Privacy Notice 

As part of its clinical podiatry service, The Leaf Hospital, the University of Brighton collects and processes personal data relating to you and your health. The University is committed to being transparent about how it collects and uses that data and to meeting its data protection obligations.

Data Controller 

The Data Controller is the University of Brighton, Mithras House, Lewes Road. If you would like information about how the University uses your personal data, please contact 01273 642010.

Data Protection Officer  

The Data Protection Officer is responsible for advising the University on compliance with Data Protection legislation and monitoring its performance against it. If you have any concerns regarding the way in which the University is processing your personal data, please contact the Data Protection Officer: Rachel Page, Head of Data Compliance and Records Management, 01273 642010.

What information does the University collect?

The University collects a range of information about you. This includes: 


  • your name, address and contact details, including email address and telephone number; 

  • whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process; 

  • your health and medical history, including any prescriptions you have been issued with.


The University collects this information in a variety of ways. For example, data might be contained in application forms, obtained from your identity documents, or collected through interviews or other forms of assessment.


The University will also collect personal data about you from third parties, such as health records supplied by the NHS or GPs.


Why do we collect your data? 

We take your details to understand the issues you are reporting about your foot health so that we may begin to plan your treatments, assign you to the appropriate clinic or practitioner and determine what other support you might need in relation to your foot health. The University processes this data as part of a contract we have with you to deliver your treatment.

The University has a legitimate interest in processing personal data during this process and keeping records of the process. This includes the provision of clinical care, which offers learning opportunities for our students and, for patients, allows the University to manage the treatment process and assess patients' risk factors in order to decide whether it is suitable for us to treat them. The University may also need to process data from patients to respond to and defend against legal claims.


Where the University relies on legitimate interests as a reason for processing data, it has considered whether or not those interests are overridden by the rights and freedoms of employees or workers and has concluded that they are not. 


The University processes Article 9(2) special category data, in particular your health, under condition H for the purposes of health and social care.



The University will not use your data for any purpose other than those mentioned above.


How your data is held 

Your personal data is held within our email system briefly before being transferred to our patient records system and accessed by staff within the Leaf Hospital administrative and clinical teams.

Who has access to data? 

Your information will be shared internally for the purposes of planning and carrying out your treatment. This includes members of the clinic reception team, clinic manager, clinical staff and students involved in your treatments.

The University will not share your data with third parties, with the single exception of the NHS if you have been referred from them or are referred on to one of their services by us.


How does the University protect data? 

 The University takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.  

 Where is your data held? 

Your data is held on the University servers on our patient records system and in securely stored paper records within the Leaf Hospital.

All data relating to the Leaf Hospital Podiatry services is held within the EEA and will not be transferred outside of the EEA.

How long will we keep your data?

We will retain your data for a period of seven years for adult patients and 20 years for child patients as per the law on retention of medical records.

Privacy notices and/or consent 

You have the right to be provided with information about how and why we process your  personal data. Where you have the choice to determine how your personal data will be used, we will ask you for consent. Where you do not have a choice (for example, where we have a legal obligation to process the personal data), we will provide you with a privacy notice. A privacy notice is a verbal or written statement that explains how we use personal data. 

Whenever you give your consent for the processing of your personal data, you receive the right to withdraw that consent at any time. Where withdrawal of consent will have an impact on the services we are able to provide, this will be explained to you, so that you can determine whether it is the right decision for you. 

Data subject's rights  

Data subjects have a number of rights, including access, rectification and erasure. Information on how to exercise these rights can be found at Requesting information or by contacting 01273 642010.

We will not use your personal data for automated decision making or profiling about you as an individual.


Changes to this notice 

We keep our privacy notices under regular review. This privacy notice was last updated in May 2022.

Other privacy notices 

We do our utmost to protect your privacy. Please be aware that other privacy notices exist within the University in respect of data held, including, but not limited to, activities in relation to your enquiries, application, current students, alumni and use of our website. See Privacy notices and Record of Processing Activities.