09
  • Learning Outcomes

    On completion of this module, students should be able to:
    Compare and apply techniques and tools for estimating, scheduling and monitoring a software project
    Explain basic project management concepts (including project planning, scheduling, control and configuration management, and techniques for cost estimation)

    Weeks 9-10 Reading

    Schwalbe p 34,35
    Cadle & Yeates chapters p 411,412
    Bott, Coleman, Eaton, Rowland (2000) Professional Issues in Software Engineering,
    Adams and McCrindle (2008) Pandora’s Box, Social and Professional Issues of the Information Age
    Ayres (1999) The Essence of Professional Issues in Computing, chapters 6,7,8,9,12
    Sommerville, E. 2011, Software Engineering, 9th Edition. Pearson, Ch 1 pp. 14-16. ISBN:0-13-705346-0
    Bott, Coleman, Eaton, Rowland (2000) Professional Issues in Software Engineering 3rd edition, Taylor and Francis

    Content

    The relationship between the law, ethics and computer technology

    Ethical issues

    Application of the law and professional codes of conduct to the IT computing industry

    Introduction to Professionalism in IT projects
    Professionalism means more than just using IT techniques and project management techniques competently
    Includes an understanding of the law and ethics
    Also follows codes of professional conduct and practice governed by both law and ethics

    Computer Ethics

    The analysis of the nature and the social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology
    James Moor What is Computer Ethics, 1985

    3 properties that make computers a special case (Moor, 1985)

    Logical malleability
    Logic of computers can be shaped in infinite ways through changes in hardware and software and usage
    flexibility

    Impact on society
    Invisibility factor
    3 kinds of invisibility that can have ethical significance
    Invisible abuse
    Invisible programming
    Invisible complex calculation

    Invisibility factors (Moor, 1995)

    Invisible abuse
    ‘the intentional use of the invisible operations of a computer to engage in unethical conduct’
    e.g. programmer stealing excess interest at a bank
    Invasion of the property & privacy of others
    e.g. programming to remove/alter confidential information

    Invisible programming values
    Values may be embedded in the final program and invisible to someone who runs the program

    Invisible complex calculation
    Can we trust these calculations?
    e.g. military/medical applications

    Gotterbarn, Johnson & Nissenbaum (1995)

    Another viewpoint
    Computer ethics is no different from other branches of professional ethics (medical ethics)

    Advises that the digital environment simply requires a different approach to resolving problems (e.g. privacy)

    Key issues directly related to computer ethics

    Stealing (hacking)
    Intellectual property
    The right to privacy
    The right to equality
    Keeping promises (e.g. professionals meeting a deadline)
    Not lying
  • Ethics and the law

    Legal and ethical
    Not legal but ethical
    Not ethical but legal
    Not ethical and not legal

    Ethics in Project Management

    Ethics, loosely defined, is a set of principles that guide our decision making based on personal values of what is “right” and “wrong”

    Project managers often face ethical dilemmas

    In order to earn PMP certification, applicants must agree to PMI’s Code of Ethics and Professional Conduct

    1. http://onlineethics.org
    2. http://ieeessit.org for IEEE Society on Social Implications of Technology
    3. http://computingcases.org

    PMI Code of Ethics and Professional Conduct – includes:

    As practitioners in the global project management community:
    We make decisions and take actions based on the best interests of society, public safety, and the environment
    We accept only those assignments that are consistent with our background, experience, skills, and qualifications
    We fulfill the commitments that we undertake – we do what we say we will do …
    We inform ourselves about the norms and customs of others and avoid engaging in behaviour they might consider disrespectful

    PMI Code of Ethics and Professional Conduct

    We listen to others’ points of view, seeking to understand them

    We approach directly those persons with whom we have a conflict or disagreement

    We demonstrate transparency in our decision making process

    We constantly re-examine our impartiality and objectivity, taking corrective action as appropriate

    We proactively and fully disclose any real or potential conflicts of interest to appropriate stakeholders

