for the task of collecting this information therefore a conflict of interest has been created not only between herself and her employer, but potentially between herself and the data of the third parties (i.e. the officials). Joan, under the BCS Code of Conduct, performed her obligations effectively by bringing her concerns to her supervisor. Though her superiors took her concerns lightly, Joan is still put into a situation where a conflict of interest has been created as she cannot contact the third parties directly to inform them of the situation. To do so might actually jeopardise her career or her relationships with her superiors, especially if her supervisors actually did secure their obligations under the Data Protection Act. Additionally, the BCS Code of Conduct states, “You shall accept professional responsibility for your work and for the work of colleagues” (bcs.org). In Joan’s situation, simply by accepting a role in the data collection efforts of INF, she is putting herself in a situation where, if the company has performed unethical or even criminal actions in their data collection tasks, she will likely have to face ownership of her actions and may face legal challenges in the process. Since her supervisors have not given her any alternative options, such as refusing the data collection task, she could be putting herself into a potential criminal investigation which could not only affect her job, but her family, lifestyle, or household income. This is a difficult ethical dilemma based on the BCS Code of Conduct, however it is Joan’s responsibility to accept responsibility if she chooses not to pursue reporting these concerns to the Data Protection Commissioner. Finally, the BCS Code of Conduct offers: “You shall ensure that within your professional field/s you have knowledge and understanding of relevant legislation, regulations and standards, and that you comply with such requirements” (bcs.org). Joan, when assigned to this task, did not have the relevant understanding about data protection laws until she attended a seminar about these legal obligations. This is largely the company’s fault for not providing her with the relevant legislation information and they are putting her at risk by asking her to comply with these collection efforts. Moreover, they simply seemed to dismiss her concerns and asked her to go ahead with her group tasks. Joan should take a little more time to explore the relevant laws regarding data protection so that in the event of reporting her issues to the Data Protection Commissioner she is equipped to defend her actions by citing different laws and obligations to support why she made this decision in the first place. This might just be the efforts needed to prevent her from being spotlighted in a fraud or other criminal investigation by relevant authorities. What should Joan do? Joan has one major difficulty in her dilemma which should be highlighted. One business ethics professional offers that complaints from women about problems in business ethics are often challenged because such situations are “supportive of the business status quo” (Larson, 1997, p.73). This seems to be somewhat of a feminist viewpoint in business ethics, however as a female, Joan may have problems being taken seriously about her concerns especially if her management team consists of men. Clearly, at INF, the status quo seems to be a casual viewpoint about data collection procedures on third parties and, if this is a regular business activity at INF, Joan may not have much support at the higher levels of the business. It would seem that her concerns, should she choose to blow the proverbial whistle on their data collection efforts, might come down to her word against the word of several top management officials. If she does not have the support of her supervision about her concerns, proving that her issues have merit against the viewpoints of the business status quo could be increasingly difficult. If this is the case at INF, Joan should once again understand as much of the relevant legislation regarding data protection, including how such reporting actions are handled by the Data Protection Commissioner, prior to lodging a formal complaint or concern. If, through this research, Joan discovers that the penalties as merely an employee involved in data protection crimes are not high, she might be better off to simply trust her supervision’s word and continue about her task of data collection. Maak and Pless (2006) also offer that ethical business leadership, despite being one of the most complicated and pressing issues in business, is also the least understood. What this suggests is that despite the growing, global recognition of corporate social responsibility, there does not seem to be a clearly defined set of obligations regarding moral and ethical business leadership. Once again, Joan may have difficulty convincing a regulatory figure, such as the Data Protection Commissioner, that her concerns are valid should she decide to report. For example, her supervisors, as business leaders, told her flatly not to worry and that all protection measures were in place. She was also not given specific instructions as to why this information was being collected or how it was being used. From most viewpoints, Joan is only acting on her instinct and a limited knowledge of the law regarding these data collection efforts. Joan might also benefit, prior to launching a complaint against her employer, by asking other professionals in the business if they are aware of how the data is being managed and analysed. This way, she can fully understand whether any specific principles of the Data Protection Act or the BCS Code of Conduct have been breached. This will also help her to familiarise herself with data usage in the business, giving her the ability (in the future) to recognise distinct ethical problems in data storage and usage at INF. Because she is unaware of how the data is being managed or why it is being collected, it is recommended that without inquiring from others that she simply continue on with her task of data collection in this scenario. On a different level, a startling statistic is something that Joan should consider: A recent Ernst & Young fraud survey, which highlighted 2,200 employees across Europe, found that nearly half of respondents actually believed that it was acceptable to behave unethically in business (McCurry, 2009). If this is the business status quo in many European industries, Joan may have even more difficulty trying to convince a regulator that data protection issues are occurring at her place of business. For example, this type of belief may be shared even by the Data Protection Commissioner himself/herself, or even in the ranks of her own business supervision, thus her complaints may simply be ignored since she is unable to provide actual proof of corruption or failure to comply with the Data Protection Act. Under these given statistics, with almost 50 percent of respondents believing unethical behaviour is acceptable, Joan may encounter several people in her business (or outside her business in the regulatory environment) who will simply dismiss her due to regular unethical beliefs and values. Another expert in business states, “a human being can only be a moral person if he or she is able to accept responsibility” (Stahl, 2004, p.47). If Joan is working with people who do not feel it necessary to accept responsibility in the event of improper data collection against unwitting third parties, she may simply want to continue about her business to avoid the complications of attempting to argue her concerns in the face of colleagues and external professionals who are unethical and fail to accept responsibility for their business actions. Though this is only hypothetical, the statistics would tend to illustrate that she may well encounter individuals who care little to nothing about her very vague and unsubstantiated concerns. In another entirely different viewpoint, OpRisk & Compliance (2009) identifies that the widespread availability of client data and other third parties is growing considerably, thus theft attempts for this data has become inevitable in a multitude of situations. Joan is concerned that the third parties involved in the data collection may not have been notified about what INF is doing with their information. Joan has another legitimate ethical concern, one in which she is protecting the integrity or potential profitability of her company, in which she could express concerns about potential hackers or internal theft of this information for possible sale to other third parties. Joan, in an attempt to protect her company reputation and her future career, could approach her supervision in a completely different way, rather than focusing on potential unethical behaviours. She could simply express concerns about managing the security of the data, to show that she is an advocate for her company and its success, to avoid supervision developing a negative attitude about her job performance. In this case, she would not have to go to the Data Protection Commissioner, instead she could try to make herself seem like the proverbial team player, and possibly learn more about what is actually going on with the third party data collection efforts in the process. This might avoid, for Joan, a difficult situation if a full-scale investigation were launched to ensure data protection is meeting with compliance whilst protecting her current and future reputation as a job performer in the process. Bibliography Bcs.org. (2009). Code of Conduct. http://www.bcs.org/server.php?show=nav.6030. Accessed 19 July 2009. Larson, Andrea. (1997). Women’s Studies and Business Ethics: Towards a New Conversation – Ruffin Series in Business Ethics. Oxford University Press, 73. Maak, T. and Pless, N. (2006). Responsible Leadership. London: Taylor & Francis Routledge, 101. McCurry, Jim. (2009). White Collar Crime: Sign of the crimes. The Lawyer, London. 15 Jun 2009, 23. OpRisk & Compliance. (2009). Responsible information management – ensuring data privacy in the enterprise. London, Jul 2009, 4-6. Stahl, Bernd C. (2004). Responsible Management of Information Systems. Idea Group Publishing, 47. Read More