Yeah, I’m very confused by this. Why do the users notifying IT have to do the training?
I’ve worked a help desk before, while after dozens of people sending it in we don’t really need it forwarded anymore, people don’t know that until we get the I’d still rather people forward it than click it. Ignore and delete is best since I guarantee someone will forward it to IT, but forwarding (even forwarding and asking) is never bad and demonstrates good awareness.
You seem annoyed at either possibility here. Which would you prefer?
Because if they let third party scrapers access the private data without user action, it’s not private and they may as well not do this at all.