Acceptable Use Policy (Clients)

Privacy Policy and User Data Policy

MCare NI

Effective date: 1 May 2026
Last updated: 1 May 2026

This Privacy Policy explains how M CARE (NI) LTD, trading as MCare NI, collects, uses, stores, shares, retains and deletes personal data when you use our website, mobile application, online forms, client portal, staff portal, care services, recruitment services or any other service operated by us.

This policy applies to:

  • clients and service users;
  • family members, representatives and emergency contacts;
  • healthcare assistants, care workers, employees and contractors;
  • job applicants;
  • website, app and portal users;
  • professionals, commissioners, suppliers and other people who interact with us.

This policy is intended to meet the requirements of the UK General Data Protection Regulation, the Data Protection Act 2018 and applicable privacy laws.

We are committed to protecting your privacy and handling personal data lawfully, fairly and transparently.


1. Who we are

MCare NI is a trading name of M CARE (NI) LTD.

Company name: M CARE (NI) LTD
Company number: NI633898
Registered in: Northern Ireland, United Kingdom
Registered office: Graham House, Knockbracken Healthcare Park, Saintfield Road, Belfast, Antrim, BT8 8BH
Telephone: 028 9070 3703
Website: www.mcareni.co.uk
Privacy contact email: dpo@mcareni.co.uk

For the purposes of data protection law, M CARE (NI) LTD is the data controller for the personal data we decide how and why to process.

If you have any questions about this Privacy Policy, your personal data, data retention or data deletion, please contact us at:

Data Protection Officer / Privacy Contact
MCare NI
Graham House, Knockbracken Healthcare Park
Saintfield Road
Belfast
Antrim
BT8 8BH
Email: dpo@mcareni.co.uk
Telephone: 028 9070 3703


2. What personal data we collect

The personal data we collect depends on your relationship with us and how you use our services.

2.1 Clients and service users

We may collect and process:

  • full name;
  • address;
  • telephone number;
  • email address;
  • date of birth;
  • gender;
  • emergency contact details;
  • next of kin details;
  • care needs;
  • health conditions;
  • medication information;
  • mobility information;
  • disability information;
  • allergies;
  • care preferences;
  • care plans;
  • risk assessments;
  • appointment, visit and rota information;
  • notes recorded by care workers;
  • safeguarding information;
  • incident records;
  • complaints and feedback;
  • billing and payment information;
  • communications with you, your family, representatives, commissioners or healthcare professionals.

2.2 Family members, representatives and emergency contacts

We may collect:

  • name;
  • relationship to the client or service user;
  • telephone number;
  • email address;
  • address;
  • communication records;
  • information provided in connection with care planning, safeguarding, complaints or emergency situations.

2.3 Healthcare assistants, care workers, employees and contractors

We may collect:

  • full name;
  • address;
  • telephone number;
  • email address;
  • date of birth;
  • national insurance number;
  • right-to-work information;
  • identity documents;
  • employment history;
  • CV and application information;
  • references;
  • qualifications;
  • training records;
  • professional registrations;
  • AccessNI, DBS or background-check information where required;
  • payroll information;
  • bank details;
  • tax and pension information;
  • rota, attendance and timesheet information;
  • performance records;
  • disciplinary or grievance records;
  • accident, incident or safeguarding records;
  • communications with us;
  • system login and app usage records.

2.4 Job applicants

We may collect:

  • name;
  • contact details;
  • CV;
  • employment history;
  • qualifications;
  • references;
  • interview notes;
  • right-to-work information;
  • background-check information where relevant;
  • recruitment communications;
  • equal opportunities monitoring information where provided.

2.5 Website, app and portal users

When you use our website, app, online forms or portals, we may collect:

  • name;
  • email address;
  • telephone number;
  • account login details;
  • username or user ID;
  • password or authentication information;
  • IP address;
  • device information;
  • browser type;
  • operating system;
  • app version;
  • access times and dates;
  • pages viewed;
  • form submissions;
  • messages sent through our systems;
  • audit logs;
  • security logs;
  • cookie and tracking information.

