Cards: Professional Conduct, Legal Frameworks, and Best Practice

111 Terms

1

What are Ethics?

Principles of right and wrong that guide behavior.

2

Give an example of ethics.

Avoiding plagiarism.

3

What are Legal Frameworks?

Laws based on ethics that regulate behavior.

4

Give an example of a Legal Framework.

Not sharing someone's private information without consent.

5

What is Best Practice?

Going beyond legal requirements to act ethically.

6

Give an example of Best Practice.

Asking for clear permission before collecting personal data.

7

What are Standards?

Formal rules that define and enforce best practice.

8

Give an example of a Standard.

Following guidelines like GDPR to protect personal data.

9

What was the main framework for data protection in the UK before 2018?

The Data Protection Act (DPA).

10

What rights did the DPA grant to 'data subjects'?

Individuals could request a copy of personal data held about them (Subject Access Request).

11

What obligations did the DPA impose on organisations?

Organisations had to ensure personal data was securely stored.

12

What role did the DPA introduce?

The Information Commissioner role.

13

What could the Information Commissioner do under the DPA?

Issue fines for non-compliance and maintain a register of data controllers.

14

What replaced the DPA in 2018?

The General Data Protection Regulation (GDPR).

15

What are the key enhancements under GDPR for data subjects?

Expanded rights for data subjects, including the Right to be Forgotten.

16

Give an example of an expanded right for data subjects under GDPR.

Introduced the Right to be Forgotten, allowing individuals to request data deletion.

17

What are the key enhancements under GDPR for organisations?

Stricter obligations for organisations.

18

Give an example of a stricter obligation for organisations under GDPR.

Required organisations to notify authorities of data breaches within 72 hours.

19

How was the role of the Information Commissioner strengthened under GDPR?

Increased fines, up to €20 million or 4% of global turnover, for non-compliance.

20

Why does GDPR compliance matter if you collect personal data about EU citizens?

You must comply with GDPR, regardless of where your organisation is based.

21

In the UK, who carries out investigation and enforcement for GDPR?

The Information Commissioner’s Office (ICO).

22

What are the penalties for non-compliance with GDPR?

Major fines – up to 4% of global turnover or €20 million, whichever is higher.

23

Give an example of a major GDPR fine.

British Airways: £183 million (2019).

24

What is the key takeaway regarding GDPR compliance?

Compliance is essential to avoid significant financial and reputational damage.

25

What is required for data collection under GDPR regarding consent?

Data collection requires informed and freely given consent.

26

Can individuals withdraw consent under GDPR?

Yes, individuals can withdraw consent at any time.

27

What is the Right to Be Forgotten?

Individuals can request data deletion.

28

What is the Right of Access under GDPR?

Individuals can access their personal data held by organisations.

29

What is the Breach Notification provision under GDPR?

Organisations must notify individuals and regulators of data breaches.

30

What is Personal Data?

Any information relating to a person who can be directly or indirectly identified.

31

To whom does personal data apply?

Only applies to natural persons (i.e., living individuals).

32

Is re-identification easy even if identifying details are removed from personal data?

Re-identification is surprisingly easy, even if identifying details are removed!

33

What does Sensitive Personal Data include?

Includes data about protected attributes (e.g., health, race, religion).

34

What does collection of sensitive personal data require?

Requires greater justification for collection.

35

What security measures are needed for sensitive personal data?

Must be protected with higher security measures.

36

What is the key difference between personal and sensitive personal data?

Sensitive personal data involves stricter rules and protections due to its potential impact on individuals.

37

What are the seven principles of GDPR?

Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity and Confidentiality; Accountability.

38

What does Lawfulness, Fairness, and Transparency mean for GDPR compliance?

Comply with other laws and provide evidence of lawfulness.

39

What does Purpose Limitation mean for GDPR compliance?

Collect data only for specified, valid reasons and inform individuals.

40

What does Data Minimisation mean for GDPR compliance?

Limit data collection to what is relevant and necessary for the stated purposes.