    We earnestly seek to understand the truth

    We are truthful in our communications and in our conduct

    Intro’ to Professionalism and IT Project Management

    3 general characteristics of professionalism

    Being knowledgeable about your field
    Keep up to date in your specialist areas
    Obligation to take CPD (continuous professional development)

    Being competent to practice
    Able to apply your knowledge competently
    Competent decision (technical and ethical)

    Taking responsibility for one’s actions
    When things go wrong
    Open and honest in your dealings
    Practice responsibility

    Professional Bodies

    Role of a professional body

    Regulates a profession
    British Computer Society (BCS)
    Responsibilities include
    To advance knowledge
    To uphold and improve standards
    To set education and training standards
    To advise the government

    British Computer Society

    The BCS code of conduct covers:
    Public interest
    Duty to relevant authority
    Duty to profession
    Professional competence and integrity

    The BCS code of practice covers:
    Common practices
    Key IT practice areas
    Practice specific to education and research

    PMI

    Project Management Institute code of ethics and professional conduct
    http://www.pmi.org/about/ethics/code
  • Legislation And Regulations That Could Affect You

    Data Protection Act 1998

    Regulation of Investigatory Powers Act 2000

    Draft Investigatory Powers Bill - requires web and phone companies to store records of websites visited by every citizen for 12 months for access by police, security services and other public bodies.

    Computer Misuse Act 1990 (Amendment) Act 2005. This Act does not extend to Scotland.

    E-commerce Regulations 2002

    Freedom of Information Act 2000

    Freedom of Information (SCOTLAND) Act 2002

    BS7799 certification

    Anti-money laundering (Criminal Justice Act 1988, Drug Trafficking Act 1994, Terrorism Act 2000)

    Financial Services Authority Operational Risk Systems and Controls guidelines

    The Financial Services and Markets Act 2000

    International Financial Reporting Standards

    Information Commissioner’s Code on Employer’s Monitoring Practices

    Basel II Accord

    EU Directive on Privacy and Electronic Communications

    EU Insurance Mediation Directive

    EU Directive on Data Protection

    US Sarbanes-Oxley Act

    US Patriot Act

    US Reduction in Distribution of Spam Act (proposed)

    Human Rights Act 1998

    Copyright Patents and Designs Act 1988

    IT Project Management and Related Law

    A professional must be aware of relevant law:
    Software Ownership and Copyright
    Contract Law
    Data Protection and Privacy Legislation
    Computer Misuse
    Health and Safety
    Regulation of Investigatory Powers Act (RIP)

    Software Ownership
    Intellectual Property Rights apply to software
    Patent law – covers commercial inventions
    Can be a product or a process
    Usually used for hardware
    Trademarks

    Software Copyright – what is it?
    Copyright is the ‘expression of an idea’
    It must be original and recorded
    All software is subject to copyright

    Who owns the copyright?
    The creator of the work

    Only the owner of the copyright can use the work
    Software license
    Software Contracts

    ‘Expression of Idea’
    Code
    design

    Free software
    Not copyright free, but given with some restrictions waived
    Freeware
    Open source software
    Public domain software
    Shareware
  • DATA PROTECTION ACTS 1998

    EC Directive on Data Protection (95/46/EC)

    1984 Act
    Covers the storage and use of certain categories and usage of personal data in electronic form

    1998 Act
    Extended to cover manually held data
    Extended the range of data considered personal data

    Reasons for Data Protection Act

    1. To protect private individuals from the threat of the use of erroneous information about them and also the misuse of correct information about them
    2. To ensure compliance with the Council of Europe’s Convention on Data Protection

    Data Protection legislation (1984 & 1998)

    Enforces 8 data protection principles

    Probably the most important computer based legislation

    Initially brought in via 1984 Data Protection Act
    To cover computer based storage and processing of personal data
    To allow UK to comply with international data interchange regulations

    Re-enforced by 1998 legislation
    Responding to a 1995 EU directive
    Now covers both computer-based and non-computer-based data

    Definitions

    DATA
    Information recorded in a form in which it can be processed by equipment operating automatically in response to instructions given for that purpose

