Privacy Policy

INDEX PAGE
1. INTRODUCTION
2. DATA PROTECTION PRINCIPLES
3. DATA WE COLLECT ABOUT YOU
4. HOW WE COLLECT YOUR INFORMATION
5. PURPOSES FOR WHICH WE USE YOUR INFORMATION
6. OUR LEGAL BASIS FOR PROCESSING YOUR DATA
7. SHARING YOUR DATA
8. WEBSITE USE AND COOKIES
9. DATA SECURITY
10. RETENTION OF DATA
11. YOUR RIGHTS
12. CHANGE OF PURPOSE
13. FAILURE TO PROVIDE INFORMATION
14. CHANGES TO THIS PRIVACY NOTICE
15. QUESTIONS OR COMPLAINTS

1. INTRODUCTION

This Privacy Notice explains, in clear and straightforward language, how CareChoice collects, uses, shares, stores and protects personal information. It is intended for prospective residents and service users, current residents and service users, representatives of residents and service users, and visitors.

CareChoice is committed to protecting your privacy and handling your personal data in accordance with applicable data protection law, including the General Data Protection Regulation (“GDPR”) and related Irish data protection law. CareChoice only uses personal data where it is necessary to provide, support and manage healthcare and related services, to meet legal and regulatory obligations, and for other legitimate purposes explained in this Privacy Notice.

CareChoice is the data controller for the personal data described in this Privacy Notice where we decide how and why that personal data is processed for the provision and management of healthcare and related services.

Our contact details are:
CareChoice
Block 10-2, Blanchardstown Corporate Park 1
Blanchardstown, Dublin 15, D15 A25K
Telephone: 01 223 3000
Email: dpo@carechoice.ie

This Privacy Notice explains what personal information we collect, hold, use, and share, why we do so, the legal bases we rely on, how long we keep information, and the rights available to you in relation to your personal data. If anything in this Privacy Notice is unclear, please contact the Data Protection Officer at dpo@carechoice.ie.

2. DATA PROTECTION PRINCIPLES

Under GDPR, personal data must be:

  • processed lawfully, fairly, and transparently
  • collected for specified, explicit and legitimate purposes
  • adequate, relevant, and limited to what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • processed securely to protect against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

We apply these principles when collecting, using, storing, and sharing personal data in connection with our services.

3. DATA WE COLLECT ABOUT YOU

Personal data means information relating to an identified or identifiable individual. It does not include information where identity has been removed so that the individual is no longer identifiable (anonymous data).

To support the delivery of appropriate care and treatment, to administer admission and residency arrangements, to comply with contractual, legal, and regulatory obligations, and to support the safe and effective operation of our services, CareChoice may collect, store, and use the following categories of personal data.

A. Information about prospective and current residents/service users

This may include:

  • pre-admission assessment details
  • records and clinical information received from acute hospitals, transferring facilities or other healthcare providers, including referral letters, discharge summaries and other relevant information relating to a resident’s/service user’s care, treatment, condition or support needs
  • your name, address and contact details, including email address and phone number
  • a recent photograph
  • date of birth, sex, and marital status
  • details of the date you were first admitted to the residential home/facility
  • details of discharge from the residential home/facility
  • details of transfer from the residential home/facility, where applicable
  • the name and address of any authority, organisation or other body that arranged admission to the residential home/facility
  • details of your GP and of any officer of the Health Service Executive whose duty it is to supervise your welfare
  • details of emergency contacts, including the name, address, and telephone number of next of kin or any person authorised to act on your behalf
  • records of legal, decision support or representative authority documents relevant to care, treatment, residence, financial administration or decision making, such as enduring powers of attorney, powers of attorney, decision making representation orders, and advance healthcare directive or designated healthcare representative documentation, where provided to us
  • individual assessments and care plans
  • records of medical, nursing and, where appropriate, psychiatric condition at the time of admission
  • records relating to medication, nursing care, specialist healthcare, and nutrition
  • daily progress notes and nursing records
  • medication administration records
  • records of ongoing medical assessment, treatment and care provided by the residential home/facility and GP, including where relevant the initial Comprehensive Assessment Form, a copy of the Fair Deal Care Needs Assessment, dependency assessments, and individual assessments relating to specific needs such as continence, falls, and nutrition
  • vaccination records
  • records of medical referrals and follow-up appointments
  • records of decisions not to receive certain medical treatments or of refused treatment
  • records of accidents or incidents that occur during residence or treatment
  • records of specialist communication needs
  • records of money or valuables deposited within the residential home/facility
  • records of furniture brought into the residential home/facility
  • correspondence to or from the residential home/facility in relation to care, including the Contract of Care
  • records of complaints received from or about residents/service users
  • PPS number where required for the administration of healthcare services, medical card processing or compliance with legal obligations.