2.6 Special category data

Because we provide care-related services, we may process special category data, including:

  • health information;
  • disability information;
  • care needs;
  • medication information;
  • safeguarding information;
  • information about physical or mental health;
  • information about racial or ethnic origin, religious beliefs or similar information where relevant to care preferences or equal opportunities monitoring.

We only process special category data where we have a lawful basis and an additional legal condition under UK data protection law.


3. How we collect personal data

We may collect personal data directly from you when you:

  • visit our website;
  • use our mobile app or portal;
  • complete an online form;
  • request care services;
  • contact us by phone, email, post or online message;
  • register for an account;
  • apply for a job;
  • attend an interview;
  • provide documents to us;
  • receive care or support from us;
  • make a complaint or enquiry;
  • provide feedback.

We may also receive personal data from third parties, including:

  • family members;
  • representatives;
  • emergency contacts;
  • healthcare professionals;
  • hospitals;
  • GPs;
  • social workers;
  • local authorities;
  • NHS bodies;
  • commissioners;
  • recruitment agencies;
  • referees;
  • training providers;
  • background-check providers;
  • regulators;
  • safeguarding authorities;
  • public bodies where lawful and necessary.

4. Why we use personal data

We use personal data for the following purposes:

  • to provide care and support services;
  • to assess care needs;
  • to create, update and manage care plans;
  • to arrange care visits;
  • to allocate healthcare assistants or care workers;
  • to manage rotas, attendance and timesheets;
  • to communicate with clients, families, representatives and professionals;
  • to manage safeguarding concerns;
  • to record incidents, accidents and complaints;
  • to monitor quality and safety;
  • to manage accounts, payments and invoices;
  • to recruit and onboard staff;
  • to verify identity and right to work;
  • to conduct background checks where required;
  • to manage employment, payroll, training and performance;
  • to comply with legal, regulatory, tax, employment and care obligations;
  • to maintain secure systems;
  • to prevent fraud, misuse and unauthorised access;
  • to respond to enquiries;
  • to improve our website, app, systems and services;
  • to establish, exercise or defend legal claims.

5. Lawful basis for using personal data

We only use personal data where we have a lawful basis under data protection law.

Depending on the circumstances, we may rely on one or more of the following lawful bases:

Contract

We may process personal data where it is necessary to provide services to you, manage a care arrangement, manage an employment relationship or take steps before entering into a contract.

Legal obligation

We may process personal data where we are legally required to do so, including for employment law, tax law, care regulation, safeguarding, health and safety, financial record keeping and regulatory reporting.

Legitimate interests

We may process personal data where it is necessary for our legitimate business interests, provided your rights and freedoms do not override those interests.

Our legitimate interests include:

  • running and improving our services;
  • managing communications;
  • protecting our systems;
  • preventing fraud and misuse;
  • ensuring service quality;
  • managing complaints and disputes;
  • keeping appropriate business records.

Vital interests

We may process personal data where necessary to protect someone’s life, health or safety, including in medical emergencies or safeguarding situations.

Public task

Where applicable, we may process personal data where necessary for functions carried out in the public interest, including care, safeguarding or commissioned services.

Consent

We may rely on consent where required, such as for certain optional communications, optional cookies or specific uses of personal data.

Where we rely on consent, you can withdraw your consent at any time.


6. Special category data and health information

Where we process health, disability, medication, safeguarding or care-related information, we do so only where necessary and lawful.

We may process this information for:

  • the provision of health or social care;
  • care planning;
  • risk assessment;
  • safeguarding;
  • health and safety;
  • employment obligations;
  • occupational health purposes;
  • legal claims;
  • substantial public interest reasons;
  • protecting vital interests.

Access to special category data is restricted to authorised people who need it for their role.