41

What does Accuracy mean for GDPR compliance?

Ensure data is up to date and allow individuals to correct inaccuracies.

42

What does Storage Limitation mean for GDPR compliance?

Delete data when it is no longer needed.

43

What does Integrity and Confidentiality mean for GDPR compliance?

Protect data from unauthorised access or breaches.

44

What does Accountability mean for GDPR compliance?

Demonstrate compliance with GDPR by keeping records and documenting actions.

45

What approval is required for research involving personal data?

Approval from Ethics Review Boards (ERBs).

46

What must be done in Participatory Research regarding data?

Obtain informed consent from participants. Plan and document data handling, use, and retention.

47

What must be ensured when Building Systems regarding data?

Ensure compliance with data handling protocols and lawfulness. Follow specific conditions for using third-party libraries.

48

Why is it important to Document Everything for compliance?

Keep detailed records to demonstrate compliance with what you planned and stated.

49

What should you do if you are Working Alone regarding relevant laws?

You’ll need to familiarise yourself thoroughly with the relevant laws and regulations to ensure compliance.

50

What is the first rule under PROFESSIONAL COMPETENCE AND INTEGRITY in the BCS Code of Conduct?

Only undertake to do work or provide a service that is within your professional competence.

51

Give an example related to the first rule of professional competence.

If you're asked to design a database system but have no experience with databases, you should not proceed unless you’ve been trained or can consult with an expert.

52

What is the second rule under PROFESSIONAL COMPETENCE AND INTEGRITY?

NOT claim any level of competence that you do not possess.

53

Give an example related to the second rule of professional competence.

Avoid presenting yourself as a "cybersecurity expert" if your experience is limited to basic security settings.

54

What is the third rule under PROFESSIONAL COMPETENCE AND INTEGRITY?

Develop your professional knowledge, skills and competence on a continuing basis, maintaining awareness of technological developments, procedures, and standards that are relevant to your field.

55

What is the fourth rule under PROFESSIONAL COMPETENCE AND INTEGRITY?

Ensure that you have the knowledge and understanding of legislation and that you comply with such legislation, in carrying out your professional responsibilities.

56

What is the fifth rule under PROFESSIONAL COMPETENCE AND INTEGRITY?

Respect and value alternative viewpoints and seek, accept and offer honest criticisms of work.

57

Give an example related to the fifth rule of professional competence.

You listen to their reasoning and consider its benefits. When your module is reviewed, you accept feedback about scalability issues and make improvements. In return, you respectfully point out potential security risks in a teammate’s code, suggesting fixes. This fosters collaboration and improves the project’s quality.

58

What is the sixth rule under PROFESSIONAL COMPETENCE AND INTEGRITY?

Avoid injuring others, their property, reputation, or employment by false or malicious or negligent action or inaction.

59

What is the seventh rule under PROFESSIONAL COMPETENCE AND INTEGRITY?

Reject and will not make any offer of bribery or unethical inducement.

60

What is the first rule under DUTY TO RELEVANT AUTHORITY in the BCS Code of Conduct?

Carry out your professional responsibilities with due care and diligence in accordance with the relevant authority’s requirements while exercising your professional judgement at all times.

61

What is the second rule under DUTY TO RELEVANT AUTHORITY?

Seek to avoid any situation that may give rise to a conflict of interest between you and your relevant authority.

62

What is the third rule under DUTY TO RELEVANT AUTHORITY?

Accept professional responsibility for your work and for the work of colleagues who are defined in a given context as working under your supervision.

63

What is the fourth rule under DUTY TO RELEVANT AUTHORITY?

NOT disclose or authorise to be disclosed, or use for personal gain or to benefit a third party, confidential information except with the permission of your relevant authority, or as required by legislation.

64

What is the fifth rule under DUTY TO RELEVANT AUTHORITY?

NOT misrepresent or withhold information on the performance of products, systems or services (unless lawfully bound by a duty of confidentiality not to disclose such information), or take advantage of the lack of relevant knowledge or inexperience of others.