B. Financial and payment information

This may include:

  • information provided when payment is made to us, such as financial information or credit card information
  • financial information relating to the Fair Deal contribution and any additional fees payable under the Contract of Care
  • financial information where CareChoice has been appointed as pension agent for a resident/service user
  • bank details, individual statements and invoices for care services provided
  • financial information relating to transitional funding.

C. Information about representatives, next of kin and family members

Where a person interacts with us as next of kin, representative or family contact for a resident/service user, we may collect personal data such as:

  • name
  • phone number
  • postal address
  • email address
  • payment or card details where relevant to payments or billing.

D. Information about visitors

  • information recorded when signing the visitors’ book
  • information provided in any visitor questionnaire
  • CCTV images where CCTV systems operate for safety and security purposes.

E. Other records and operational information

  • notification forms that CareChoice is required to send to HIQA
  • risk assessments
  • images stored on CCTV systems used at our facilities for safety and security purposes
  • communications and digital content, including content shared through digital channels or social media in connection with community life, events, and organisational activities, which may include images of residents or service users participating in social activities.

F. Special category personal data

Some of the information we process is classed as special category personal data under GDPR and receives additional protection under law. This may include information about:

  • health, medical conditions, or disabilities
  • religion or beliefs
  • ethnicity
  • political opinions
  • sexual orientation
  • biometric data.

For clarity, not every category of information listed above will apply to every individual. The information we collect will depend on your relationship with CareChoice and the services or interactions involved.

4. HOW WE COLLECT YOUR INFORMATION

We may collect personal data from a range of sources, depending on the circumstances. These include:

  • directly from you, including during enquiry, admission, assessment, care, treatment, communication, or other interactions with us
  • forms completed by you
  • conversations with you
  • family members, representatives or next of kin
  • referring GPs or consultants
  • hospitals and other healthcare professionals
  • members of the multidisciplinary team
  • acute hospitals, transferring facilities and other healthcare providers involved in your care or transfer.

In some cases, we may also generate personal data ourselves in the course of providing care, treatment, administration, safety, compliance, and service management, for example through care notes, incident records, assessments, billing records, complaint records, and CCTV footage.

5. PURPOSES FOR WHICH WE USE YOUR INFORMATION

We use personal data for the following purposes:

  • to process enquiries, assessments, and admissions
  • to deliver personalised care, treatment, and support
  • to create, maintain and review care plans and clinical records
  • to record, manage and communicate information relating to care, treatment and service delivery using secure digital systems
  • to communicate with residents/service users and, where appropriate, with family members, representatives or next of kin
  • to support clinical decision making
  • to manage medications, referrals, appointments, and ongoing care
  • to generate accurate billing, account records, invoices, and related financial administration
  • to manage Fair Deal, pension agency, and other funding-related administration where applicable
  • to respond to complaints, incidents, safeguarding concerns, and service issues
  • for auditing, quality assurance, compliance, governance, and service improvement
  • to comply with legal and regulatory obligations
  • to protect the safety and security of residents, service users, visitors, staff, and property, including through CCTV where in use
  • to communicate with residents’ families and representatives using secure digital tools
  • to verify who is authorised to make decisions, receive information, give instructions or act on behalf of a resident/service user in relation to care, treatment, residence, financial matters or other relevant arrangements
  • to share information about community life, events and organisational activities through communications and digital channels, including social media, where appropriate.