    PERSONAL DATA
    Information relating to a living individual who can be identified from that information or that and other information in the possession, or likely to come into the possession, of the Data Controller. It includes any expression of opinion about the individual and any indication of intention of the Data Controller or any other person in respect of that individual

    Status Of New Act

    The Act received Royal Assent 16 July 1998

    Implementation of Act 24 October 1998

    Act came into force 1 March 2000

    Data Protection Act 1984 (Old)

    Main Issues
    Relevant to all personal data processed on a computer
    Personal data held and its use must be registered
    1st Data subject has right to request copy of data held and the right to have it corrected
    Illegal disclosure

    Data Protection Act 1998

    Additional Issues
    Includes manual records
    Personal data held, its use and security measures must be notified
    2nd Right to object to other processing likely to cause substantial damage or substantial stress
    3rd Right to object to direct marketing
    Transmission of personal data outside EEA (28 EU States, Iceland, Norway, Liechtenstein)

    Data Protection (1998) – 8 Principles

    Personal data shall be:
    1. Processed fairly and lawfully
    2. Obtained & processed for specified purposes
    3. Adequate, relevant and not excessive
    4. Accurate and up to date
    5. Held no longer than necessary
    6. Processed in accordance with the rights of the data subject
    7. Kept secure
    8. Transferred outside of the EEA only if adequate safeguards exist

    7. Kept secure
    Principle 7 is important because it makes it clear that security is an important aspect of data protection, and is perhaps the most important of all principles. It also applies to anything that travels over the internet.

    If you have good security then that’s a unique selling point and one benefit that could seal the deal.

    8. Transferred outside of the EEA only if adequate safeguards exist
    You may reasonably decide there is adequate protection without a detailed analysis, depending on: the nature of the information; the circumstances of the transfer; your knowledge of the country; and the company you are transferring to. Some examples are discussed below.

    Example 1

    A university wishes to transfer the academic biographies of its lecturers and research staff to other universities and potential students outside the EEA. Nothing of a private nature is included.

    This is a well-known practice in the university. The personal data, such as the staff’s qualifications and publications, is already publicly available. Any member of staff can have their information withheld if they have a reason to do so – such as concerns about their safety. In this case, it is difficult to see a problem with adequacy as the potential for staff to object has been addressed and there is little further risk of misuse.

    Example 2

    Company A in the UK sends its customer list to company B outside the EEA so that company B, acting as a processor, can send a mailing to company A’s customers. It is likely that adequate protection exists if:

    the information transferred is only names and addresses;

    there is nothing particularly sensitive about company A’s line of business;

    the names and addresses are for one-time use and must be returned or destroyed within a short timescale;

    company A knows company B is reliable; and

    there is a contract between them governing how the information will be used.
  • Conditions for Processing

    One of the following conditions must be satisfied:
    Individual has given consent
    Necessary for performance of contract with individual
    Required under a legal obligation
    Necessary to protect vital interest of the individual
    To carry out public functions
    Necessary in order to pursue the legitimate interest of the data controller or certain third parties

    Conditions for Processing Sensitive Data

    In addition to one of the previous conditions, at least one of the following must also be satisfied:
    Data subject has given explicit consent
    Processing is necessary for
    Performance of legal duty in relation to employment
    Protection of subject’s or third party’s vital interests
    Legitimate activities of some non-profit organisations
    In connection with legal proceedings
    Administration of Justice
    Crown/Public functions
    Medical purposes

    Data Subjects Rights of Access

    Copy of any data processed by reference to individual

    Description of the data being processed

    Description of the purposes for which it is being processed

    Description of any potential recipients of individual’s data

    Any information as to the source of the data on the individual

    Logic involved in any automated decision making

    Direct Marketing

    Individuals must be given the opportunity to opt-out

    For sensitive data, individuals must be given the right to opt in

    Mailing lists are exempt for First Transitional period only if
    the personal data consists only of names, addresses or other particulars affecting distribution
    where processing is carried out only for purposes of distribution or recording the distribution of articles or information to the data subject
    the data subject must have been asked whether he objects to his personal data being processed in this way