7. How we use app and website data

If you use our website, app, portal or digital systems, we may collect and use data to:

  • create and manage user accounts;
  • authenticate users;
  • provide access to relevant services;
  • process forms and requests;
  • maintain security;
  • detect unauthorised access;
  • prevent misuse;
  • monitor system performance;
  • troubleshoot technical issues;
  • keep audit records;
  • improve digital services.

We do not sell your personal data.

We do not allow third parties to use your personal data for their own marketing unless you have given valid consent or the law allows it.


8. User account security

If you are given a username, password, access code or any other login credential, you must keep it confidential.

You must not:

  • share your login details with anyone else;
  • allow anyone else to use your account;
  • attempt to access another person’s account;
  • access personal data unless authorised;
  • copy, download or disclose personal data without permission;
  • use our systems for unlawful or unauthorised purposes.

We may suspend, disable or delete accounts where we believe there has been misuse, unauthorised access, a security risk, or a breach of this policy.


9. Confidentiality obligations

Clients, staff, healthcare assistants, contractors and authorised users must treat all personal data, care information and confidential information accessed through our systems or services as strictly confidential.

You must only access, use or disclose personal data where you are authorised to do so and where it is necessary for the proper use of our services or the proper performance of your duties.

You must take reasonable steps to protect personal data, including:

  • locking computers, phones and tablets when unattended;
  • using secure passwords;
  • not sharing login details;
  • avoiding viewing confidential information where others can see it;
  • securely storing paper records;
  • securely deleting information when no longer needed;
  • not saving personal data to unauthorised personal devices;
  • reporting suspected breaches immediately.

10. Who we share personal data with

We may share personal data where necessary and lawful with:

  • healthcare assistants and authorised staff;
  • family members, representatives or emergency contacts where appropriate;
  • healthcare professionals;
  • hospitals, GPs, social workers or other care professionals;
  • local authorities;
  • NHS bodies;
  • commissioners;
  • safeguarding authorities;
  • regulators;
  • payroll providers;
  • pension providers;
  • accountants and auditors;
  • banks and payment providers;
  • insurers;
  • IT, software, hosting and app providers;
  • recruitment agencies;
  • training providers;
  • background-check providers;
  • professional advisers;
  • courts, law enforcement or public authorities where legally required.

We only share the personal data that is necessary for the relevant purpose.

Where we use service providers, they must protect personal data and only process it in accordance with our instructions and applicable law.


11. International transfers

We aim to store and process personal data within the United Kingdom or the European Economic Area where possible.

If personal data is transferred outside the United Kingdom or European Economic Area, we will ensure that appropriate safeguards are in place. These may include:

  • adequacy regulations;
  • approved contractual clauses;
  • appropriate technical and organisational safeguards;
  • other lawful transfer mechanisms.

12. How long we retain personal data

We do not keep personal data for longer than necessary.

The length of time we keep personal data depends on:

  • the type of data;
  • why it was collected;
  • the nature of our relationship with you;
  • legal and regulatory requirements;
  • safeguarding obligations;
  • employment obligations;
  • tax and accounting obligations;
  • whether the data may be needed for complaints, disputes or legal claims.

Our standard retention periods are set out below.

Type of data | Retention period
Website contact form enquiries | Up to 12 months after the enquiry is resolved
General email enquiries | Up to 12 months after the enquiry is resolved
Client account records | Up to 7 years after the end of the service relationship
Care plans and care delivery records | Up to 7 years after the end of care, unless a longer period is required
Health, disability and medication records | Up to 7 years after the end of care, unless a longer period is required
Safeguarding records | Up to 7 years after closure, or longer where required for safeguarding, legal or regulatory reasons
Incident and accident records | Up to 7 years after closure
Complaint records | Up to 7 years after the complaint is closed
Billing, payment and invoice records | 6 years from the end of the relevant financial year
Employee and worker records | Up to 6 years after employment or engagement ends
Payroll, tax and pension records | 6 years from the end of the relevant financial year
Training and qualification records | Up to 6 years after employment or engagement ends, or longer if required for regulatory purposes
Recruitment records for unsuccessful applicants | Up to 12 months after the recruitment process ends
AccessNI, DBS or background-check records | Kept only for as long as necessary and in line with legal and regulatory requirements
User account records | For the life of the account, then up to 12 months after account closure unless needed for legal, security or regulatory reasons
App and portal usage logs | Usually between 6 months and 2 years
Security and audit logs | Usually between 6 months and 2 years, or longer if needed to investigate security incidents
Cookie consent records | Up to 12 months, unless refreshed sooner
Marketing consent records | Until consent is withdrawn or the data is no longer required
Suppression records | As long as necessary to ensure we do not contact people who have opted out
Legal claims and dispute records | Up to 7 years after the matter is resolved, or longer where legally required

