To make a GDPR subject access request?

[Mistigri]

My employer uses an outside company to run IT security awareness programmes which are mandatory and which I always complete despite the fact that they are patronising and badly designed.

I'm now being told that I haven't completed mandatory training. The website is so badly designed that it is impossible to tell what information has been recorded about my previous log-ins.

Would I be unreasonable to do a subject access request under the GDPR?

Yes. This is not a battle worth fighting - just do the training again. Things like this usually only take 10 mins and are purely box ticking.

Oh for goodness' sake, just do the training again.

bet you're a joy of an employee

GDPR relates to personal information. What personal information would you be requesting to see from the training company?

I'm an employee of 30 years standing. They appear to have lost the records from 7 or 8 training modules.

I have no intention of redoing the training.

I want to know what records they hold about my previous log-ins and the results obtained.

Oh you're one of those I've been here so long I shouldn't have to do as I'm told anymore' type people. Just cause a fuss and ask for those records if they say no then perhaps take it further. Unless it takes hours and hours I would just redo it on the proviso it was logged somewhere else as proof it's all up to date.

You would be unreasonable, just either do it again or escalate through your workplace that you are having issues with it registering.

you've answered your own question with your 10:27 post.

I've escalated it already.

I don't object to doing training. I object to doing it twice because the company which provides the training can't store my data accurately.

Whether or not you've completed training is not personal information and therefore isn't covered by GDPR.

Don't you have to do them annually anyway?

It is personal information m as it will be connected on the training system to th OPs name or other identifier, and those records are being used to make decisions about the OP.

If your manager is telling you yo redo it, you have to redo it. Otherwise, in their eyes, you are the problem. Besides which, I don't think what you are asking for is covered by gdpr.

Both my manager and I have asked the IT department to check their records to ensure that my account has not been duplicated, and they haven't responded.

I accept that it is a sledge hammer to crack a nut, and unreasonable from that point of view, but if GDPR can't be used to ascertain what data a service provider holds on you (in this case, whether it holds two accounts with my details) what can it be used for?

What ‘personal data’ do you think the training company holds on you? It’s got to make you identifiable. So it might be covered under an access request.
Even so I really wouldn’t do this as you’re likely to be earmarked as being difficult if it’s an IT error.

It may well be personal data because the fact of whether you have done the training or not is about you. But the organisation I suspect you need to ask is your employer, not the training provider, because the provider sounds like a third party processor which is processing data on your employer's behalf, not - for these purposes - a controller in its own right.

I really don’t think I could be bothered with this.

You say you completed it - they say you haven’t. So you’re likely to end up with a record saying you haven’t completed it and then you have to do it again.

Just do it again and screenshot once complete. It’s a pain in the arse for sure but I don’t really understand why you wouldn’t just do it?

Perhaps if they've lost your data, there's been a data breach? Have they reported it to the Information Commissioner?
When I do these things, I get a certificate at the end which I save as a PDF to prove I've done it. I wouldn't call these things training anyway, all they are is evidence that the employer has ticket a box. You don't actually learn anything from it!

Btw we have similar online training where I work, it's quite clunky so what happens is you go through the questions to the end but miss the very last bit to say you've completed it and the system therefore fails to record you having done it. Could that be happening with your tests?

Perhaps if they've lost your data, there's been a data breach?

A data breach normally means that the records have been accessed by an outside party, not that the data is actually lost.

The ICO is not going to be interested in one person's training record being inaccurate.

YANBU to ask them to check records of log ins and whether you have a duplicate account

YABU to make a gdpr request over something so petty.

the ICO is not going to be interested in one person's training record being inaccurate

This ^^

i had a similar problem going over a few months at work, and I totally understand the OP's frustration.

OP - I don't know how you can get it resolved, but in my case, work requires that I complete professional training. About six months ago they started to roll out content on a new system, and I always completed the training within the week (we were given up to a month).

I had major issues completing the training on a work computer (sound problems and there were no transcripts of the training content), eventually spending quite a few hours on the call to an IT Helpdesk. I got it sorted every time, did the training (about half a day per module, multiple modules). I often did it in the evenings and on a couple of occasions at weekends to get the problems sorted.

then, when the final big "milestone" compliance audit was taken, my name was on a "not compliant" list which was distributed to Heads of Department. it was mortifying. I raised it as a problem with our learning team, and they basically told me to just get the training completed as they had no record of it.

I could provide dates and rough times that i'd reviewed the content/did the assessments, but it was a case of "computer says no". i couldn't have literally fitted all the missing training in by the "final final deadline" they gave as an ultimatum.

I ended up in such a stressed, tearful state that I basically refused to re-do the whole lot and told them to take it up as an HR disciplinary matter, and copied in my head of dept.

a few days later i got a short sorry email from the learning contact saying there had been a few people with the same problem, and it was some issue where the new system hadn't "linked" correctly with our employee records.

i still get stressed and anxious when i think about it now, and i didn't even have to re-do all the work! even reading your post made me feel like i did when no one at work was even trying to help figure out what had gone wrong.

so, this isn't helpful to you OP but i totally, totally sympathise, it's a rotten situation. do you have a manager who's easily available/can force them to check their audit records/something else which means the onus isn't all on you to sort out their problem...?

I am a data protection officer.

1. It would be classified as personal information. Unless they anonymise your data and replace your actual name with a number or user name. Personal data is anything which can identify a living person.

1. A data breach doesn't have to be someone maliciously hacking your software. Poor storage. Losing it. Giving it out to the wrong person by accident. Lost or stolen work mobile. Just a few examples of a breach.

1. The ICO would probably acknowledge your email and provide some advice. They wouldn't dedicate much more to it.

That aside. I wouldn't bother making a subject access request for this. Id think about what outcome I actually wanted. I'd complain and tell them I had attended training and for them to amend your records.

Unless it's negatively impacting you (is it affecting any reviews, or projects you are working on) I'd respectfully suggest discretion is the better part of valour, and to just redo the modules.

You could make a GDPR request. However, if I had setup training with outside agencies, unless explicitly directed to (in writing) I would have made them use non-personal references which could only be identified from within the company proper. Purely because I wouldn't trust any 3rd parties with personal data - no matter what they've signed. If there's no personally identifiable data, there's nothing to disclose.