    Transitional Arrangements

    Processing already underway

    First transitional period 24/10/1998 to 23/10/2001
    Total exemption for manual filing systems. Also automated data used for payroll and accounts, unincorporated members clubs, mailing lists, backup data
    Partial exemption for data held prior to 24/10/1998 from Notification, Enhanced Access rights, new Data Protection Principles, new Data Subjects Rights

    Second transitional period 24/10/2001 to 23/10/2007
    Partial exemption for manual data which gives until 2007 to conform totally with Data Protection Principles 1-5

    Data Protection Act 1998

    On Wednesday 24th October 2001 the full provisions of the Data Protection Act 1998 came into force. Briefly this means that
    all personal information held on paper, emails, computer files, audio and visual tapes from collection to disclosure and storage now come under the auspices of the Act.
    all companies must now advise internet site visitors of their intention to use COOKIES to collect data and the intended purpose of the data gathered

    personal information includes any facts or opinions about any living person
    all personal information is required to be kept accurate, up to date (e.g. ensure changes of programmes, modules, addresses, etc are undertaken quickly and the Central Student Record System updated) and secure (i.e. don't leave personal information lying around)
    personal information must not be disclosed to third parties (i.e. parents, organisations, referees, etc.) see http://www.gcu.ac.uk/dataprotection/enquiries/
    all personal information (including minutes of meetings, exam/assessment comments, locally and centrally kept files on paper or computer) must be provided by the University in response to a Subject Access Request.
    University Data Protection Guidelines can be found at http://www.caledonian.ac.uk/datap
  • Computer Misuse Act 1990

    29 August 1990

    Status Of New Act

    Received Royal Assent 29 June 1990

    Act came into force 29 August 1990

    The Act created 3 new criminal offences
    Unauthorised access to computer material (that is, a program or data).
    Unauthorised access to computer material with the intent to commit or facilitate the commission of a serious crime.
    Unauthorised modification of computer material

    The Act defines (1) (the basic offence) as a summary offence punishable on conviction with a maximum prison sentence of six months or a maximum fine of £10,000 or both.

    The Act goes on to describe offences (2) and (3) as triable either summarily or on indictment, and punishable with imprisonment for a term not exceeding 10 years or a fine or both.

    These sentences clearly reflect the perceived gravity of the offence and would imply that universities should take an equally serious view of hacking or virus proliferation.

    Example 1, Unauthorised Access to Computer Material

    This would include: using another person's identifier (ID) and password without proper authority in order to use data or a program, or to alter, delete, copy or move a program or data, or simply to output a program or data (for example, to a screen or printer); laying a trap to obtain a password; reading examination papers or examination results.

    The response to some actions will depend on the specific conditions of use in force. Take, for example, unauthorised borrowing of an identifier from another student in order to obtain more time for a computer project the student was required to complete. In this case both the student who borrowed the ID and the student who lent it would be deemed to have committed an offence.

    Example 2, Unauthorised Access to a Computer with intent.

    This would include: gaining access to financial or administrative records, but intent would have to be proved.

    Example 3, Unauthorised Modification of Computer Material.

    This would include: destroying another user's files; modifying system files; creation of a virus; introduction of a local virus; introduction of a networked virus; changing examination results; and deliberately generating information to cause a complete system malfunction.

    Richard Clayton, a researcher at Cambridge University’s computer laboratory, said that remote searches had been possible since 1994, although they were very rare. An amendment to the Computer Misuse Act 1990 made hacking legal if it was authorised and carried out by the state.

    Police set to step up hacking of home PCs

    David Leppard
    THE Home Office has quietly adopted a new plan to allow police across Britain routinely to hack into people’s personal computers without a warrant.

    The move, which follows a decision by the European Union’s council of ministers in Brussels, has angered civil liberties groups and opposition MPs. They described it as a sinister extension of the surveillance state which drives “a coach and horses” through privacy laws.

    The hacking is known as “remote searching”. It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room.