When a retention period expires, we will securely delete, anonymise or archive the data where appropriate.

We may retain limited information for longer where necessary to:

  • comply with legal obligations;
  • comply with regulatory obligations;
  • protect vulnerable individuals;
  • manage safeguarding concerns;
  • resolve complaints;
  • prevent fraud;
  • investigate misuse;
  • establish, exercise or defend legal claims;
  • maintain tax, accounting or business records.

13. How personal data is deleted

When personal data is no longer required, we will delete, destroy, anonymise or securely archive it.

Deletion may include:

  • deleting electronic records from live systems;
  • anonymising records so they no longer identify an individual;
  • securely destroying paper records;
  • closing or removing user accounts;
  • removing access rights;
  • deleting files from operational systems;
  • instructing relevant service providers to delete data where appropriate.

Some deleted data may remain temporarily in encrypted backup systems. Backup data is not used for ordinary business purposes and is overwritten or deleted in line with our backup retention cycle.

Where immediate deletion is not technically possible, we will restrict access and ensure the data is not used for any new purpose.


14. How to request deletion of your data

You can ask us to delete your personal data at any time.

To request deletion, contact us at:

Email: dpo@mcareni.co.uk
Post: Data Protection Officer, MCare NI, Graham House, Knockbracken Healthcare Park, Saintfield Road, Belfast, Antrim, BT8 8BH
Telephone: 028 9070 3703

Please include enough information for us to identify you and the personal data you want deleted.

We may ask for proof of identity before processing your request.

We will respond to deletion requests within one month, unless the request is complex or we are legally allowed more time.

The right to deletion is not absolute. We may need to keep some personal data where we have a lawful reason, including where the data is required for:

  • care records;
  • safeguarding;
  • legal obligations;
  • regulatory obligations;
  • employment records;
  • tax or accounting records;
  • complaints;
  • fraud prevention;
  • system security;
  • legal claims.

If we cannot delete all of your data, we will explain why, unless the law prevents us from doing so.


15. How to close or delete an app or portal account

If you use an MCare NI app, client portal, staff portal or online account, you may request account deletion by contacting:

dpo@mcareni.co.uk

Please use the subject line:

Account deletion request

In your request, please include:

  • your full name;
  • the email address or phone number linked to the account;
  • whether you are a client, family member, representative, healthcare assistant, employee, contractor or applicant;
  • any details needed to identify the account.

When an account deletion request is approved, we will remove or disable account access and delete personal data that is no longer required.

Some information may still be retained where necessary for legal, regulatory, safeguarding, care, employment, accounting, security or dispute-resolution purposes.


16. Your data protection rights

Depending on the circumstances, you may have the following rights:

  • the right to be informed about how your personal data is used;
  • the right to access your personal data;
  • the right to correct inaccurate or incomplete data;
  • the right to request deletion of your personal data;
  • the right to restrict processing;
  • the right to object to certain processing;
  • the right to data portability;
  • the right to withdraw consent where processing is based on consent;
  • the right not to be subject to certain automated decisions.

To exercise your rights, contact:

dpo@mcareni.co.uk

We may ask for proof of identity before responding to a request.


17. Cookies and similar technologies

Our website may use cookies and similar technologies.

Cookies may be used to:

  • make the website work;
  • remember user preferences;
  • improve website performance;
  • understand how visitors use the website;
  • keep forms and accounts secure;
  • support analytics;
  • support security and fraud prevention.