65

What key aspect of governance processes is rapidly changing?

Evolving best practices, standards, and legislation.

66

What can you explore to improve your processes in AI governance?

Available resources, such as IBM’s AI Governance toolkits.

67

What is the Equality Act of 2010?

Replaced previous equality laws to simplify protections.

68

What types of discrimination does the Equality Act protect against?

Direct: Treating someone unfairly due to a protected characteristic. Indirect: Policies or practices that disadvantage certain groups.

69

Who monitors the Equality Act?

The Equality and Human Rights Commission (EHRC).

70

What does the EHRC focus on?

Digital services and AI impacts.

71

How is the Equality Act linked to GDPR?

Ensures fairness and lawfulness in data use.

72

Give an example of how AI systems must comply with both GDPR and the Equality Act.

If an AI system is trained using personal data, it must not only comply with GDPR but also ensure it does not discriminate against protected groups (e.g., based on gender, race, or disability) under the Equality Act.

73

What can result from the use or misuse of information and technology regarding equality?

Inequities between different groups of people.

74

How should technologies be designed regarding inclusivity?

Technologies should be as inclusive and accessible as possible.

75

What can failure to design for inclusiveness and accessibility constitute?

Unfair discrimination.

76

What is Positive Action?

Steps to improve representation and inclusion.

77

Give examples of Positive Action.

Helping individuals overcome disadvantages. Meeting specific needs. Encouraging underrepresented groups to participate (e.g., through targeted outreach).

78

What is Positive Discrimination?

Treating one group less favourably than another.

79

Is Positive Discrimination lawful?

No, Positive Discrimination is unlawful.

80

Give an example of Positive Discrimination.

Refusing to hire men solely to increase the number of women.

81

How did Amazon's AI hiring tool discriminate?

The system started to penalise CVs which included the word "women".

82

What is a risk of facial recognition technology regarding discrimination?

The technology disproportionately targeting people of colour and an innocent person getting arrested.

83

What are the key roles in AI Development?

Business Owner, Data Scientist, Model Validator, AI Operations Engineer.

84

What is the Business Owner's role in AI development?

Defines business goals and requirements.

85

What is the Data Scientist's role in AI development?

Uses data to train models to meet requirements.

86

What is the Model Validator's role in AI development?

Uses business goals, regulations, and best practices to test models.

87

What is the AI Operations Engineer's role in AI development?

Deploys and monitors models in running services.

88

What is a key practice for all actors in the AI Lifecycle?

Contributing to the documentation for that system.

89

What are Factsheets in the context of AI systems?

Standardised documents providing key details about an AI system's purpose, design, data, and performance, tailored for different stakeholders to ensure transparency and accountability.

90

What is the UK's standard for producing auditable documentation for AI systems?

The Algorithmic Transparency Standard.

91

What challenges remain in defining facts for AI systems?

Challenges remain in defining facts that demonstrate compliance with legal concepts like fairness (transparency and accountability).

92

What is active research focusing on in AI governance?

Developing metrics to evaluate AI systems against regulations and best practices.

93

What is essential for software development if you're developing software?

Thorough documentation of your processes is essential.

94

Are roles in monitoring and compliance growing?

Yes, roles in monitoring and compliance are growing—technical expertise is in demand.

95

Are research opportunities increasing for AI evaluation?

Yes, research opportunities are increasing to develop metrics for evaluating AI systems.

96

What are some new career paths in governance?

Working for organisations like the ICO or EHRC.

97

What should you do regarding disclosing information to authorities?

It’s important that you disclose information to authorities when you’re asked to do so and that you do this honestly.

98

What was the AI Safety Summit in November 2023?

A summit held in Bletchley Park, Buckinghamshire.

99

What was a key achievement of the AI Safety Summit regarding global coordination?

Unprecedented Global Coordination: World leaders, including China, came together to discuss AI governance.

100

What was established at the AI Safety Summit to identify AI risks?

AI Expert Panel Established: Tasked with identifying and assessing potential AI risks.