The American company Amazon has made headlines several times for monitoring its workers in warehouses across Europe and beyond.1 What is new is that a national data protection authority has recently issued a substantial fine of €32 million to the e-commerce giant for breaching several provisions of the General Data Protection Regulation (gdpr) with its surveillance practices. On 27 December 2023, the Commission nationale de l’informatique et des libertés (cnil)—the French Data Protection Authority—determined that Amazon France Logistique infringed on, among others, Articles 6(1)(f) (principle of lawfulness) and 5(1)(c) (data minimization) gdpr by processing some of workers’ data collected by handheld scanner in the distribution centers of Lauwin-Planque and Montélimar.2 Scanners enable employees to perform direct tasks such as picking and scanning items while continuously collecting data on quality of work, productivity, and periods of inactivity.3 According to the company, this data processing is necessary for various purposes, including quality and safety in warehouse management, employee coaching and performance evaluation, and work planning.4 The cnil’s decision centers on data protection law, but its implications reach far beyond into workers’ fundamental right to health and safety at work. As noted in legal literature and policy documents, digital surveillance practices can have a significant impact on workers’ mental health and overall well-being.5 This commentary examines the cnil’s decision through the lens of European occupational health and safety (EU ohs). Its scope is limited to how the French authority has interpreted the data protection principle of lawfulness taking into account the impact of some of Amazon’s monitoring practices on workers’ fundamental right to health and safety.
MULTIFILE
In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients that are impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision-aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and applying the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this way of recognition-primed decision-making results in suboptimal decisions as experts are likely to miss conflicting cues once the situation is quickly recognized under pressure. Understanding the default response pattern and the rare occasions in which this response pattern could be ineffective is therefore key for improving and aiding cyber incident response decision making. Therefore, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions. The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
DOCUMENT
Data collected from fitness trackers worn by employees could be very useful for businesses. The sharing of this data with employers is already a well-established practice in the United States, and companies in Europe are showing an interest in the introduction of such devices among their workforces. Our argument is that employers processing their employees’ fitness trackers data is unlikely to be lawful under the General Data Protection Regulation (GDPR). Wearable fitness trackers, such as Fitbit and AppleWatch devices, collate intimate data about the wearer’s location, sleep and heart rate. As a result, we consider that they not only represent a novel threat to the privacy and autonomy of the wearer, but that the data gathered constitutes ‘health data’ regulated by Article 9. Processing health data, including, in our view, fitness tracking data, is prohibited unless one of the specified conditions in the GDPR applies. After examining a number of legitimate bases which employers can rely on, we conclude that the data processing practices considered do not comply with the principle of lawfulness that is central to the GDPR regime. We suggest alternative schema by which wearable fitness trackers could be integrated into an organization to support healthy habits amongst employees, but in a manner that respects the data privacy of the individual wearer.
MULTIFILE
In today’s world, information security is a trending as well as a crucial topic for both individuals and organizations. Cyber attacks cause financial loss for businesses with data breaches and production loss. Data breaches can result in loss of reputation, reduced customer loyalty, and fines. Also due to cyber attacks, business continuity is affected so that organizations cannot provide continuous production. Therefore, organizations should reduce cyber risks by managing their information security. For this purpose, they may use ISO/IEC 27001 Information Security Management Standard. ISO/IEC 27001:2013 includes 114 controls that are in both technical and organizational level. However, in the practice of security management, individuals’ information security behavior could be underestimated. Herein, technology alone cannot guarantee the safety of information assets in organizations, thereby a range of human aspects should be taken into consideration. In this study, the importance of security behavior with respect to ISO/IEC 27001 information security management implementation is presented. The present study extensively analyses the data collected from a survey of 630 people. The results of reliability measures and confirmatory factor analysis support the scale of the study.
MULTIFILE
Human rights groups are increasingly calling for the protection of their right to privacy in relation to the bulk surveillance and interception of their personal communications. Some are advocating through strategic litigation. This advocacy tool is often chosen when there is weak political or public support for an issue. Nonetheless, as a strategy it remains a question if a lawsuit is strategic in the context of establishing accountability for indiscriminate bulk data interception. The chapter concludes that from a legal perspective the effect of the decision to litigate on the basis of the claim that a collective right to group privacy was violated has not (yet) resulted in significant change. Yet the case study, the British case of human rights groups versus the intelligence agencies, does seem to suggest that they have been able to create more public awareness about mass surveillance and interception programs and its side-effects
LINK
Slachtofferschap van ransomware – software die bestanden of systemen versleutelt als drukmiddel om slachtoffers losgeld te laten betalen – is een groeiend probleem voor bedrijven in Nederland. Tot wel 17% van de Nederlandse mkb’ers zegt ooit slachtoffer te zijn geworden van dit delict. Toch nemen ondernemers nog te weinig maatregelen om hun bedrijf tegen ransomware en andere vormen van cybercriminaliteit te beschermen. Hoe kunnen we de weerbaarheid van het mkb vergroten?
DOCUMENT
Een grote groep Nederlanders wordt jaarlijks slachtoffer van phishing. Burgers en bedrijven nemen echter in te beperkte mate zelfbeschermende maatregelen. In dit onderzoek wordt in kaart gebracht welke factoren bijdragen aan de intentie om zelfbeschermende maatregelen te nemen tegen phishing door drie risicogroepen, namelijk jongeren, ouderen en mkb’ers. We passen de Protection Motivation Theory toe, en onderbouwen een uitbreiding van dit model met twee factoren: affectieve respons en subjectieve normen. Data is verzameld middels vragenlijstonderzoek bij een panelbureau onder jongeren (N=1179), ouderen (N=1191) en mkb’ers (N=1020). De sterkste voorspeller voor de intentie tot het nemen van zelfbeschermende maatregelen tegen phishing bleek de affectieve respons (zorgen maken om phishing), gevolgd door een negatief effect van zelfeffectiviteit en positieve effecten van waargenomen ernst (jongeren en mkb’ers) en subjectieve norm (mkb’ers). Implicaties van de bevindingen voor handhavers en interventies worden besproken.
DOCUMENT
In recent years, a step change has been seen in the rate of adoption of Industry 4.0 technologies by manufacturers and industrial organizations alike. This article discusses the current state of the art in the adoption of Industry 4.0 technologies within the construction industry. Increasing complexity in onsite construction projects coupled with the need for higher productivity is leading to increased interest in the potential use of Industry 4.0 technologies. This article discusses the relevance of the following key Industry 4.0 technologies to construction: data analytics and artificial intelligence, robotics and automation, building information management, sensors and wearables, digital twin, and industrial connectivity. Industrial connectivity is a key aspect as it ensures that all Industry 4.0 technologies are interconnected allowing the full benefits to be realized. This article also presents a research agenda for the adoption of Industry 4.0 technologies within the construction sector, a three-phase use of intelligent assets from the point of manufacture up to after build, and a four-staged R&D process for the implementation of smart wearables in a digital enhanced construction site.
DOCUMENT
In operatiekamers heeft de luchtkwaliteit vanzelfsprekend de meeste aandacht in verband met het risico op postoperatieve wondinfecties bij de patiënt. Echter het belang van thermisch comfort moet niet onderschat worden. In dit onderzoek wordt subjectief (perceptie) en objectief (metingen) de situatie onderzocht in operatiekamers met verschillende ventilatiesystemen. Uitgangspunt is een vergelijk met de theorie.
DOCUMENT
