Author: Barbara

  • Who Owns Your Work Data When AI Is Watching

    Your company says AI will “boost productivity”; however, it also quietly captures keystroke data, tool usage, message tone, and output speed.

    That data does not float in the air. Someone owns it. Someone queries it. Someone can profile you with it.

    What is “work data” today

    • Activity traces: Logins, app usage, files opened, meeting joins
    • Communication signals: Email or chat metadata, sentiment, response times
    • Output artefacts: Drafts, code diffs, slide versions, tickets
    • Derived scores: Productivity, risk, “influence”, compliance

    Default reality

    • The company owns work systems and their telemetry.
    • Vendors process that data under contract.
    • You often do not see derived scores that affect opportunities or reviews.

    Why this is risky for you

    • Models freeze early impressions. Yesterday’s sprint becomes today’s label.
    • Scores leak beyond their original use into decisions such as promotions, assignments, and terminations.
    • Appeals are informal or nonexistent.

    Your five questions for HR and IT

    1. What exact data sources feed into any productivity or risk scoring? Name them.
    2. Who can see raw traces versus just aggregates? List job roles.
    3. What decisions may use these scores? Promotion, Performance Improvement Plan (PIP), Reduction in Force/Layoffs (RIF), pay, and access.
    4. How can I correct errors? What is the human review route and Service Level Agreement (SLA)?
    5. How long do you retain my traces and derived scores? Do you delete on request?

    Minimum viable policy you should ask for

    • Published inventory of monitoring tools and models.
    • Documented human review process with timelines.
    • Ban on using monitoring data for health or off-work activity.
    • Access log: Who viewed my data and when.
    • Retention limits: Raw traces short, derived scores audited.

    Manager checklist

    • Tell your team what is captured in writing.
    • Use monitoring to remove friction, not to micromanage.
    • Review cases with two humans when scores drive outcomes.
    • Allow people to review and correct their records quarterly.
    • Reward documented impact, not noisy activity.

    You cannot manage trust with a black box.

    Get the weekly Human Defence Brief: plain English scripts to protect your job, your money, and your rights.


  • How to challenge an AI decision about you in the UK

    When to use this

    • You were denied a service or flagged at work, and the decision felt automated.
    • A payment, claim, loan, or moderation outcome arrived with no human you can reach.
    • You suspect monitoring or scoring is running in the background.

    The 90-second version

    1. Ask if automation was used: “Was an automated system involved in this decision, yes or no?”
    2. Ask for a human review: “I want a documented human review of my case.”
    3. Ask for an explanation: “Explain the main factors and data used. Include any accuracy score or confidence level if available.”
    4. Correct the record: “Here is new or corrected information that changes the outcome.”
    5. Get it in writing: Request a dated response from a named person, along with a contact route for appeal.

    Email template for first request

    Subject: Request for human review and explanation of automated decision

    Hello [Team or Contact],

    I received [decision or outcome] on [date]. Please confirm whether any automated system was used. If yes, I am requesting:

    • A documented human review of my case.
    • A plain-English explanation of the main factors and data used.
    • Any available accuracy or confidence information.
    • A route to appeal and the time limits.

    Here is the context that may change the outcome. [short bullet points only]

    Please reply in writing within [10 working days] with a named contact.

    Regards,
    [Name]
    [Email]
    [Reference number or account if relevant]

    Email template for escalation

    Subject: Escalation – No response yet to automated decision review

    Hello [Manager or Complaints Team],

    I requested a human review on [date] and have not received a sufficient response. Please escalate this as a formal complaint. I am again requesting:

    • A human review by a qualified person.
    • A plain-English explanation of the factors and data used.
    • A clear route to appeal with dates.

    If external escalation is needed, confirm the correct ombudsman or regulator.

    Regards,
    [Name]

    Short call script

    “Before we continue, please confirm whether automation was used. I am requesting a human review and a written explanation of the main factors. I will send this as an email now so we have a record.”

    What to attach

    • Screenshots or PDFs of the decision.
    • Dates and times of any calls or messages.
    • Only the facts that directly change the outcome.

    Red flags that justify escalation

    • No one will confirm whether automation was used.
    • You receive only a generic stock reply.
    • The explanation does not match the decision.
    • “Computer says no” with no appeal route or timeline.

    Manager’s view – If you run teams

    • Publish a human review route with a named role and a response SLA.
    • Keep an appeals log: decisions, dates, outcomes, fixes.
    • Never use “urgent” to override fairness or due process.


  • Deepfake Payroll Fraud: The Quiet Theft Inside UK Teams

    If a “boss” phones or messages with an urgent bank detail change, treat it as a red alert. Here’s the playbook normal teams need but rarely enforce.

    What changed

    Criminals don’t need to ‘hack your bank.’ They imitate trust.

    Cheap synthetic voice and video (“deepfakes”) + scraped org info + an urgent story = you move money for them.

    It looks like leadership. It sounds like leadership. It isn’t.

    How the scam actually plays out (three real-life patterns)

    1. The 4:55 pm call: Finance receives a ‘quick favour’ from the CEO: ‘Change a supplier’s bank details for a payment run.’ Voice sounds right. Context sounds right. You act fast. Money’s gone.
    2. The travel trap: A WhatsApp voice note from the CFO: ‘At the airport…’ asks to bypass a control ‘just this once.’ You’re being helpful. They’re taking cash.
    3. The fake Teams invite: A short video call shows your “exec” under time pressure. You see a face, you hear a voice, you comply.

    Why normal controls fail

    • Familiar voice overrides scepticism.
    • Urgency collapses the process.
    • People want to be helpful to leaders.
    • Policies exist. They’re not enforced when it feels awkward.

    Your 15-minute defence drill (do this today)

    1. Break the channel: Never respond/act in the thread that made the request. Call back on a number from your corporate directory (not the number they gave you).
    2. Use a challenge phrase: Agree a simple ‘code question’ between Finance and Execs (e.g., “What’s the internal project name for [X]?”). If they fail it, you fail the payment.
    3. Two-person rule for bank changes: Any change to supplier/customer bank details requires two approvers who are not on the same team. No exceptions.
    4. Cooling-off period: Institute a minimum delay (e.g., 2 hours) for urgent bank changes. “Urgent” isn’t a control; it’s a vulnerability.
    5. Template lockdown: Payment templates cannot be edited by the same user who executes them. Separation of duties – always.
    6. Log the attempt: Keep an ‘incident note’ with date/time, request content, channel, who you verified with, and outcome. It protects you later.
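
    The six steps above can be enforced in the payment workflow rather than left to memory. The sketch below is an added example, not code from the original post: the class, field and function names, the sample supplier and the user names are all assumptions, and the rule that the template editor does not count as an approver is an added assumption too.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOLING_OFF = timedelta(hours=2)  # the post's example delay for urgent changes

@dataclass
class BankChangeRequest:
    supplier: str
    request_channel: str              # where the request arrived, e.g. "whatsapp"
    requested_at: datetime
    edited_by: str                    # user who edited the payment template
    callback_channel: str = ""        # channel used to verify the request
    callback_number_from_directory: bool = False
    challenge_passed: bool = False
    approvals: dict = field(default_factory=dict)  # approver -> team

def blocking_reasons(req, executed_by, now):
    """Return every control that still blocks the change; empty list = proceed."""
    reasons = []
    # 1. Break the channel: verify elsewhere, on a corporate-directory number.
    if (not req.callback_number_from_directory
            or req.callback_channel in ("", req.request_channel)):
        reasons.append("no callback outside the requesting channel")
    # 2. Challenge phrase agreed between Finance and Execs.
    if not req.challenge_passed:
        reasons.append("challenge phrase failed or not asked")
    # 3. Two-person rule: approvers must come from different teams.
    # Assumption: the template editor does not count as an approver.
    teams = {t for u, t in req.approvals.items() if u != req.edited_by}
    if len(teams) < 2:
        reasons.append("needs two approvers from different teams")
    # 4. Cooling-off period: "urgent" does not shorten it.
    if now - req.requested_at < COOLING_OFF:
        reasons.append("cooling-off period not elapsed")
    # 5. Template lockdown: editor and executor must differ.
    if executed_by == req.edited_by:
        reasons.append("template editor cannot execute the payment")
    return reasons

def incident_note(req, executed_by, now):
    """6. Log the attempt: what was asked, how it was verified, the outcome."""
    reasons = blocking_reasons(req, executed_by, now)
    return {"time": now.isoformat(), "supplier": req.supplier,
            "channel": req.request_channel, "verified_via": req.callback_channel,
            "outcome": "allowed" if not reasons else "blocked", "blocked_by": reasons}

# Constructed sample: the "4:55 pm call" pattern, acted on straight away.
T0 = datetime(2025, 1, 6, 16, 55)
URGENT = BankChangeRequest("Acme Ltd", "phone", T0, edited_by="sam")
```

    Calling `incident_note(URGENT, "sam", T0 + timedelta(minutes=5))` returns a blocked record listing all five failed controls, which is the note step 6 asks you to keep.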

    Exact scripts to use (copy/paste)

    • When you get the request:
      “I can’t move money or change bank details based on chat/call alone. I’ll call your main line now and loop in a second approver.”
    • When they insist on speed:
      “The control is for your protection as well as the company’s. If this is legitimate, it survives a 2-hour delay.”

    If money has already moved

    1. Call your bank’s fraud team immediately and request a recall/freeze.
    2. Notify your insurer and record keeper; preserve messages, call logs, and payment screenshots.
    3. Report to Action Fraud.
    4. Do not shame the person who complied. Fix the system that made compliance possible.

    For schools, charities and councils

    You are specifically targeted because you’re helpful, short-staffed, and process-light. Publish the two-person rule. Print the callback policy. Run a 10-minute simulation in the next team meeting.

    Manager checklist (today)

    • Publish the callback number and challenge phrase policy.
    • Add the two-person rule to your finance SOP (standard operating procedure).
    • Disable voice approvals entirely.
    • Schedule a quarterly “red team” drill – can we trick ourselves?

    Urgency is not a business case; it’s a social-engineering tactic.

    Want the one-page Human Defence Checklist (the five questions to ask when AI is used against you)? Get it free in our weekly brief.
