Guest Editorial: Do DBAs Need a Code of Ethics?

  • Comments posted to this topic are about the item Guest Editorial: Do DBAs Need a Code of Ethics?

    Brad M. McGehee
    DBA

  • Sadly, I don't think we're up to the challenge. Not because we're unable to agree a set of guidelines, but because we've no power to enforce them.

    All the examples Brad has given are ones where there is a degree of enforcement. In most of those cases, it's enshrined in law - a doctor who's struck off is no longer legally allowed to either practice medicine or call themselves a doctor, so (s)he has no choice but to abide by the rules. On the other hand, anyone can call themselves an estate agent, but if they fail to abide by their industry guidelines they'll lose their customers, so the guidelines still have teeth.

    As for DBAs, I see very few examples of wilful negligence. I see plenty of examples of DBAs being forced into ethically compromised situations by their employers in the name of expedience, but, being cynical, I suspect a DBA who's prepared to put company before ethics is likely to be more, not less, employable. I also see plenty of examples of DBAs who've overstated their true abilities to get the job, but that's not an issue of guidelines, it's an issue within the recruitment process, since there are plenty of inept accountants and engineers too.

    So, unless governments are inclined to put a legal definition and associated obligations to the term Database Administrator, we're severely limited in the clout we can associate with any set of guidelines. The only workable solution I can see is, as Brad suggested, that all the major database manufacturers include a clause in their certifications which allows the certification to be withdrawn if a specified code of conduct isn't followed. Employers like certifications, so that's the only way misbehaving DBAs could be forcibly made less employable, although it would remain to be seen how companies would view any new qualifications that might run counter to their wishes.

    Apologies for waffling on, but in short I believe the bulk of our effort should be in lobbying the RDBMS manufacturers to incorporate an ethical code in their certs rather than fine-tuning the ethical code itself.

    Semper in excretia, suus solum profundum variat

  • Morning, all.

    I was intrigued by the thought of a code of ethics for DBAs. But having read through the latest one from OracleGiants.com (2007) I have changed my mind and no longer think we need one.

    Most ‘ethical’ decisions made by a DBA are nothing to do purely with being a DBA, just with being a person with inside knowledge/access. I think I read it on this website that a DBA owns the database but NEVER the data.

    A DBA has a position of trust, given that they have unfettered access to data which is very likely to be privileged, confidential and security related. But so do the finance department, the HR department and anyone else who has access to anything that isn’t theirs. You don’t need to be a skilled senior employee to do that. There are people much lower down the tree who have access to just as much personal data.

    Consider the clerk who enters your company’s payroll data. A junior role entrusted with the utmost private information.

    My point is this: A DBA making unethical use of their power is no different to anyone else doing the same. I don’t want my bin man going through my rubbish but I don’t expect there to be an industry approved code of conduct for him. He just needs to use some common sense.

    I wouldn't want someone looking through my data out of their own curiosity, so I don't do it. I don't steal things, and that includes data. Two ethical decisions but the DBA aspect is irrelevant.

    Tom

    Before I get back to prying through the home directories of our company’s directors I thought I would post a list of job roles which could do with codes of conduct, some of them maybe have? 🙂

    Personal trainer

    Teacher

    Journalist

    Carer

    Laundrette worker

    ‘Santa Claus’ at the shopping centre

    Ice cream man

    Guys who invented Facebook

  • There may be a case for emphasising the DBA aspects, but this is really a subtopic of professionalism, and how you go about establishing it. University courses are covering ethics in IT, and if you are a member of a professional body, or become a Chartered professional, you will normally have signed up to a Code of Conduct or Code of Ethics. It is up to employers, encouraged by the professional bodies, to require membership of the appropriate body, with all that it implies about an individual's commitment to act with integrity.

    Examples:

    BCS Code of Conduct

    BCS Code of Good Practice

    UKCHIP Code of Conduct

  • As mentioned by another contributor, IT workers (inc. DBAs) do not belong to professional bodies such as Doctors, Nurses etc. where you can only get a job if you are a member of these bodies. Any members of these bodies who are struck off cannot work until reinstated. There are no such bodies in the IT industry.

    Having said this, in the EU there are already existing laws under which you can feasibly be prosecuted for disclosures/theft of data albeit the organisations that enforce/investigate these breaches are largely toothless and do not operate outside of the EU.

    So until the IT industry actually has a professional body with all the cumbersome overheads and membership dues all the talk about DBA ethics is interesting but unenforceable.

  • Richard Bradford (2/5/2009)


    So until the IT industry actually has a professional body with all the cumbersome overheads and membership dues all the talk about DBA ethics is interesting but unenforceable.

    In the UK this is exactly what the BCS is trying to achieve - complete with [rather painfully high] membership dues. It is held back (I think) by the youth of the IT profession (compared eg with medicine and law) and by the speed of change and innovation. You cannot practice as a doctor or a solicitor without the right professional standing and qualifications, but there is no similar need to be Chartered before you can work as an IT professional. And bright younger people with the latest skills can do it now, as well or better than time-served professionals who qualified with yesterday's skills. Employers want the technically able before those who are registered professionals.

    I am describing rather than criticising this situation - there are pluses and minuses - but it is why we still worry that ethics and professionalism are not embedded in IT.

  • Is the problem with a blanket set of rules not that DBAs work in varying industries? Many of these industries, particularly those with personal data, are covered by their own "code of ethics" and that applies to all staff, not just DBAs. Certainly in the financial industry in the UK, quality of data, accuracy of reporting, accessing data only with legitimate reasons and many of the other suggestions from the previous articles are already covered. Do we need separate legislation when we're already subject to the suggested restrictions?

