To make a GDPR subject access request?

[Mistigri]

My employer uses an outside company to run IT security awareness programmes which are mandatory and which I always complete despite the fact that they are patronising and badly designed.

I'm now being told that I haven't completed mandatory training. The website is so badly designed that it is impossible to tell what information has been recorded about my previous log-ins.

Would I be unreasonable to do a subject access request under the GDPR?

@DanielCraigsUnderpants
It would be classified as personal information. Unless they anonymise your data and replace your actual name with a number or user name
I believe under GDPR, pseudonymised data is also classed as personal data, as it can still be linked back to the data subject. To be classed as anonymous data, user names/numbers etc cannot be used to replace the real-life name. Even if the data isn't pseudonymised, the data itself could still be identifiable if those specific answers were only given by one person.

I used to be one of the managers for a learning management system in a large company. The system was fucking appalling. I'm not at all surprised they've lost the records of you having completed the training. It happened in our system all the time.

I don't know about your training, but our modules took a significant amount of time to complete, and it would be a total waste of time and company money to be expected to do them again.

Usually as a system manager I could track down things like whether or not someone had started a module, whether they had completed it, and where the data had been lost.

I would request again that IT ensure this process is gone through before they insist you take the modules again. You may well find other staff have had the same problem as you.

I'd also suggest to your company that they find a better training provider.

Mistakes happen, you just need to alert those responsible to fix it. Send an email to whoever issued the compliance request and to the IT training support address stating "I completed training X on Y date and Z compliance sheet says I haven't, please can you resolve this between you. I found the system hard to navigate, so if I missed a form submission somewhere please can someone let me know and guide me through the submission process by phone."
You think you're being clever referring to GDPR, but when you haven't done the normal step of just telling someone there's an error it makes you sound like an immature fool with a penchant for dramatics. If they don't resolve it then you can make a normal complaint. And just calm down! Breathe!

Your training log ins and scores are NOT personal data. They cannot be used to identify you. You can ask what personal information they hold on you but requesting details of your training scores would not fall under the remit of a subject access request.

Stop quoting GDPR for everything. It's the worst bugbear I have at work. And clearly you need to redo your training if you think this would fall under the GDPRs remit.

Thanks for the helpful responses.

I've had no response to my question about a possible duplicated account.

I don't intend to redo the training unless explicitly required to by my manager, because if I'm right about the duplicate account then redoing the training doesn't resolve the underlying problem: any future training modules are also going to be flagged up as not completed on one of the accounts.

I don't know about your training, but our modules took a significant amount of time to complete, and it would be a total waste of time and company money to be expected to do them again.

Yes, this. The system is rubbish - when you log on it's impossible to tell which modules you have completed, the process for doing the training is very clunky and the multiple choice questions are poorly designed. I expect it is costing a fortune too.

It's not a retail bank is it? I had the same situation and had to firmly tear them a new one.

No not a bank. Big company though. I think they all use the same useless IT providers. What is it about British companies and IT?!

We do some things well - for example I have nothing but praise for the (also compulsory) ethics and anti-trust training.

Nothing in my inbox this morning and I strongly suspect that the reason I haven't had a response is that they have been inundated with managers escalating other people's identical issues.

A mildly worded email containing the magic words "data protection" eventually elicited the response that I have indeed done the training and a confirmation that it was a duplicate account problem.

So it was all a big fuss about nothing that could have been and was sorted by one email. The mildly worded email would have achieved the same result without you erroneously talking about data protection.

In fact it took several emails from both me and my manager. Very inefficient and it turns out that there was indeed a data management issue.