This Privacy Notice (Notice) describes how Novalis Trust collects and uses your personal data. All our data processing is carried out in accordance with our obligations under the EU General Data Protection Regulation (GDPR).


This Notice tells you what personal data Novalis collects, why we need it, how we use it and what protections are in place to keep it secure.

Key Terms

The terms the Trust, we, us and our mean or refer to Novalis Trust.

personal data means information about individuals (including you), and information from which such individuals could be identified.

young people/residents means any young person at Cotswold Chine School or resident at Paradise House.

you means any individual whose personal data we process, including young people/residents, their family members or representatives, local authority personnel, healthcare and other welfare practitioners, other professional advisors, suppliers, supplier personnel and general business contacts.

Data Controller

Novalis Trust is the Data Controller in relation to your personal data and we take care to protect the privacy rights of individuals.

Information Protection Manager

We are not required under the GDPR to appoint a Data Protection Officer. We have, however, appointed an Information Protection Manager, currently Marcus Rowland, who is responsible for overseeing our compliance with the GDPR and any other applicable data protection legislation and regulation.

The Information Protection Manager can be contacted at  

How does the Trust obtain your personal data?

In some circumstances, we may obtain your personal data from you directly, including through your use of this website, but more typically, we will obtain your personal data from a third-party source, for example, we may collect information from local authorities.

What about personal data relating to others which you provide to the Trust?

If you provide information to us about someone else (such as one of your family members or employees) you must ensure that you are entitled to disclose that information to us and that the person understands that we, without taking any further steps, may process that information in accordance with this Notice.

What personal data does the Trust collect from (and about) you?

We may collect and use various types of personal data about you, which will vary in nature depending on the circumstances and purpose of processing. Here are some illustrative and non-exhaustive examples:

  • personal data about you: name, address, date of birth, marital status, nationality, race, gender, preferred language, job title, work life and restrictions and/or required accommodations, and possibly personal data about your family life;
  • personal data to contact you at work or home: name, address, telephone, and email addresses;
  • personal data to process any payment we might need to make to you personally: bank account details, HMRC numbers and references (where applicable);
  • personal data to monitor your use of our website: see the ‘website cookies and trackers’ section below.

Why do we need to collect and use your personal data?

We may need to collect and use your personal data for one or more of a number of reasons, the primary purpose being to provide care and education to our young people/residents, and this may involve the use of your personal data in one or more of the following (non-exhaustive) ways:

  • to contact you in relation to a young person/resident, whether in your professional or personal capacity;
  • to better understand the background, family history and the care/therapy/educational needs of a young person/resident;
  • to enable us to take into account your views and wishes in connection with the care and/or education of any young person/resident with whom you are connected or for whom you are responsible;
  • to enable the exchange of information between the Trust and external professionals and advisers.

We may also process your personal data for management purposes, which are likely to involve the use of your personal data in one or more of the following (non-exhaustive) ways:

  • to engage and contact suppliers;
  • to carry out internal reviews, investigations and audits;
  • to conduct reporting and analytics;
  • to help measure performance and improve our services;
  • for regulatory and legislative compliance and related reporting; and
  • for the prevention and detection of crime.

What is the Trust’s lawful basis for processing your personal data?

Under the GDPR, we must identify a lawful basis for processing your personal data, and that basis may vary according to the type of personal data processed and the individual to whom it relates, and the nature of the processing.

Performance of a contract with you (where applicable)

If you are a supplier or other individual with a direct contractual relationship with us, we are entitled to process the personal data we require in order to fulfil our obligations under our contract with you.

The legitimate interests of the Trust or a third party

We may process your personal data on the lawful basis that it is in our legitimate interests and/or the legitimate interests of a third party to do so. This will primarily apply to our services as a provider of care, therapy and educational services to young people/residents. Our legitimate interest in such instances is the proper performance of our role as a regulated provider of care, therapy and educational services. The young people/residents also have a legitimate interest (and a more general right in law) in obtaining the care and education that they require.

Our broad interest in the provision of care and educational services as a basis for processing your personal data, and the corresponding interest of the young people/residents in the receipt of such services, can be broken down into more discrete categories which may include (but are not limited to):

  • contacting individuals relevant to matters involving young people/residents, which may involve the use of your personal data;
  • reviewing documents and correspondence that have been disclosed to us which may contain your personal data;
  • preparing documents, plans and correspondence which may contain your personal data;
  • disclosing documents, plans and correspondence which may contain your personal data to various parties in the furtherance of the needs of young people/residents;
  • instructing external professionals or welfare practitioners on behalf of young people/residents;
  • receiving payments from third parties and facilitating payments to young people/residents and third parties; and
  • to allow for all of the above, the secure management and storage of your personal data within our IT environment and hard copy filing systems.

We may also process your personal data on the basis that it is necessary for our legitimate interest in the effective management and running of the Trust, which may include (but is not limited to): engaging suppliers and supplier personnel; ensuring that our systems and premises are secure and running efficiently; for regulatory and legislative compliance and related auditing and reporting; for insurance purposes; and to facilitate, make and receive payments.

