Privacy Statement
Marcus and Marcus provide individual packages of support to enable people affected by Autism or a Learning Difficulty to live an ordinary life in their community
Marcus & Marcus Service User Privacy Notice
Introduction
Marcus & Marcus is a private company. We are paid by public organisations like the NHS and local councils to support people who are autistic or have a learning difficulty. We help people live safely and independently in their own community.
We follow the UK’s data protection laws. These are called the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These laws give you rights over your personal information. They also mean we must be open and honest about what we do with your data.
We take your privacy seriously. We do everything we can to keep your personal information safe. This privacy notice explains:
- What information we collect about you
- Why we collect it
- What your rights are
- How to contact us if you have any questions or worries
If you want to know more about the type of information we use, why we use it, or how long we keep it, just contact us. Our details are in this notice. We’re happy to help explain anything.
Data Controller
Marcus & Marcus is the Data Controller of the personal data to which this privacy policy relates. This means that we are responsible for making sure that we process your personal data in a safe and lawful way.
We are registered with the Information Commissioner’s Office, who regulate the data protection laws in the UK. Our registration number is Z273820X.
Marcus & Marcus is part of the RCI Group. Where we refer to Marcus & Marcus in this privacy notice, this includes authorised members of the wider RCI Group where necessary. An intra-group data sharing agreement is in place to ensure personal data is shared lawfully and securely between group entities for specified purposes, such as central governance, safeguarding, finance, and IT support.
Our Contact Details
Should you have any queries in relation to your information or this privacy notice, please contact us directly using the details provided below:
- Full Name: Marcus & Marcus Ltd
- Email address: administration@marcusandmarcus.co.uk
- Registered Office: Unit 46 The Wenta Business Centre, Electric Ave, Enfield, EN3 7XU
- Telephone: 0208 366 8131
Data Protection Officer
You can contact our data protection officer via email on RCI-DPO@rcigroup.co.uk
Personal Data Processed
Personal data is any information we have that can identify you, such as your name, date of birth, or medical history.
Our data retention period, which is the length of time we hold your personal data, is informed by our commissioners and the Department of Health, NHS England and professional bodies such as the British Medical Association and The Health and Care Professions Council.
We might also keep some information that doesn’t identify you to help improve our business and our services, as well as helping with health research. We do this by removing your identifiable information, such as your name, date of birth and contact details, to form ‘de-identified’ data.
We process the following personal data for the purposes listed. Where we use personal data, we will only use the minimum necessary personal data for that purpose.
Your Personal Information
We collect some personal information about you. This includes things like:
- Your name and contact details
- Your date of birth and address
- Your NHS number and National Insurance number
- Information about who supports you, like your next of kin
- Information about your financial support and bank details
We may also collect private or sensitive information about you. This might include:
- Details about your health or your support needs
- Your background or things that are important to your care
We only collect the information we need to support you properly. Because we are funded by public organisations like the NHS and local councils, the law allows us to use this information to provide your care. This is called a public task under the law. When we use health or care information, the law says we can do this because it is necessary for your care and support.
This means we are using your information legally and fairly.
CCTV
We use CCTV at our office for security purposes and at certain locations (a client’s home) where it is deemed necessary for safeguarding and operational safety. We are the data controller for all CCTV systems we operate. Prior to implementation at any service location, a Data Protection Impact Assessment (DPIA) is conducted to ensure lawful, proportionate, and transparent use in accordance with data protection regulations. CCTV signage is clearly displayed, access is restricted to authorised staff, and footage is retained for 30 days.
Why we use your Information
We use your information to help plan and provide the care and support that’s right for you. This includes:
- Understanding your care needs
- Making a support plan that suits you
- Speaking with you and the people who help you, like your family or professionals
- Arranging any payments or funding
- Keeping you safe and meeting our legal responsibilities
We are allowed to use your information because we are a care provider working on behalf of public services like the NHS or local councils. This means we are using your information in a fair and legal way to support your health and wellbeing.
We only use the information that is relevant. We do not collect more than we need.
Who We Share Your Information With
We sometimes need to share your information with people or organisations that are involved in your care and support.
We may share your information with:
- NHS staff, such as your GP or hospital team
- Social workers or care managers from your local council
- Other care providers who help look after you
- Organisations that fund your care
- Regulators or inspectors who check we are doing things properly
- Emergency services like the ambulance or police (if needed to keep you or others safe)
- Legal professionals or safeguarding teams (when required)
- Trusted companies that help us run our services, like our IT provider
If we share your information, we make sure it is only done when necessary, safe, and allowed by law. We always protect your privacy.
We are also part of a group of companies called the RCI Group. Sometimes we may need to share your information with other organisations in this group. This is only done for important things like safeguarding, finance, or IT support. We have a special agreement in place to make sure your information stays safe and is only used when it should be.