Where photographs, videos or similar images are used for optional communications, publicity, or social media purposes, we will rely on an appropriate lawful basis and, where consent is required, we will seek it separately. A refusal to participate in optional photography or publicity will not affect the care or services provided.

6. OUR LEGAL BASIS FOR PROCESSING YOUR DATA

Under GDPR, we must have a lawful basis for processing personal data. Where we process special category personal data, such as health information, we must also meet an additional condition under Article 9 GDPR. Depending on the circumstances, we rely on the following legal bases:

Article 6 GDPR lawful bases

  • Article 6(1)(b) – Contract: where processing is necessary to take steps at your request before entering into a contract, or to perform a contract for care, accommodation, or related services.
  • Article 6(1)(c) – Legal obligation: where processing is necessary for compliance with legal and regulatory obligations applying to CareChoice.
  • Article 6(1)(d) – Vital interests: where processing is necessary to protect someone’s vital interests, for example in urgent or emergency situations.
  • Article 6(1)(f) – Legitimate interests: where processing is necessary for the legitimate interests pursued by CareChoice or a third party, provided those interests are not overridden by your interests or fundamental rights and freedoms.
  • Consent – In some limited circumstances, we may rely on consent, particularly where processing is optional and not necessary for the provision of care or to comply with legal obligations. Where we rely on consent, you may withdraw it at any time, although this will not affect the lawfulness of processing carried out before withdrawal.

Article 9 GDPR conditions for special category data

Where we process special category personal data, including health data, we rely in particular on:

  • Article 9(2)(h) – processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services
  • Article 9(2)(c) – processing necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent, where relevant in emergency situations
  • any other condition permitted by applicable law where relevant in the particular circumstances.

The lawful basis that applies will depend on the nature of the relationship with you, the type of information involved, and the purpose of the processing.

7. SHARING YOUR DATA

We may share personal data where necessary and proportionate with:

  • healthcare providers, consultants, and other professionals involved in care or treatment
  • ambulance services
  • HIQA, the Health and Safety Authority, the Department of Social Protection, An Garda Síochána and other regulators, public authorities or statutory bodies where required or permitted by law
  • the Health Service Executive (HSE), where required to support the provision, coordination, oversight and regulation of health and social care services. In some cases, the HSE may process personal data on our behalf under data protection arrangements; in other cases, it may process personal data under its own statutory responsibilities
  • insurers
  • legal advisors or representatives, where necessary
  • the Coroner, where we are required or requested to disclose personal data, including health information, under the Coroners Acts 1962 to 2024 for the purposes of investigating and determining the cause and circumstances of a death
  • attorneys, decision supporters, decision making representatives or designated healthcare representatives, where authorised and where relevant to the resident’s/service user’s care, treatment or other arrangements
  • service providers and technology providers who support our systems and services, including care management systems, secure family engagement platforms, hosting providers, and other IT or administrative support providers. Where such providers process personal data on our behalf, they do so under contractual data protection and confidentiality obligations and only on our instructions.
  • relevant personnel and organisations where we are under a duty to disclose information to comply with a legal obligation or to perform contractual duties owed to you.

We do not share personal data more widely than is necessary, and where appropriate we take steps to ensure that recipients are subject to confidentiality and data protection obligations.

Some service providers may process personal data outside the European Economic Area (EEA). Where this occurs, we will ensure that appropriate safeguards are in place in accordance with data protection law, for example by relying on an adequacy decision or approved standard contractual clauses.

8. WEBSITE USE AND COOKIES

CareChoice may collect personal data through its website where you provide it to us directly, for example through enquiry or contact forms. In addition, when you visit the website, certain technical information may be collected automatically, which may include:

  • IP address
  • browser type
  • device type
  • pages visited
  • time spent on site.

