Code Of Conduct

A computing professional shall:

1. Strive to achieve high quality in both the processes and products of professional work.

Computing professionals should insist on and support high quality work from themselves and from colleagues. The dignity of employers, employees, colleagues, clients, users, and anyone else affected either directly or indirectly by the work should be respected throughout the process. Computing professionals should respect the right of those involved to transparent communication about the project. Professionals should be cognizant of any serious negative consequences affecting any stakeholder that may result from poor quality work and should resist inducements to neglect this responsibility.

2. Maintain high standards of professional competence, conduct, and ethical practice.

High quality computing depends on individuals and teams who take personal and group responsibility for acquiring and maintaining professional competence. Professional competence starts with technical knowledge and with awareness of the social context in which their work may be deployed. Professional competence also requires skill in communication, in reflective analysis, and in recognizing and navigating ethical challenges. Upgrading skills should be an ongoing process and might include independent study, attending conferences or seminars, and other informal or formal education. Professional organizations and employers should encourage and facilitate these activities.

3. Know and respect existing rules pertaining to professional work.

“Rules” here include local, regional, national, and international laws and regulations, as well as any policies and procedures of the organizations to which the professional belongs. Computing professionals must abide by these rules unless there is a compelling ethical justification to do otherwise. Rules that are judged unethical should be challenged. A rule may be unethical when it has an inadequate moral basis or causes recognizable harm. A computing professional should consider challenging the rule through existing channels before violating the rule. A computing professional who decides to violate a rule because it is unethical, or for any other reason, must consider potential consequences and accept responsibility for that action.

4. Accept and provide appropriate professional review.

High quality professional work in computing depends on professional review at all stages. Whenever appropriate, computing professionals should seek and utilize peer and stakeholder review. Computing professionals should also provide constructive, critical reviews of others’ work.

5. Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks.

Computing professionals are in a position of trust, and therefore have a special responsibility to provide objective, credible evaluations and testimony to employers, employees, clients, users, and the public. Computing professionals should strive to be perceptive, thorough, and objective when evaluating, recommending, and presenting system descriptions and alternatives. Extraordinary care should be taken to identify and mitigate potential risks in machine learning systems. A system for which future risks cannot be reliably predicted requires frequent reassessment of risk as the system evolves in use, or it should not be deployed. Any issues that might result in major risk must be reported to appropriate parties.

6. Perform work only in areas of competence.

A computing professional is responsible for evaluating potential work assignments. This includes evaluating the work’s feasibility and advisability, and making a judgment about whether the work assignment is within the professional’s areas of competence. If at any time before or during the work assignment the professional identifies a lack of a necessary expertise, they must disclose this to the employer or client. The client or employer may decide to pursue the assignment with the professional after additional time to acquire the necessary competencies, to pursue the assignment with someone else who has the required expertise, or to forgo the assignment. A computing professional’s ethical judgment should be the final guide in deciding whether to work on the assignment.

7. Foster public awareness and understanding of computing, related technologies, and their consequences.

As appropriate to the context and one’s abilities, computing professionals should share technical knowledge with the public, foster awareness of computing, and encourage understanding of computing. These communications with the public should be clear, respectful, and welcoming. Important issues include the impacts of computer systems, their limitations, their vulnerabilities, and the opportunities that they present. Additionally, a computing professional should respectfully address inaccurate or misleading information related to computing.

8. Member who are involved in data processing, data control, data transfer or any aspect of data management shall:

8.1 Process the personal data for the sole purpose requested by the data controller and in accordance with the express instructions of the data controller only (to the fullest extent under law).

8.2 keep confidential the personal data that it processes on behalf of data controller and shall ensure that anyone acting under its authority keeps personal data confidential.

8.3 notify the data controller immediately in writing should it be compelled under law to process personal data in any way not specifically requested by the data controller.

8.4 notify the data controller immediately in writing beforehand of any transfer of personal data abroad.

8.5 implement appropriate technical and organizational measures to ensure a level of security appropriate to the data privacy risk. The measures must also be aimed at preventing the unnecessary collection and further processing of personal data.

8.6 periodically evaluate and strengthen, supplement or improve the measures it has implemented insofar as requirements or (technological) developments prompt it to do so.

8.7 Give the data controller the opportunity to periodically check compliance with this Code of Conduct and data privacy laws and regulations in force.

8.8 Notify the data controller in writing of any personal data breach in accordance with applicable laws and regulations in force i.e. within 72 hours after becoming aware of the personal data breach.

8.9 Notify the data controller in writing of complaints and/or requests from data subjects whose personal data are being processed by it on behalf of data controller in accordance with the controller’s Data Privacy Rights Management Policy and any other related policies.

8.10 provide the data controller with reasonable assistance requested by the data controller in connection with a request from, or audit by, a Supervisory Authority or other competent authority, or in connection with a request or complaint from data subjects whose personal data are being processed by the data processor on behalf of data controller

8.11 Assist the data controller in complying with applicable data privacy laws and regulations in force that may require a data controller to conduct data protection impact assessments and/or to consult with Supervisory Authorities.

8.12   shall not outsource the processing of personal data, whether the whole or in part to a subcontractor without the prior written authorisation of the data controller. The data processor’s subcontractor must also, as a minimum, comply with this Code of Conduct. In case the subcontractor fails to fulfil its data protection obligations under this Code, the data processor shall remain fully liable towards the data controller for the (non-) performance of the subcontractor’s obligations under this Code.

8.13  Delete promptly all personal data in its possession after such processing agreement with the data controller, unless otherwise is agreed by the controller and data processor and provide prompt written confirmation to the data controller of same.

8.14 If the personal data is required to be transferred outside of the country, the data controller must provide its prior written consent. Unless otherwise agreed to between the data controller and data processor in writing, the same safeguards in this Code shall apply to any personal data transferred abroad.

VIOLATION OF THE CODE OF ETHICS for computing professionals:

CAICT designees, credential holders, and/or members who violate the Code of Ethics shall be subject to disciplinary actions by the CAICT Ethics Committee.

Acknowledgements

In developing the Code of Professional Ethical Conduct for computing professionals, the Commonwealth Academy of Information and Communication Technology (CAICT) has examined several sources of advice on ethical practices in the field of information technology globally. We want to thank the Saylor Academy whose code of ethics has informed our approach in the provision of principles guiding the conduct of CAICT members. We are equally indebted to the Harel Mallac Data Protection Policy, which provided critical insights and guidelines for maintaining best practices in data protection and ethical behavior for professionals in the technology domain