Information We Receive About You
Sometimes we receive information about you from other people or services who are involved in your care. This helps us understand your needs better and provide you with the right support.
We may receive information from:
- The NHS or your GP
- Hospitals or clinics
- Your local council or social care team
- Previous care providers
- Legal representatives or advocates who support you
We only use this information to support your health and wellbeing and to carry out our responsibilities as your care provider.
Where we store and process your data
We store your personal information securely on cloud and computer systems. These are managed by trusted companies who help us run our services.
Your information is not stored or processed outside the UK or the European Economic Area (EEA).
Protecting Your Personal Data
We take the protection of your information very seriously.
Here are some of the ways we keep your data safe:
- Your information is stored securely on protected computer systems
- Only staff who need to see your data can access it
- We use passwords and extra security checks (like multi-factor authentication)
- All staff are trained every year on how to keep information safe
- We follow national standards, including the NHS Data Security and Protection Toolkit
- Our systems have role-based access, so people only see what they need to do their job
- We also review our systems regularly to make sure they stay secure
How long we keep your data
We only keep your information for as long as we need it.
- If you are an adult, we keep your care records for 8 years after you stop using our service or after your death.
- If you are under 18, we keep your records until your 25th birthday, or for 8 years after your death if that happens sooner.
We also keep other types of records for different lengths of time. For example:
- Health and safety or fire safety records
- Complaints or incidents
- Staff or contractor details
These are kept according to the law and guidance from our commissioners and professional bodies. We regularly review our records and delete information when we no longer need it.
We keep CCTV footage for 30 days.
Personal Data Relating to Suppliers, Contractors, and Commissioners
In addition to supporting our service users, we collect and process personal information about individuals we work with, including suppliers, contractors, consultants, and commissioning bodies such as the NHS and local authorities.
What We Collect
The personal data we hold may include:
- Full name, job title, and professional contact details
- Employment or company information (e.g. role, employer, service area)
- DBS certificate information, where required for safeguarding
- Qualifications, references, or professional registration details
- Bank or payment details (for sole traders or reimbursements)
- Communications, meeting notes, and relevant correspondence
Why We Collect It
We use this information to:
- Manage contracts, agreements, and professional relationships
- Ensure service delivery and quality monitoring
- Carry out safeguarding and due diligence checks
- Communicate about the services we provide
- Comply with legal, regulatory, and audit obligations
Lawful Basis
Our lawful basis for processing this information will usually be:
- Contract – where we have a working agreement with you
- Legitimate Interests – for managing our business relationships and keeping accurate records
- Legal Obligation – for safeguarding, compliance, and statutory record keeping
Our legitimate interests include:
- Keeping up-to-date records of who we work with
- Managing contracts and communication with partners or suppliers
- Ensuring the safe and lawful running of our organisation
- Protecting our staff and service users through due diligence, safeguarding, and quality checks
Who We Share It With
We may share supplier or commissioner details with:
- Relevant staff and managers within Marcus & Marcus
- Commissioning organisations and contract leads
- Regulatory bodies or auditors
- Legal advisers or safeguarding authorities (where appropriate)
We only share information when necessary, and with safeguards in place.
How Long We Keep It
We keep records relating to suppliers and contractors for up to 7 years after the end of the working relationship, in line with financial and legal requirements. If the data forms part of a safeguarding record or legal file, we may retain it for longer as required by law.
We review commissioner and partner contact details regularly and remove or update them when individuals leave their role or when no longer needed.
Keeping It Secure
This information is stored securely in our internal systems and protected by the same safeguards we use for service user data, including role-based access controls and secure cloud storage.
Individual Rights
You have rights under data protection law. This means you can:
- Ask to see the information we hold about you
- Ask us to correct any information that is wrong or out of date
- Ask us to delete your information (in some cases)
- Ask us to stop or limit how we use your information
- Say no to us using your information in certain ways
- Ask us to send your information to someone else (this is called data portability, and only applies in some situations)
These rights are not always guaranteed. Sometimes we may need to keep using your information because of the law or to keep you or others safe. If that happens, we will explain why.
If you want to use any of these rights, please contact us by email at: administration@marcusandmarcus.co.uk
We will always try to help.
Right to Complain to the ICO
We work hard to treat your information properly. But if you are worried about how we use your data, you can contact us to talk it through.
If you’re still not happy, you have the right to make a complaint to the Information Commissioner’s Office (ICO). This is the organisation that checks whether people are following data protection laws. Their contact details are:
By phone: 0303 123 1113 (Monday–Friday, 9 am–5 pm)
By email: casework@ico.org.uk
By post:
Customer Contact
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
This privacy notice was last reviewed on 01.12.2025