We use this information to operate, secure, and improve the website, to understand how the website is used, and to support performance and user experience analysis.

Some technical information may be collected through analytics technologies used to understand how the website is used and to improve its performance. Where optional cookies or analytics technologies are used, these will only be activated where you have provided consent through the website’s cookie banner.

For information about cookies, please refer to our Cookie Policy. Our Cookie Policy explains the types of cookies we use, including essential cookies required for the operation of the website and optional cookies, such as analytics cookies where used. It also explains how you can accept or decline non-essential cookies, how your cookie preferences are remembered, and how long cookies remain on your device.

9. DATA SECURITY

We take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

These measures include:

  • password-controlled access to digital systems
  • multi-factor authentication (MFA), where appropriate, for access to digital systems and accounts
  • role-based access controls so that only authorised staff can access personal data where needed for their work
  • secure storage of paper records
  • staff confidentiality obligations, policies, and training
  • incident response procedures for personal data breaches
  • secure hosted systems and infrastructure used to manage care records and operational information.

No organisation can eliminate all risk entirely, but we work to maintain appropriate safeguards and to review and improve them over time.

10. RETENTION OF DATA

We retain personal data only for as long as necessary for the purposes for which it was collected, including to provide care, to comply with legal, regulatory, contractual, safeguarding, financial and operational obligations, and to establish, exercise or defend legal claims where necessary.

Retention periods may vary depending on the type of record. For example, different periods may apply to care and clinical records, financial and billing records, complaints records, visitor records, enquiry records, and CCTV footage.

Further detail about applicable retention periods is set out in our Data Retention Schedule, which is available on request.

11. YOUR RIGHTS

Subject to the conditions and limitations set out in data protection law, you may have the right to:

  • request access to the personal data we hold about you
  • request correction of inaccurate or incomplete personal data
  • request erasure of personal data in certain circumstances
  • object to processing in certain circumstances, including where we rely on legitimate interests. Where we rely on legitimate interests, we will consider any objection and will respect it unless we have compelling legitimate grounds to continue the processing or another lawful basis applies
  • request restriction of processing in certain circumstances
  • request data portability, where applicable
  • withdraw consent at any time, where processing is based on consent
  • lodge a complaint with the Data Protection Commission.

You may exercise your rights by contacting the Data Protection Officer at dpo@carechoice.ie or by post to:

Data Protection Officer
CareChoice
Block 10-2, Blanchardstown Corporate Park 1
Blanchardstown, Dublin 15, D15 A25K.

12. CHANGE OF PURPOSE

We will only use personal data for the purposes described in this Privacy Notice unless we reasonably consider that another use is compatible with the original purpose and permitted by law. If we need to use personal data for a new purpose that is not compatible with the original purpose, we will notify you and, where required, explain the legal basis for that further processing.

13. FAILURE TO PROVIDE INFORMATION

Where personal data is required so that we can assess admission, provide care or treatment, comply with legal or regulatory obligations, administer contracts, or ensure safety, failure to provide that information may mean that we cannot admit you, provide the care or services requested, or meet our obligations properly. Where information is optional, we will aim to make that clear.

14. CHANGES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time to reflect changes in our services, practices, legal requirements or regulatory guidance. The most recent version will be made available on our website or on request.

15. QUESTIONS OR COMPLAINTS

If you have any questions, concerns, or complaints about how your personal data is handled, please contact:

Data Protection Officer

Email: dpo@carechoice.ie

Post: CareChoice, Block 10-2, Blanchardstown Corporate Park 1, Blanchardstown, Dublin 15, D15 A25K.

You also have the right to lodge a complaint with the Data Protection Commission, which is the supervisory authority for data protection in Ireland. Information about how to make a complaint is available from the Data Protection Commission.

We encourage you to contact us first so that we can try to resolve your concern, but you are always entitled to contact the Data Protection Commission directly.