We do not consider that the processing of your personal data on the basis of our legitimate interests as described above (whatever such interests might be) is likely to result in any unwarranted prejudicial effect on your rights and freedoms or your own legitimate interests.

Compliance with a legal obligation to which the Trust is subject

In certain circumstances, we may be obliged process your personal data in order to comply with our legal obligations. This might include, but is not limited to, processing required for the purposes of dealing with regulatory inspections or enquiries by Ofsted or the Care Quality Commission, safeguarding purposes, tax and accounting purposes; and to enable us to fulfil our compliance and other obligations under relevant legislation or regulation.

More information relating to the lawful bases for processing personal data can be found on the Information Commissioner’s website (see details below) or by contacting our Information Protection Manager (contact details below).

Special category personal data

If we process any special category personal data, which is data relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, health data, biometric data or sexual orientation, we will obtain your explicit consent to that processing, unless this is not required by law (because, for example, it is processed for the purpose of exercising or defending legal claims) or the information is required to protect your health in an emergency. Where we are processing personal data based on your consent, you have the right to withdraw that consent at any time.

To whom do we disclose your personal data?

We may disclose your personal data to third parties (outside the Trust), but only when it is necessary to do so, and subject to our obligations of confidentiality. Such recipients include but are not limited to: other professionals; our insurance brokers and underwriters; our bank, auditors and accountants; our outsourced IT providers and other suppliers; HMRC; Ofsted; the Care Quality Commission; and law enforcement agencies.

We may also need to disclose your personal data to our consultants who operate in the UK and in the USA. We take suitable steps to ensure that, where the other party concerned is a data processor, they have appropriate data security systems in place and process data solely in accordance with our instructions.

Is your personal data transferred outside the EEA, and if so what safeguards are in place?

Some of the third party service providers we use and some of our consultants are based in, or carry out their activities in, countries outside the European Economic Area (EEA). If in the course of providing services to us any of these service providers process personal data, we have made sure to include in their contract with us standard clauses approved by the European Commission (sometimes called ‘the EU Model Clauses’) to ensure that their processing meets the security standards required within the EU.

How do we protect your personal data?

We have security arrangements in place to guard against unauthorised access, use, alteration or destruction of, or the accidental loss of, your personal data. We take appropriate organisational and technical security measures and have rules and procedures in place to ensure that any personal data we hold is not accessed by anyone unauthorised to access it. We have in place, and strictly comply with, an Information Security and Retention Policy which determines the security standards we use to protect your personal data.

When we use third-party organisations to process your personal data on our behalf, we require them to have appropriate security arrangements in place, they must comply with our contractual requirements and instructions, and they must ensure compliance with the GDPR and any other relevant data protection legislation, all as required under the GDPR.

How long will your personal data be retained by the Trust?

It is our policy to retain your personal data for no more than the length of time required for the specific purposes for which it is processed by us and which are set out in this Notice. However, we may be obliged to keep your personal data for a longer period, for example, where required by our legal and regulatory obligations, or in order to ensure we have effective IT back-up systems. In such cases, we will ensure that your personal data will continue to be treated in accordance with this Notice, we will restrict access to any archived personal data, and ensure that all personal data is held securely and kept confidential.

Website cookies and trackers

Our website uses ‘analytical’ cookies to allow us to recognise and count the number of visitors and to see how visitors move around the site when they are using it. A cookie is a small file of letters and numbers that we put on your computer if you agree. These cookies allow us to distinguish you from other users of our website, which helps us to provide you with a good experience when you browse our website and also allows us to improve our site.

For more information about cookies generally, please visit All About Cookies.

What are your rights?

You have various rights in relation to your personal data under the GDPR:

  • the right of access to a copy of the personal data we hold about you;
  • the right to require us to correct any inaccuracies in your personal data;
  • the right to object to decisions about you being taken by automated means (although we do not make any decisions by automated means);
  • where we have sought your consent, the right to withdraw your consent at any time; and
  • the right to ask us not to process your personal data for direct marketing purposes.

You may also have the following rights in relation to your personal data in certain circumstances:

  • the right to restrict or object to our use of your personal data;
  • the right to require us to provide a copy of your personal data to others; and
  • the right to require us to erase your personal data.

If you wish to exercise any of your rights please contact our Information Protection Manager at

There are exceptions to the rights of individuals in relation to their personal data. However, we will respect your personal data at all times and seek to be as transparent as possible but please be aware that in some instances we may be restricted from even acknowledging that we process your personal data.

How to make a complaint

If you have a question about the information provided in this Notice, or you have a concern or complaint about the way in which we process your personal data, please contact our Information Protection Manager at  In any event you have the right to address a complaint to the Information Commissioner. The Information Commissioner can be contacted at: –

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF The ICO helpline number is 0303 123 1113.