Far from apologizing for what they do, many in the data industry say they perform a valuable function for society. "One of the key things that fuels our economy is easy access to credit information," says Equifax's Crutchfield. "You can buy a car in an hour because the auto company can see [your credit data] instantly."

Business-intelligence software vendor Business Objects SA tries to convince companies that aren't in the information business that they're passing up a potentially large source of revenue by not analyzing and selling data they collect. "We ran a seminar session called 'You're Sitting On A Gold Mine And Don't Know It,'" says David Kellogg, senior VP of marketing at Business Objects.

Another vendor touts the capability of its products to go beyond the generally accepted norm of aggregation--categorizing data by demographic details without referencing specific names--as a competitive advantage. "Marketers can indeed target personally identifiable individuals, going beyond aggregation," says Paul Rodwick, VP of market development and strategy at E.piphany Inc. "Companies want a deep relationship with their customers, and technologies like ours help prevent spam because marketers can do finer segmentation and market to people who are actually interested in what they're selling."

That all makes sense to at least one IT professional. "To me, there's nothing bad here," says database designer Hoberman. "I don't see anything wrong with collecting all this information about us. I live for information. The more information you have, the better. It's all good stuff."

Are there guidelines or an ethical code to help database experts sort out their responsibilities? Should there be? Some senior IT managers say database professionals don't bear much responsibility at all. "I never really thought about [usage of data] from the database administrator's position," says Lou Saviano, director of IT services and infrastructure development at Osram Sylvania, the Danvers, Mass., division of Osram GmbH. "A database administrator would never make the decision on how the data is used. That would be a sales and marketing call."

That also goes for outside consultants who create databases for clients, says Trey Johnson, a data-warehouse architect for Encore Development, an E-business consulting firm in Jacksonville, Fla. "We're just building tools," Johnson says. "The customers are ultimately responsible for how they're using these tools." Johnson admits it's possible that Encore would create a tool that would collect data at a fairly personal level, but the responsibility for how that technology is used "falls squarely on the shoulders of the companies that use these tools," he says. "That's where privacy starts and ends."

Tang, of the Palo Alto Medical Foundation, has a different view--that IT professionals should go beyond creating the tools and take an active role in building their companies' privacy policies. Not only has Palo Alto implemented strict policies for users of patient medical data, it's also adopted policies for how the IT department handles such information. "Every time you make a purchase or upgrade of a system, you should consider the security features built in and make sure they're sufficient to handle privacy regulations, governed either by professional ethics or law," he says. "I don't think that's been at the top of mind for any industry, including health care. We live in a new world, and this should be a key component of any new system."

The ethical "duties" of a database administrator revolve around maintaining the integrity, security, reliability, and availability of a company's data, says Bill Burke, director of information services, strategic operations, at supply-chain software vendor i2 Technologies Inc. That means preventing information about a consumer's credit history or an employee's human-resources records from becoming corrupted, that no "inadvertent or malicious damage" is done to the data, Burke says. Making such data secure, both from access by outside hackers and inappropriate use by internal employees, is also part of a database administrator's ethical responsibility. "You have the salary of everyone from the janitor to the CEO on file," Burke says.

A mitigating factor is that database professionals have limited control over the operation of other parts of the companies they work for, says Kimberly Floss, who recently left a job as a database administrator for the Leo Burnett advertising agency in Chicago. For example, responsibility for data integrity, while primarily the database administrator's, also lies with the organizations that operate the applications that supply data to the company's database and even with the third-party application providers that supply that software. But database administrators have to be knowledgeable about those systems as well as their own, Floss says. "The responsibility of the DBA, in my view, has increased."

When it comes to data privacy and the changes that IT is bringing, the industry hasn't done enough to raise ethical questions, says David Ozar, director of the Center for Ethics at Loyola University in Chicago. The speed at which things are changing is no excuse. Ozar compares it with human genome research, where technology may be outstripping the ethical debate, but there's at least an active discussion about it in the professional and academic community. "There was a self-conscious effort to say 'Let's talk about the fundamental questions here,'" Ozar says. "I don't think IT has anything comparable."

The problem is that many IT people don't know very much about the privacy debate. "You find that there's a general lack of understanding about privacy, about the laws and regulations," says Larry Ponemon, president of Guardent Inc., a Waltham, Mass., security service provider. Before Guardent, Ponemon was a partner with PricewaterhouseCoopers, where he established the consulting firm's ethics and corporate-compliance practice. He's considered one of the leading experts on privacy. "[IT professionals] will say things like 'We know our company has a privacy policy, but I don't know where it is.' They don't understand how it affects their business processes," Ponemon says.

That's dangerous, says Ira Rothken, principal of the Rothken Law Firm in San Francisco. Rothken is a lead counsel in a class-action lawsuit in California against online data marketer DoubleClick Inc. in a privacy-invasion dispute over the use of cookies, the Internet device many Web sites use to keep track of visitors. While Rothken says IT executives aren't likely to be cited in a data-privacy lawsuit unless they've done something criminal, they should understand the legal environment. "An IT person would be acting below the standard of care not to know the laws and regulations in their area," he says.

Where do IT professionals find training in ethics? Not in college--at least not yet. Database designer Hoberman says he never once discussed ethics during his time at Carnegie Mellon. "I don't really mention the word ethics. I talk about privacy and security," says Daniel Norris, a professor of management information systems at Iowa State University who specializes in teaching database management and computer security. The subject of ethics comes up only in relation to security, he says, and the students themselves never bring it up. "If it won't help them on the job, they don't want to talk about it," he says.

Norris says there's a push at Iowa State to integrate ethics into the curriculum and that the school has created an ethics center. As far as the computer-science department is concerned, "it's going to be a slow process," he says.

But not if Doris Lidke can help it. Lidke is a professor of computer and information sciences at Towson University in Towson, Md. She's also a member of the Accreditation Board of Engineering and Technology, which accredits computer-science departments across the country.

Lidke recently headed a task force to explore the possibility of creating a computer-science curriculum that specializes in very large systems, to prepare graduates to work with, say, air-traffic control systems. The task force was made up of equal parts academics and business executives, the latter from companies such as Boeing Co. and Citibank as well as a large phone company and a large computer manufacturer. In developing a list of potential subjects for such a curriculum, Lidke and her colleagues were surprised to see one nontechnology topic score as high in terms of priorities as user-interface and systems integration. "We were quite surprised that [ethics] was one of the things that absolutely had to be in the curriculum," she says. This summer, the Accreditation Board of Engineering and Technology will add a new subject to its list of mandatory courses: one credit hour of ethics study.

The teaching of business ethics has grown rapidly in recent years, but linking ethics to IT, and to decisions about the way data is collected and used, is long overdue. Jody Giles, VP and CIO of shoemaker Vans Inc. in Santa Fe Springs, Calif., says he had to rely on the expertise of @Once, the company's E-mail-distribution partner, when Vans began marketing to teen-agers online. "Had they not made me aware of the Children's Online Privacy Protection Act, I wouldn't have known a thing about it," Giles says. "This is a new, emerging issue that comes with the technology. They didn't teach me about it when I was taking ethics classes in business school."

--with Eileen Colkin, Robin Gareiss, Diane Rezendes Khirallah, Chris Murphy, and Rick Whiting