Where required, we will ask for consent before using non-essential cookies.

You can control cookies through your browser settings or any cookie controls provided on our website.


18. Marketing communications

We may send marketing or service information where permitted by law.

You can opt out of marketing communications at any time by:

  • clicking the unsubscribe link in an email, where available;
  • contacting dpo@mcareni.co.uk;
  • contacting us by phone on 028 9070 3703.

We may still send important service, care, account, legal or safety communications even if you opt out of marketing.


19. Security measures

We use appropriate technical and organisational measures to protect personal data.

These may include:

  • access controls;
  • password protection;
  • authentication controls;
  • encryption where appropriate;
  • secure servers and hosting;
  • secure disposal procedures;
  • staff confidentiality obligations;
  • staff training;
  • audit logs;
  • system monitoring;
  • device security;
  • role-based access;
  • incident reporting procedures;
  • limiting access to personal data on a need-to-know basis.

No website, app, portal or electronic system is completely secure. However, we take reasonable steps to protect personal data and respond promptly to suspected security incidents.


20. Data breaches

If we become aware of a personal data breach, we will assess the risk and take appropriate action.

Where required by law, we will notify the Information Commissioner’s Office and affected individuals.

Users must notify us immediately if they become aware of:

  • unauthorised access to personal data;
  • accidental disclosure of personal data;
  • lost or stolen devices;
  • lost or stolen paper records;
  • misuse of login details;
  • suspected hacking;
  • suspected cyber incidents;
  • any other personal data breach.

Reports should be sent to:

dpo@mcareni.co.uk


21. Children and vulnerable individuals

Our services may involve personal data relating to vulnerable adults and, in limited circumstances, children.

We take additional care when handling information about vulnerable individuals.

We only process this data where necessary and lawful, including for:

  • care planning;
  • safeguarding;
  • health and safety;
  • service delivery;
  • communication with authorised representatives;
  • legal or regulatory obligations.

Where appropriate, we may share relevant information with family members, representatives, healthcare professionals, commissioners, safeguarding bodies or public authorities.


22. Acceptable use of our website, app and systems

You may only use our website, app, portal and systems for lawful and authorised purposes.

You must not:

  • use our systems unlawfully or fraudulently;
  • access personal data without authority;
  • share login details;
  • copy, download, photograph or disclose personal data without permission;
  • interfere with the operation or security of our systems;
  • upload viruses, malware or harmful code;
  • attempt to gain unauthorised access;
  • misuse care, health or confidential information;
  • harass, threaten, abuse or exploit other users;
  • use our systems in a way that may damage MCare NI, clients, staff, healthcare assistants or others.

We may suspend, restrict or terminate access where we believe a user has breached this policy or created a legal, security, safeguarding, operational or reputational risk.


23. Links to other websites

Our website or app may contain links to third-party websites.

We are not responsible for the privacy practices, security or content of third-party websites.

You should read the privacy policy of any third-party website before providing personal data to it.


24. Complaints

If you are unhappy with how we handle your personal data, please contact us first so we can try to resolve the issue.

Contact:

dpo@mcareni.co.uk

You also have the right to complain to the Information Commissioner’s Office.

Information Commissioner’s Office
Website: www.ico.org.uk
Telephone: 0303 123 1113


25. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

When we make changes, we will update the “last updated” date at the top of this page.

Where changes are significant, we may notify users by email, website notice, app notice or another appropriate method.

You should check this page regularly to make sure you understand how we handle personal data.


26. Contact details

For privacy questions, access requests, correction requests, deletion requests, complaints or data protection concerns, please contact:

Data Protection Officer / Privacy Contact
MCare NI
M CARE (NI) LTD
Graham House, Knockbracken Healthcare Park
Saintfield Road
Belfast
Antrim
BT8 8BH

Email: dpo@mcareni.co.uk
Telephone: 028 9070 3703
Website: www.mcareni.co.uk