    Material gathered in this way includes the content of all e-mails, web-browsing habits and instant messaging.
  • Regulation Of Investigatory Powers Act 2000

    24 October 2000

    Status Of New Act

    Implementation of Act 24 October 1998

    Act came into force 24 October 2000

    The Regulation of Investigatory Powers Act (RIP), 2000

    RIP Act enables the government to demand that a public telecommunications service provides access to a customer’s communications in secret.

    Telecommunications service - includes
    Internet services providers
    Phone companies
    Someone running a website

    Under certain circumstances the government can order that the external communications of a telecommunications service be intercepted
    National security, preventing serious crime, safeguarding economic well being, interests of public safety, protecting public health, tax assessment/collection, preventing death/injury

    Includes mass surveillance warrants for ISPs to fit equipment

    ISP must comply and keep this secret

    Government can demand decryption keys (to access protected information)

    It is an offence not to hand over a decryption key (2 years in prison)

    If notice to hand over the key demands secrecy, it is an offence to reveal this (5 years in prison)

    Employers’ Rights-1

    Regulations authorise companies and non-commercial organisations to monitor communications transmitted over their systems when:
    establishing facts
    ascertaining compliance with rules of regulators
    ascertaining standards of service which ought to be achieved

    Employers’ Rights-2

    preventing or detecting crime

    investigating unauthorised use of the telecommunications system

    ensuring the effective operation of the system

    checking communications are relevant

    monitoring calls to free counselling helplines

    Employees’ Rights-1

    employees’ communications cannot be monitored without consent except for the reasons given in Employers’ Rights

    if an employer breaks the law the sender or recipient may be able to sue for damages

    although Human Rights Act guarantees a right to privacy, experts say it is unlikely to help if employer sticks to monitoring calls within terms of the RIP Act

    Employees’ Rights-2

    Interceptions must be in accordance with the Data Protection Act 1998

    Critics of RIP Act argue

    RIP Act allows government to access a person’s electronic communications in a highly unrestricted manner – infringement of privacy

    The term ‘warranted interception’ is sufficiently vague to permit electronic surveillance of anyone under any circumstance

    Government can therefore gather information on
    What websites you visit and when, who you email, who emails you, what newsgroups you read, all the phone numbers you call, what software you download, documents you download, where and when you log on to a machine

    Specific concerns have been raised about the government’s powers to require ISPs to fit surveillance equipment
    Could allow ‘back door’ into the system for the purposes of monitoring
    Could be a security issue

    Legal requirement to hand over decryption keys undermines the use of public key systems

    Key holders have to either
    disclose their private keys (thus compromising all of the information sent to them), or
    risk going to prison for destroying, forgetting or losing a key

    TU spokesman, “Employers should not be allowed to routinely screen e-mail and phone calls – certainly not without consent. What is needed is a Code of Practice so that everyone knows where they stand”.

    Civil Liberties, “Employees had a right to privacy in the workplace but could risk losing their jobs if they challenged their bosses”.

    Government Minister, “Regulations struck a balance between protecting privacy and enabling industry to get the maximum benefit from technology. RIP Act placed limits on employers and would prevent them from intercepting personal calls for unjustified or scurrilous interest”.

    Computer Security Expert, “Companies should be able to monitor their communications facilities, especially if they feared workers were downloading pornography”.

    Many workers experience stress because their activities are now monitored closely by an “invisible supervisor”, i.e. the computer using “packet sniffing” software such as the FBI’s Carnivore and MI5’s Black box, which can monitor data communicated between networked computers by capturing data (packets) across a computer network.

    75.3% of major US firms admit to recording and reviewing employee communication and activities on the job, including their phone calls, e-mail, computer files, phone logs or CCTV and videotaping for security purposes. Not surprisingly, these kinds of surveillance and monitoring techniques often cause employee stress.

    Experiments with rats show that observing them long enough made them neurotic

    Thus computerised monitoring of employees raises a number of ethical issues. The central issue involves the privacy rights and expectations of individuals, especially as they pertain to the workplace. Employee privacy issues include the use of e-mail in the workplace: do employees, for example, have a right to send and receive private e-mail on an employer’s system? Many organisations have developed explicit policies regarding the use of e-mail as well as other employer-owned computer-system resources, while other institutions and companies have not.