  • Ethics has gone by the wayside. I have gone into numerous systems, from desktop to server to databases, that have no logic in how they were set up, designed and/or managed. If a Code of Ethics is set up, how is it enforced? You lose your membership? I don't know how things work in the world, but I have worked in states from the east coast to west coast in the US and even if you are required to have a license you can get by it with some loophole or another.

    If certain requirements are put in place, then who pays for them to be kept up to date? Customers are screaming about what fees we charge and don't realize how much time is put into any project. To pass on the cost of maintaining requirements will cause more problems.

  • Brad,

    A code of ethics is a nice idea but without a governing body that we all have to join I believe it is entirely unenforceable. Also most of us work for an employer who sets the rules for our behavior. What if we sign a code of conduct and our employer asks us to do something that violates the DBA code of conduct? The employer is paying the bills. Also I would be strongly against any vendor, Microsoft, Oracle, etc., setting the code of conduct. Who says they are ethical?

  • Generally speaking, DBAs do not run companies and therefore some general code of ethics for DBAs does not seem to me to be any effective effort. In fact, it might have the opposite result from the intent. I mean, if we have a DBA code of ethics, do we need an Administrative Assistant code of ethics? How about a janitorial code of ethics? Any given position below the executive level should be governed by the executive level. Thus, I think it would be more fruitful to come up with agreements DBAs would sign at the time of employment, and then monitor and enforce those codes from the top-down. I don't think DBAs need to be singled out any more than programmers, data entry clerks or information collectors - all of whom also work with sensitive data.

    Over the years I find I am more concerned that the industry still has no real definition of what a DBA "is" - that is, I have interviewed many people applying for DBA positions who were not really DBAs. I don't consider someone who "did SQL backups" and yet cannot write a simple query, a DBA, although many who have applied over the years do.

    As well, granting some DBA code of ethics seems to me to be clapping with one hand. Are people in general now so lax in their basic ethical behavior that we need to spell this out with some formal document? And what if we do? Does this mean that an unethical DBA is suddenly going to behave? I don't think so.

    This sounds more like some narcissistic, self-important, "oh look at me, I'm ethical" monkey business - a complete waste of time serving no purpose and surely not being enforceable. What are we going to do? Send unethical DBAs to a prison on some island like say, Cuba?

    I would rather put my efforts (and see others' efforts) go to just plain good old fashioned ethical behavior because that is the right thing to do. Let's face it, as we see today with all the Wall Street baloney, unethical behavior might make you rich for a while, but it hurts thousands and can screw up an entire country if not world. If that's not a big enough incentive for people to behave themselves, then no code of ethics is going to matter - we would be truly doomed.

    It would be much better if people would just do the right thing because it's the right thing to do.

    There's no such thing as dumb questions, only poorly thought-out answers...

  • As Brad said "it really is down to SQLServerCentral.Com to take the lead, and create a code of ethics using the input of the largest DBA community on Earth"

  • Speaking both as a member of the PASS Board of Directors and as a concerned DBA, it's an interesting and tricky subject. I do believe it has value for our profession if it can be done right, and my definition of right is:

    - It has to be strictly ethics, not anything tied to any "best practice". If a business wants to use RAID 0 or a consumer grade PC for a server or deploy shoddy code, in general that is their right and shouldn't challenge our ethics

    - We have to realize that these are guidelines with no power to enforce other than our own conscience. Are you willing to resign a position if they would ask you to violate one of the ethics rules?

    - It can actually be used to support us by pointing to an industry standard definition of ethical behavior, in many cases I think employers might go "hey, there is guidance out there"

    - It needs to include some add-on coaching. Let's say you work in banking and are pretty sure there is a SQL injection vulnerability and you notify the business - does that complete your obligation, or are you in a position to have to be a whistleblower?

    Which may or may not be the right definition. I guess I see it having a lot of value for inexperienced DBAs that see something bad happening, just helping them understand how bad and how much responsibility/liability would be a useful thing.

  • A written code of ethics is an admission of failure.

    Everyone knows what ethical behavior is. Having written guidelines is nothing more than a feel good measure to soothe the conscience of those who feel they must do "something", no matter how ineffectual.

    Those who are ethical do not require a written code, those who are not would not adhere to it. So in the end, what is the point?

    Put another way, the underlying assumptions behind a written code are:

    1. No one knows what the rules (ethics) are.

    2. Writing them down will (magically) make everyone follow them.

    Both assumptions are false.

    I understand this post is very strongly worded, because this is for me a core belief. Those who need a written code of ethics have no business being trusted--at all, in any capacity. You learn ethics in kindergarten. Just because you're in a position of power the rules don't change.

    Frankly, it's disturbing that anyone (in any profession) ever felt the need to produce a written guideline for ethical behavior. Maybe for first graders as a remedial course. But not for adults.

  • Question: is this ethics board going to be willing to stand up for a member that has been asked to do something unethical and they are terminated for not complying?

  • Well said, Andy Warren.

    roger.plowman (2/5/2009)


    Everyone knows what ethical behavior is.

    If only.

    Ethics comes from an individual considering their moral position, and can be assisted but not defined by a "Code". It is about being aware of the wider context and the implications for other people of what you do, in addition to anything that laws, regulations and employers' terms say.

    If, to become a member of a professional body, you have to be informed about and to reflect on the ethical dimensions of your work, you can be expected to notice and avoid or query ethically questionable behaviour, and be challenged where you have failed to do so. This is not about enforcing a set of rules, it makes it possible to debate whether you should have acted differently despite rules, or the lack of them.

    An employer may set a "code of ethics", but the idea is that the individual see things from a perspective far wider than their current job, and get better at doing the "right" thing. It's all very fuzzy and grey, and yes, we learn it from childhood but get better by continued learning, considering and reflecting.
