THE BCS PROFESSIONAL EXAMINATIONS Diploma April 2007 EXAMINERS REPORT Professional issues in Information Systems Practice

General comments The pass rate this sitting showed a welcome improvement but still around 30% of candidates gained marks of less than 30%. The pass rate was more or less the same for all centres with enough candidates to be statistically significant with the exception of one large centre where the pass rate was substantially lower. As usual, some candidates performed extremely well and showed a real and profound understanding of the material; as a result, they gained very high marks. Such candidates were to be found at all centres. Nevertheless, the high proportion of candidates gaining marks of less than 30% means that a large number of candidates are inadequately prepared for the examination and lack the necessary basic knowledge. With one exception, candidates showed no significant preferences in their choice of questions and the mean mark did not significantly differ from question to question. The exception was question 3, on the UK Freedom of Information Act. This question was answered by only a few candidates. Two of them answered it well; they were both from the same centre and were the only two candidates for the paper from that centre. It seems likely that they had been taught the topic. The others appeared to know nothing about the topic and were guessing randomly (and wrongly) what it might be about. The Freedom of Information Act is explicitly mentioned in section 1e of the syllabus. It is a matter of great importance and relevance for many IT professionals.

Question 1
a) Explain the three principles that are fundamental to the idea of a limited liability company. (9 marks)

The majority of the candidates answered this part of the question well, although there was still a significant minority who demonstrated remarkable ignorance. The three principles are: The company has corporate legal identity, that is, it is a legal person, completely separate from the people who work in it or the people who own it. The ownership of the company is divided into a number (usually large) of shares. These shares can be bought and sold individually. The people who own these shares are known as the members of the company or shareholders. In the event that the company incurs debts or other legal liabilities, the owners of the company have no obligation to pay these. The most that shareholders stand to lose is the money they paid for their shares. b) Setanta Software Ltd is a small but successful bespoke software company. It now wishes to set up a subsidiary, in the UK, to develop a pensions administration package. The UK government provides grants to encourage the growth of such companies in areas of high unemployment. As managing director, you are responsible for raising the capital required to get the new subsidiary up and running. You have three sources of finance available, i.e. UK government grant loan sale of equity in Setanta Software. Explain the characteristics of each of these possible sources and outline the issues to be considered in each case. (16 marks)

Only a small number of candidates answered all three parts correctly. Most correct answers were received for explaining the characteristics of, and outlining the issues to be considered in the case of, a loan. The two most common errors were stating that; 1. A grant must be repaid (with or without interest). 2. Sale of equity means selling furniture, software and other such assets. A grant is a sum of money given to the firm, which does not have to be repaid. Such grants are normally made by government (local or national) or occasionally by charities. They may be limited to a certain proportion of the investment made by the firm itself or be dependent on creating a certain number of jobs. There will often be some restriction on the way the grant is spent. The main issue is always whether the conditions that must be fulfilled in order to get the grant are compatible with the firms business plan. In the scenario it is quite likely that they will not be, because the grants are often not conceived with companies like Setanta in mind The essential point about a loan is that the repayment terms are independent of the companys performance. The company pays the same interest whether it makes a large profit or a large loss. Loans may be for a fixed term or open ended. The rate of interest may be fixed or variable. At times when interest rates are historically low, a firm will tend to prefer a fixed rate loan; at times when they are historically high, it will tend to prefer a variable rate lenders preferences will, of course, be the reverse. The loan may be secured or unsecured. Government schemes may offer unsecured loans to small businesses in certain circumstances. Otherwise, if the company has no significant assets of its own as may well be the case with Setanta the directors and/or major shareholders may be required to use there own property, in particular, their houses as security. The sale of equity in Setanta amounts to selling a part of the company. Raising capital in this way means that if the company performs well, the new shareholders will get some of the benefit but, if it performs badly, the new shareholders will share in the misery. However, the new shareholders will own a part of the company and may well want a share possibly a substantial share in running it and directing its policies. Whats more, the effect of selling part of the equity to raise capital is that it dilutes the value of the shares owned by the existing shareholders.

Question 2 Most candidates answered this question, and, as might be expected therefore, they did so with some confidence. Slightly more detailed versions of the sample answers below were expected for full marks. The parts that caused most difficulty were c) and d), where candidates seemed to lack knowledge; some candidates were confused about the detail of a) and b). In the context of the UK computing profession: a) describe the situation regarding the professional status of software engineers; There is no reservation of function or title, that is, anyone can call themselves a software engineer and anyone can practise software engineering. Membership of the BCS, chartered status as CITP or CEng are reserved titles. CEng can lead to registration with FEANI and thus, in practice, to the right to practise in European countries where the engineering function is reserved. Membership of the IEE can also lead CEng and registration with FEANI. b) identify the principal professional bodies and describe their relationship to each other and to other international bodies; The BCS and the IEE are the main bodies in this area. Both are members of the Engineering Council. They collaborate on a variety of matters, including the publication of IEE Proceedings Software. Each has links to similar bodies in other countries and to international groupings such as CEPIS and IFIP c) describe how computing-related university courses are accredited; Accreditation is carried out directly by the BCS and/or the IEE within the guidelines (formerly SARTOR, now UKSPEC) laid down by the Engineering Council. The institution makes a written submission describing the content of the course(s), the facilities available to students, its QA procedures and other matters. This is followed