    As a result, it is not always clear what kinds of personal privacy protection employees can expect.

    The debate should be an argument for competing but equally legitimate claims for “privacy and transparency.” If individuals (employees) are given an absolute right to privacy, they may act only in their own interest and thereby defraud the employer.

    It is also worth noting that if the employer is given a complete right to transparency, it may strip the employee of autonomy and self-determination by making inappropriate judgements that only serve the interest of the employer. We can thus conclude that we need a framework that would “distribute” the right to privacy of the employee and the right to transparency of the employer.

    Arguments Used to Support Computer Monitoring | Arguments Used to Oppose Computer Monitoring
    Helps to reduce employee theft | Increases employee stress
    Helps to eliminate waste | Undermines employee trust
    Helps employers to train new employees | Reduces individual autonomy
    Provides employers with a motivational tool | Invades worker privacy
    Improves competitiveness | Focuses on quantity rather than quality of work
    Saves the company money | Creates an “electronic sweatshop”
    Guards against industrial espionage | Provides employers with an “electronic whip”
    Improves worker productivity and profits | Reduces employee morale and overall productivity
  • Freedom of Information:

    Minutes of Assessment Boards

    Freedom of Information

    Implications of FoI

    FoI and Minutes of Assessment Boards

    Further information

    Freedom of Information Act 2000

    Freedom of Information (Scotland) Act 2002
    Act passed 24 April 2002
    Received Royal Assent 28 May 2002
    Fully in force 1 January 2005

    Section 1(1)
    “A person who requests information from a Scottish Public authority which holds it is entitled to be given it by the Authority.”

    How are these objectives to be achieved

    Publication Schemes
    (proactive, available as a matter of course)

    Information Requests
    (reactive, respond to requests not covered by PS)

    Records Management Systems
    (how Act to be carried out)

    FoI and Minutes of Assessment Boards

    Personal Information

    Confidential sections

    Timings

    Data protection responsibilities with respect to Assessment Boards and the reporting of student results. 

    Student results and performance – the only person to whom you should release marks, or with whom you should discuss performance, progression or what happens next, is the student themselves. It is acceptable to outline University regulations to parents, or others, but the actual situation of the student must not be discussed unless you have the permission of the student.

    Giving out results over the telephone – results should not be given out over the telephone even to someone purporting to be the student. How do you know the identity of the individual at the other end of the phone?

    Assessment board minutes – these can be requested under both data protection and freedom of information legislation, hence it is important that they are produced in a specific manner which separates out personal information. A sample layout is attached along with a PowerPoint presentation which you may find useful.

    FoI and Minutes of Assessment Board

    Unconfirmed Minutes

    Minutes of Assessment Boards should be confirmed within 12 weeks of the meeting
  • BCS Code of Conduct

    Any breach of the Code of Conduct brought to the attention of the Society will be considered under the Society’s Disciplinary procedures. You should also ensure that you notify the Society of any significant violation of this Code by another BCS member.

    1. The Public Interest
    2. Professional Competence and Integrity
    3. Duty to Relevant Authority
    4. Duty to the Profession

    1. The Public Interest

    In your professional role you shall:

    a. have due regard for public health, privacy, security and wellbeing of others, safety and the environment.
    This is a general responsibility, which may be governed by legislation, convention or protocol.
    If in doubt over the appropriate course of action to take in particular circumstances, you should seek the counsel of a peer or colleague.

    b. have due regard to the legitimate rights of Third Parties.
    The term 'Third Party' includes professional colleagues, or possibly competitors, or members of 'the public' who might be affected by an IT System without their being directly aware of its existence.

    c. conduct your professional activities without discrimination on the grounds of sex, sexual orientation, marital status, nationality, colour, race, ethnic origin, religion, age or disability, or of any other condition or requirement

    d. promote equal access to the benefits of IT and seek to promote the inclusion of all sectors in society wherever opportunities arise.

