GDPR question

[AndyPandy]

I run a Training Company. One of our Clients is a Council. It also runs training courses, part of which is handed off to us to deliver.
It has sent some of its training staff on a course with us and also the students on its course (we teach First Aid, hence why staff and students attend).

The Council has asked for Certificate copies for proof of qualification for its internal verifiers. We cannot provide this as we use an external Certifier and we do not keep certificate copies, nor will the Certifier issue copies in this situation. The Certificates have already gone out to the students, so I'm guessing it's a PITA/impossible to recall/get them copied.

As the Council organised the course and certificates were sent there for distribution to the students, they have already had sight of which students passed. Is there an issue, therefore, of subsequently sending a 'to whom it may concern' letter stating that the following students attended and passed such-and-such a course on s-a-s a date bearing in mind that information has already been sent by way of the Certificate?

Or of alternatively the Council sending us a list asking us to confirm?

What the Council does with the letter must be subject to GDPR, but would we be acting lawfully?

I've suggested to my contact that she runs this past the Council's Compliance team, but input from here is also appreciated (and probably much quicker).

Andy

[johnhemming]

nor will the Certifier issue copies in this situation.

That is probably the area to look at. The Certifier should be able to give some information about who has passed and who hasn't.

[didds]

Why cant the coucnil contact each person it sent on the course and ask them for proof?

other than you are a one stop shop?

ASide from that if they HAVE to use a one stop shop the certifying authority should be the people the coucnil are asking anyway, not you?

TBH, this doesn't sound like a GDPR question in itself, more a logistical one. You wouldn't ask your child's teacher to verify they passed their Maths GCSE after all.

didds

[redsturgeon]

Why don't you use the default position here and say that the data protection act prevents you from complying with their request.

John

[dionaeamuscipula]

What does your privacy policy say and what do you say to candidates?

Given that the certificates went to the council anyway, you have presumably told them that this sort of thing is going to happen.

As long as you don't ask for their consent for anything (which is a terrible idea, generally) then you would have a legitimate business reason for giving the council data they have already had in a different format.

Whether you want to of course is a different matter.

DM

[pochisoldi]

As the Council organised the course and certificates were sent there for distribution to the students, they have already had sight of which students passed. Is there an issue, therefore, of subsequently sending a 'to whom it may concern' letter stating that the following students attended and passed such-and-such a course on s-a-s a date bearing in mind that information has already been sent by way of the Certificate?

"We've already provided you with the evidence you are asking for when we sent the certificates to X on the Yth of Z. If you want to verify their validity please refer to the certifying organisation."

open brackets - stop trying to cover up your poor admin by passing the buck to us - close brackets

PochiSoldi

[Slarti]

As the Council organised the course and certificates were sent there for distribution to the students, they have already had sight of which students passed. Is there an issue, therefore, of subsequently sending a 'to whom it may concern' letter stating that the following students attended and passed such-and-such a course on s-a-s a date bearing in mind that information has already been sent by way of the Certificate?

"We've already provided you with the evidence you are asking for when we sent the certificates to X on the Yth of Z. If you want to verify their validity please refer to the certifying organisation."

open brackets - stop trying to cover up your poor admin by passing the buck to us - close brackets

PochiSoldi

What PochiSoldi said.

Slarti

[AndyPandy]

Sorry, wasn't clear. My bad.

We run the course, we then upload student data to the Certifier's Portal (including who has passed or failed). They verify our paperwork and, if happy, print and post Certificates to us. I can find out the names of who passed as I have the hard copy of the paperwork under lock and key and also access to the Certifier's Portal to look up Students' names if necessary. Getting the data is not a problem. Who I'm allowed to tell, is...

Yes, their admin is not up to scratch (who'd have thought that from a Council, eh?) but they are a regular client and one that we want to keep happy (whilst staying legal)

Our Privacy Policy states that we process user data for the purpose of running the course and issuing the Certificates and that we keep it for xx years thereafter. Not for compiling a list for their bosses when they fail to do so.....

[Lanark]

Sorry, wasn't clear. My bad.

I can find out the names of who passed as I have the hard copy of the paperwork under lock and key and also access to the Certifier's Portal to look up Students' names if necessary. Getting the data is not a problem. Who I'm allowed to tell, is...

I can't answer your main question, but I can tell you that personal records, even on paper and even 'safely locked away' are still subject to GDPR, if you don't have a business or legal reason for retaining them then they need to be handled according to your disposal policy.

I'm probably being paranoid, but part of me is wondering if this council request is really a sneaky way of checking up on your GDPR compliance.

[AndyPandy]

Sorry, wasn't clear. My bad.

I can find out the names of who passed as I have the hard copy of the paperwork under lock and key and also access to the Certifier's Portal to look up Students' names if necessary. Getting the data is not a problem. Who I'm allowed to tell, is...

I can't answer your main question, but I can tell you that personal records, even on paper and even 'safely locked away' are still subject to GDPR, if you don't have a business or legal reason for retaining them then they need to be handled according to your disposal policy.

I'm probably being paranoid, but part of me is wondering if this council request is really a sneaky way of checking up on your GDPR compliance.

That had occurred to me as well, but even if not, because it's a Council, they could be a target for a FoI request so I don't want to be giving information out willy nilly in case someone asks "why are you sharing my test results with xxx".

We do have a Business reason for retaining them for 3 years (the validity of the Certificate) as we could be inspected at any time. After 3 years they are destroyed. Our students are all made aware of this when they complete the course registration form on day 1. We are also registered with the ICO. I like to think we are compliant, but then you get something left field like this. Time to tweak our Policy to cover this I think.

[PaulBullet]

Who paid for the course, the student or the council?

If the council paid then they have a right to know I would suggest. If the students paid then they do not have a right to know

Paul