d)

e)

by visit from a panel from one or other (or both) of the professional bodies, in which particular attention is paid to what students on the course have to say. describe either the BCS Industry Structure Model (ISM) or the SFIAplus model that has recently replaced it; The ISM is a matrix in which each column corresponds to a functional speciality (e.g. communications, databases, system development) and each row corresponds to a level of responsibility, from trainee up to senior manager or consultant. Associated with a cell, there is a description of the qualifications and experience expected of someone entering that cell and of the tasks that a person in the cell can be expected to undertake. It is claimed that any job in the IT industry can be mapped on to a cell in the matrix. identify five responsibilities of the BCS. (5 marks each) Any five from : disseminating knowledge and good practice in the field set related education standards; defining standards for professional conduct; advising UK Government; disseminating knowledge and good practice in the field; set related education standards; defining standards for professional conduct; advising UK Government.

Question 3 See the remarks about this question in the General Comments section. a) Briefly outline why the UK Freedom of Information Act 2000 was introduced, and explain the type of data that it covers. (6 marks) The Freedom of Information Act 2000 was created to give people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector. (4 marks) The Act covers data held by a public authority, however it specifically does not include personal data. (2 marks) b) Assume that you are an IT manager in a UK hospital. You have been asked to prepare a presentation to staff within the hospital regarding the impact of the UK Freedom of Information Act 2000 upon health service provision. Outline the material you would include in your in your presentation, under the headings: obligation to publish, the publics right to ask for information, the circumstances in which a charge may be made and the circumstances under which the information may be withheld. (19 marks) The UK Freedom of Information Act 2000 enables people to gain access to information held by public authorities either via publication schemes or the general right of access. Every public authority must make some information available as a matter routine of through a publication scheme. Information that is included in such a scheme must be made available to the public. A publication scheme is both a public commitment to make certain information available and a guide to how that information can be obtained. (5 marks)

Any person has the right to make a request for information held by a public authority. The authority must usually respond to this request within 20 working days. The person making the request is entitled to be informed in writing by the public authority whether it holds information of the description specified in the request, and if that is the case, to have that information communicated to him. (5 marks) A public authority to whom a request for information is made may, within the period for complying, give the applicant a notice in writing (a "fees notice") stating that a fee of an amount specified in the notice is to be charged by the authority for providing the information. Where a fees notice has been given to the applicant, the public authority is not obliged to provide the information requested unless the fee is paid within the period of three months beginning with the day on which the fees notice is given to the applicant. (5 marks) The Act recognises that there will be valid reasons why some kinds of information may be withheld, such as if its release would prejudice national security or damage to commercial interests. Exempt information includes: Law enforcement; Health and safety; Environmental information and Personal information. (4 marks) Question 4 Candidates generally answered this question well, but would be recommended to ensure the answer is fully developed to achieve higher marks. a) ToughAlloy is a large specialist steel producer. The company forges and rolls steel, and has large furnaces to heat the steel prior to rolling or forging. It has commissioned the company you work for, Real Software, to develop a real-time control system to monitor the steel in the furnace and manage the flow of items in and around the furnace. This project is important to your company and the scheduled finish will be difficult to meet. However you have spotted that there is an error in the design of the flow algorithm that you suspect would cause a problem with the processing of the metal. When you mention this to your project manager in Real Software he tells you that it is not your problem and to ignore it. Discuss the ethical issues involved in this situation, showing how the British Computer Societys Code of Conduct might apply to your action. (10 marks) Part a) was covered very well. Some candidates tried to bring in other aspects (e.g. conflict of interest) which were not always very relevant, but where suitable points were made then credit was given. This situation hinges on whether the error is significant, and if so what the employer does about it. So clause 1 is key to ensuring that the programmer raises the risk and indicates the consequences of ignoring it. As part of the team the member has the responsibility to deliver the work according to the contract , but would need to decide if the delivery date or the quality of the product was more important / more likely to cause a problem. The most obviously relevant clauses are : 1. You shall carry out work or study with due care and diligence in accordance with the relevant authority's requirements, and the interests of system users. If your professional judgement is overruled, you shall indicate the likely risks and consequences. 8. You shall not disclose or authorize to be disclosed, or use for personal gain or to benefit a third party, confidential information except with the permission of your relevant authority, or at the direction of a court of law. 9. You shall not misrepresent or withhold information on the performance of products, systems or services, or take advantage of the lack of relevant knowledge or inexperience of others. 17. You shall accept professional responsibility for your work and for the work of colleagues who are defined in a given context as working under your supervision

b)