    2. Professional Competence and Integrity

    You shall:

    a. only undertake to do work or provide a service that is within your professional competence.

    b. NOT claim any level of competence that you do not possess.
    only offer to do work or provide a service that is within your professional competence.

    c. develop your professional knowledge, skills and competence on a continuing basis, maintaining awareness of technological developments, procedures, and standards that are relevant to your field.

    d. ensure that you have the knowledge and understanding of Legislation and that you comply with such Legislation, in carrying out your professional responsibilities.

    e. respect and value alternative viewpoints and seek, accept and offer honest criticisms of work.

    f. avoid injuring others, their property, reputation, or employment by false or malicious or negligent action or inaction.

    g. reject and will not make any offer of bribery or unethical inducement

    3. Duty to Relevant Authority

    You shall:

    a. carry out your professional responsibilities with due care and diligence in accordance with the Relevant Authority’s requirements whilst exercising your professional judgement at all times.

    b. seek to avoid any situation that may give rise to a conflict of interest between you and your Relevant Authority.
    You shall make full and immediate disclosure to them if any conflict is likely to occur or be seen by a third party as likely to occur. You shall endeavour to complete work undertaken on time and to budget and shall advise the Relevant Authority as soon as practicable if any overrun is foreseen.

    c. accept professional responsibility for your work and for the work of colleagues who are defined in a given context as working under your supervision.

    d. NOT disclose or authorise to be disclosed, or use for personal gain or to benefit a third party, confidential information except with the permission of your Relevant Authority, or as required by Legislation.

    e. NOT misrepresent or withhold information on the performance of products, systems or services, (unless lawfully bound by a duty of confidentiality not to disclose such information), or take advantage of the lack of relevant knowledge or inexperience of others.

    4. Duty to the Profession

    You shall:

    a. accept your responsibility to uphold the reputation of the profession and not take any action which could bring the profession into disrepute.

    b. seek to improve professional standards through participation in their development, use and enforcement.

    c. uphold the reputation and good standing of BCS, the Chartered Institute for IT.

    d. act with integrity and respect in your professional relationships with all members of BCS and with members of other professions with whom you work in a professional capacity.

    e. notify BCS if convicted of a criminal offence or upon becoming bankrupt or disqualified as a Company Director and in each case give details of the relevant jurisdiction.

    f. encourage and support fellow members in their professional development.

    http://www.bcs.org/
  • ACM/IEEE Software Engineering Code of Ethics and Professional Practice

    Software engineers shall commit themselves to making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the following Eight Principles:

    1. PUBLIC - Software engineers shall act consistently with the public interest.
    2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the best interests of their client and employer consistent with the public interest.
    3. PRODUCT - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.
    4. JUDGMENT - Software engineers shall maintain integrity and independence in their professional judgment.
    5. MANAGEMENT - Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance.
    6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.
    7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues.
    8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.

    Virtues of Codes of Conduct and Ethics
    Lay down common standards of behaviour.
    Important in supporting any refusal by a professional to behave unethically.
    Take public interest or human rights into account.
    Inspire members of a profession to behave ethically.
    Discipline members when they violate one or more of the code’s directives.
    Enhance the profession in the eyes of the public.

    Shortcomings of Codes of Conduct and Ethics
    Ethical issues are complex and have to be resolved by individuals. It is not possible to resolve such dilemmas simply by producing a set of rules to follow.
    There is no justification for any code, since the kinds of ethical dilemmas or problems that professionals face are no different from those which people encounter in general, regardless of whether they belong to a profession or not.
    There may be secondary motives such as the desire to enhance the status of the profession.
    Give rise to complacency: practitioners may think that so long as they observe the code they need not concern themselves with any ethical issues.
    Codes help to draw attention away from significant issues, such as how technology should be introduced or controlled, to smaller more immediate issues, such as the conduct of individuals.
    Concern of professionals often seems as much to avoid being held responsible for problems or disasters as to prevent them.

    Ethics Tests

    1. Harm/Beneficence Test
    Determine whether the impact of this action is harmful (does it produce physical or mental suffering, impose financial or non-financial costs, or deprive others of important or essential goods?) or beneficial (does it increase safety, quality of life, health, security, etc.?).

