Skip to content

GDPR guidelines for Academic Advisors

As Academic Advisors (AA’s) we need to be mindful of the requirements of GDPR compliance which relates to data protection. These guidance notes have been developed in conjunction with Helen Williamson, Head of Information Governance, Directorate of Governance, Legal and Sector Regulation at Sheffield Hallam University and are also available as a Word document.

Notes relating to students

Any notes about students or records of meetings that are taken in paper format (this includes proformas and notes in notebooks) can be retained by academic staff if they feel they might be of use or relevant to supporting that student in the future. However, in line with GDPR they should be retained in a secure way, for example in a locked drawer or cabinet. 

Data protection legislation requires us to keep personal data secure and only accessible to those who need to access the data for legitimate work purposes.  Unauthorised access to personal data would constitute a data breach in the same way that loss or theft of data would be a breach.  All personal data breaches should be reported immediately to the IT Helpdesk (Tel 3333) – see Data Security Incidents ( for further information.

Notes of meetings should be made in Learning Analytics, in line with the Guidance for Note Taking Function of Learning Analytics and the ‘How to Guide’ for making notes in Learning Analytics.

Emails about students

Emails that contain information relating to students that are sent within the University network/firewall/email system, for example to their Course Leader will also be in a secure format and so processed in line with GDPR. It is recommended that AA file emails related to the students in a specific folder for ease of management and erasure of them after the expiration period (see * below). Best practice in terms of file management would be to have a folder for each cohort, with any trailing students added to the relevant folder at the end of each academic year.

Communications from Academic Advisers to Student Support Advisers should be made through the Student Support Referral Form accessed via the Academic Adviser page of the Student Support Triangle SharePoint page as this is in line with GDPR security requirements.

However AAs should be aware that they should only forward information provided by students/about students if the recipient has a legitimate reason to know the information for their role. There is specific information that academic staff should be particularly careful about sharing – termed special category data;

racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• data concerning health
• data concerning a natural person’s sex life or sexual orientation
• genetic data
• biometric data for ID purposes

This may include information about;

• Disability
• Complex family circumstances
• Sickness absence
• Personal assault
• Gender transitioning

If an academic member of staff thinks special category data that a student has disclosed to them in confidence needs to be shared then they should gain consent from the student to do so, unless in a situation where they are genuinely concerned about a students’ safety. Sharing and other processing of data in a student’s vital interests (i.e. life and death circumstances) and for safeguarding purposes are permitted but need to relate to safety and significant wellbeing issues. 

Please contact the Information Governance Team for further advice if considering sharing data for these purposes outside the University.

* Deleting/Destroying/Erasing information

Academic staff can retain notes/emails/information about students for the duration of their studies, but it should be erased typically one year after students exit the course.

Where a student has appealed or complained the university will collate information from a range of areas (including academic advisors) and hold it centrally for ‘last action on case’ plus six years. In exceptional cases where there is a complex profile you may need to refer back to or there are other ongoing issues, you can retain for student exit plus six years.

Paper records containing personal data should be disposed of via the confidential waste process (white sacks available from Facilities Directorate) or by shredding. Personal data should not be put into recycling bins, general waste bins, or skips.

Data Subject Rights

Academic Advisors should familiarise themselves with the rights that students have with respect to their personal data. One of these rights is the right of subject access which allows students to obtain copies of all their personal data held by the University. This includes access to copies of documents, handwritten notes and emails held by AAs.

In Summary

Academic staff must consider the following when recording information about students:

  • What information have we recorded? – Are we recording information for a legitimate reason?
  • Who are we sending information to? – Does the recipient really need the level of information you are providing in order to do their role?
  • Where are we storing the information? – Is it held in a secure way? (Locked draw, in secure network location, via university email)
  • How long should we retain it for? – One year after exit for standard students. Six years after exit for students with more complex profiles.
  • Is the data accurate? – We have a duty to ensure that personal data is accurate and, where necessary, up to date.
For advice on GDPR please contact the Information Governance Team:
For urgent issues: please call 0114 225 ext. 3361 or 6496 or 2818

Last updated: 17th September 2021 NB