You have just joined Medico, a company that specialises in hospital technology. Following a visit to a large hospital by the sales manager, he has identified an opportunity to sell a new product to this client based upon a system you created for your previous employer, HealthSys. To create this product he has asked you to use your password, which has not yet been removed, to access the HealthSys network to obtain the technical design and create a fresh product with different program code and user interface. Discuss the ethical and legal issues involved in this situation, showing how the British Computer Societys Code of Conduct, and UK employment and computer law might apply to your action. (15 marks) This part of the question required candidates to draw from across the syllabus to achieve a full discussion. Most were able to identify the key points, but did not always develop the issues related to employment contracts or the complexities of IPR in this regard. The issue here revolves around the reuse of knowledge from a previous employment. The employee can use the skills and knowledge that they have acquired in that employment, but not their confidential knowledge of the product design. In particular this cannot be achieved through espionage. To act in this way is likely to be a criminal offence under the Computer Misuse Act as well as giving rise to liability for infringement of copyright, breach of employment contracts and breach of the rights of the previous employer. Relevant clauses include: 3. You shall have regard to the legitimate rights of third parties. The term 'third Party' includes professional colleagues, or possibly competitors, or members of 'the public' who might be affected by an IS project without their being directly aware of its existence. 4. You shall ensure that within your professional field/s you have knowledge and understanding of relevant legislation, regulations and standards, and that you comply with such requirements. As examples, relevant legislation could, in the UK, include Computer Misuse law, 8. You shall not disclose or authorize to be disclosed, or use for personal gain or to benefit a third party, confidential information except with the permission of your relevant authority, or at the direction of a court of law. Also: Unless the contract of employment specifically states otherwise, which would be most unusual, IPR generated by the employee belongs to the employer and the obligation not to reveal confidential information continues after the employment is terminated. Computer Misuse Act is clearly breached if you access data in the unauthorised manner envisaged in the scenario.

Question 5 Part a) of this question was generally answered well with candidates showing an understanding of opting-in and opting-out. Parts b) and c)were also answered well. In part d) some candidates confused the Data Protection Act with the Computer Misuse Act. a) Outline the difference between opting-in and opting-out in terms of e-mail marketing by an e-business website. (6 marks) Under the UK Data Protection Act 1998 organisations should use an opting-in policy for email marketing whereby customers have to indicate on the website that they wish to receive email marketing before it can be sent to them. (3 marks) Previously organisations should have used an opting-out policy for email marketing whereby customers had to indicate that they did not wish to receive email marketing, otherwise it could have been sent to them. (3 marks)

b)

Explain why it is necessary to display terms and conditions of purchase on an ebusiness website. (6 marks) Displaying terms and conditions of purchase such as the policy on returns and refunds and which national law should apply to purchases on the e-business website is necessary in order to attempt to avoid consumer disputes and to comply with the UK Consumer Protection (Distance Selling) Regulations 2000. (6 marks)

c)

Discuss why it is necessary to have a disclaimer on an e-business website to inform users that the website uses cookies. (6 marks) A UK organisation conducting electronic commerce could potentially end up being in breach of the UK Data Protection Act 1998 if they do not make it clear to customers that cookies are collecting their personal data. Cookies can invade the privacy of electronic commerce customers by covertly gathering personal data in an unfair manner. (6 marks)

d)

What legal remedies does an e-business have if someone hacks into its site and makes alterations to it? (7 marks) This would be a clear case of unauthorised access to a computer and could be prosecuted under Section 1 of the Computer Misuse Act but it also constitutes unauthorised modification, an offence under Section 3 of the Act, which carries a much more severe penalty (5 years in prison or an unlimited fine). If the offender had the funds to make it worthwhile and it could be shown that serious financial damage had been caused to the e-business, it could also sue for damages. (7 marks)

Question 6 a) Explain what is meant by the terms recruitment and selection. (4 marks)

The majority of respondents could not correctly explain the term recruitment. In many cases they confused selection with recruitment. Most candidates explained the term selection correctly. Recruitment is the process of attracting candidates to the organisation. Selection is the process of choosing the successful candidate(s) from those who applied b) Describe briefly FOUR ways in which selection may be carried out. (8 marks)

This part of the question was answered very well by about half the candidates. A small number listed four ways but failed to explain them at all.. Candidates were expected to produce any four from: individual interviews, interviews by a panel, situational assessment, task assessment, references, aptitude testing, etc. c) Increasingly, recruitment is being outsourced to specialist agencies. Suggest reasons why this is happening and discuss the advantages and disadvantages of this from the point of view both of the job-seeker and the employer. (13 marks) Most candidates answered this part of the question badly. A common error was to confuse the outsourcing of recruitment with outsourcing in general e.g. supplying staff to run the accounts, marketing or IT divisions. The main reason why recruitment is being outsourced is probably the tendency (fashion?) for organisations to concentrate on their core business and to oursource everything else to specialists.

From the employers point of view the main advantage is that the recruitment agency has specialist expertise in recruitment and extensive contacts with prospective employees. The disadvantage is that it may be profoundly ignorant of the employers business and that its extensive list of contacts will include the employees it has introduced to them, so that in about 18 months time the agency will be approaching these employees and suggesting that it is time for them to move on. From the job seekers point of view, being on the books of a good agency will make sure that they will be considered for any suitable jobs that may turn up, without having to put in lots of speculative applications. One disadvantage is that as soon as they apply for one job the agency advertises they are on its books and may get pestered to apply for or even attend interviews for jobs that they are not interested in or which are not suitable.