    2. Publicity Test (Virtue ethics)
    Would others view you as a good person for what you are about to do?

    3. Reversibility Test
    If you were in their place, would you still find the action treated you with respect?

    4. Code of Ethics Test

    5. Feasibility Test
    Brings in a series of practical constraints by asking whether the selected alternative can be implemented given time, financial, legal, personal, and social constraints.

    Harm/Beneficence Test
    Publicity Test
    Reversibility Test
    Code of Ethics Test
    Feasibility Test

    The ethics tests help us learn that ethical decision making is not simply a matter of applying rules.

    The rules, in the guise of these ethics tests, often don't establish a definitive answer (or even a set of definitive answers).

    The most help they can provide is to guide thinking on the issues and to rule out some clearly inappropriate choices.

    These tests provide reasons that can be appealed to in making ethical arguments. For example, one can argue against an action on the grounds that it would produce harm (violating the harm test), place others at risk (which is not reversible), and expose an operator as a cowardly person who callously exposes others to severely diminished personal privacy and rights (publicity test).

    Should Internet service providers be liable for the material on their bulletin boards?

    Service providers are, according to the Defamation Act 1996, not held responsible for libellous statements posted at sites they maintain provided they can show that they do not edit or vet the material that their users post. But the legal position of service providers is confused by the fact that they are supposed to take reasonable care in preventing libellous material from appearing.

    This situation leaves service providers in something of a dilemma. They must strike a balance between the extremes of allowing any material to appear on their site (thus failing to take reasonable care) and vetting material excessively, so putting themselves into an editorial role and becoming liable as editors.

    Service providers can also find themselves legally exposed in other areas, such as when obscene material is posted to a site they maintain. The Obscene Publications Act 1959 as later amended by the Criminal Justice and Public Order Act 1994 makes it an offence to publish an obscene article or to possess such an article for gain (for example, with the intention to sell or later publish it).

    Recent amendments to the law make it clear that publication includes electronic transmission of data that is obscene when viewed. This means that sending e-mails containing obscene material is an offence (even if the contents of the e-mail are encrypted). More stringent controls are applied to certain kinds of obscene material; for instance, possession of indecent photographs of minors with intent to show them is a separate, more serious, offence.

    The particular problem posed for service providers by obscene material is that should they unwittingly provide such material (for example, by maintaining a bulletin board or FTP site where someone has uploaded obscene material) they may be held legally responsible as the publishers of the material.

    The only defence available to such providers is to show both that they did not look at the obscene material that they unwittingly published and that they had no cause to inspect it.
  • Discussion question:

    Explain how the universal use of the Web has changed software systems.
  • Key Terms

    Software Engineering: It is an engineering discipline that is concerned with all aspects of software production.
    Codes of conduct: Published by professional societies, these set out the standards of behaviour expected of their members.
    ACM/IEEE Software Engineering Code of Ethics and Professional Practice: Software engineers shall commit themselves to making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the Eight Principles of the Code.
    Computer Ethics: The analysis of the nature and the social impact of computer technology and the corresponding formulation and justification of policies for the ethical use of such technology.
    Ethics: A set of principles that guide our decision making based on personal values of what is “right” and “wrong”.
    Harm/Beneficence Test: Determine whether the impact of this action is harmful (does it produce physical or mental suffering, impose financial or non-financial costs, or deprive others of important or essential goods?) or beneficial (does it increase safety, quality of life, health, security, etc.?).
    Feasibility Test: Brings in a series of practical constraints by asking whether the selected alternative can be implemented given time, financial, legal, personal, and social constraints.
    BCS Code of Conduct: Any breach of the Code of Conduct brought to the attention of the Society will be considered under the Society’s Disciplinary procedures. You should also ensure that you notify the Society of any significant violation of this Code by another BCS member.
    The Regulation of Investigatory Powers Act (RIP), 2000: The RIP Act enables the government to demand that a public telecommunications service provide access to a customer’s communications in secret.