Last updated: 31/01/2020
Here at Best Companies we care about being transparent in how we use the personal data we receive. Please read our privacy notice below to understand what we do, and how we do it.
Who are Best Companies?
Hi, we are Best Companies, the workplace engagement people. Our primary purpose is to help make the world a better workplace. Employees truly engaged, are happier, more productive and more invested in an organisation’s success.
We provide the Best Companies Accreditation programme, which is the standard for workplace engagement. Accreditation tells your clients, partners, investors and employees that your organisation understands the importance of workplace engagement and genuinely values its people.
Best Companies is also the company that provides the research and data analysis, for The Sunday Times Best Companies to work for lists, with specific categories for small organisations, medium-sized organisations, large organisations and not-for-profit organisations.
We also publish other lists such as the Best Companies to work for regional lists and a list dedicated to housing associations.
The Best Companies Accreditation and Best Companies to work for Lists uses our academically developed Methodology. Our unique system looks for patterns, connections and correlations between employee responses, thus ensuring those that make a list or achieve a Best Companies Accreditation are truly worthy of being branded a Best Company.
Today we work with some of the world’s best-known organisations: measuring, improving and recognising great workplace engagement. Please visit our website at www.b.co.uk/about/ to find out more.
The below information outlines the processing we undertake.
The personal data we receive, directly from an individual completing a survey or from an organisation that we are providing a service to, or an enquiry from, will be used for the purposes outlined below.
We will never sell your personal data to anyone, ever.
Why and how do we collect information?
Our main purpose for holding your personal data is to provide the Organisation you work for with the tools and expertise that will enable your organisation to monitor engagement over time and improve. The features, services and websites we provide offer an accurate insight into the engagement levels within an organisation to assist them to monitor, meet and inform their people strategy needs.
We also conduct research with the goal of discovering useful information, informing conclusions, and supporting decision-making into better understanding of employee engagement. All research is conducted by Best Companies; we do not outsource our research to third parties.
Please watch the video in the link below to understand how we use the data we receive
We collect information through various ways. Below outlines, how we collect the information we hold:
Completing a b-Heard survey: The b-Heard survey can be received three ways, a) electronic survey (via email) b) paper survey c) login code (complete survey online by inserting a code). Your Employer will decide which type or combination of survey, best suits your organisation. Each survey is allocated to an individual, this is important as Best Companies needs to know who you are and where you sit in the organisation structure, so we can create meaningful insightful reports for your organisation. You will notice there is nowhere to write your name. This is because we want you to be able to answer the b-Heard survey honestly, and for your survey responses to remain anonymous to your employer. Therefore, we can identify you, but your employer cannot.
We will ask you a range of questions about your employer, your manager, the management team and in some cases information about you. This is in order for us to accurately measure your organisations overall engagement and generate a customised report for your organisation. It is important that you answer honestly, so that organisations receive a true reflection of their employee engagement stance. Data collected through a b-Heard survey will become part of the Best Companies Database. Survey responses do not become part of the Employers dataset, so we can ensure that the responses remain anonymous. The Diversity survey your organisation may ask us to include with the b-Heard survey is to assist your organisation with ensuring equality of opportunity or treatment within the organisation.
Requesting further information: If you request further information from us directly, through our website you will need to provide us with your email address. By providing your email address, you are consenting for us to contact you in order to respond to your enquiry. You may withdraw this consent at any time.
Businesses that use our Services: The services we supply to your employer requires them to provide certain personal data to us about you, in order for us to provide the services. Please read the information below to understand how we use the data we are provided to provision the services.
Best Companies Accounts: Your Employer will nominate personnel within the organisation or an external consultant to manage the process, review and access the reports, and provide additional information to allow Best Companies to provide the purchased services. Those individuals provided with Best Companies Accounts may include your organisation project manager(s), managers and/or your employers 3rd party consultants. The employer will determine who receives access to our website services such as The Dashboard, Workplace Insight Tool and MC3. In some of the websites, you may personalise your experience such as by uploading your photo. Where you choose to add content to your Best Companies account, this may be visible to others within your organisation where granted access and Best Companies employees where they have a requirement to access your account in order to provide the services. For our onsite applications, Best Companies is the Data Controller.
Feedback Surveys: We may contact individuals from time to time for feedback on the services we are providing, including Project Managers and your Awards Evening organisation contact. Please be aware that we may at times use a 3rd party survey platform in order to conduct anonymous feedback surveys. You may opt to identify yourself within the feedback survey; this is in order for us to respond to you directly in relation to the experience you have received.
Your Data, Your Rights: You have a right to be informed of personal data processed by Best Companies, a right to request rectification/correction, erasure and to object to the processing. You also have the right to request access to your personal data. We can only adhere to a request if we hold personal data about you and are able to identify you. In the event that your employer provided the information to us, they are the Data Controller and you will need to send your request to them directly. Due to the extent of the processing Best Companies conduct, Best Companies also becomes a Data Controller in their own right separately to your employer. We recognise your Employer as the main controller of data they have shared with us. Therefore we will only continue holding personal data on their instruction in relation to the services, which we only retain in the invested interest of the Employer for the provision of the services. The final decision on a request in relation to rectification, objection or deletion for any personal data that we store on behalf of your employer is with your employer who requested the services. Whilst your employer will consider a request, they may not be able to accept your request, where they require us to retain the data in their legitimate interest for the provision of the services. Where Best Companies has collected Personal Data directly from you such as through the b-Heard survey we are the Data Controller of this information. You also have the right to lodge a complaint with a supervisory authority.
Best Companies in association with The Sunday Times
Organisations that are successful in gaining a position on a Sunday Times Best Companies to work for List, Best Companies will as part of the List service process, provide the organisation PR contact and Project Manager(s) contact details to The Sunday Times. The names and contact details of the organisation representative are provided by the employer organisation within the organisation questionnaire, which is completed during survey setup by the organisation. This is required in order for The Sunday Times as a separate Data Controller, to confirm information where required in relation to The Sunday Times organisation profile; request organisation statements; and provide the opportunity for successful organisations to purchase additional awards, the Lists magazine, merchandise and licenses to use the Sunday Times Best Companies to Work for logo.
What information do we collect?
The b-Heard Survey Process
Where an employer or individual representing an entity has accepted our Terms of Service Agreement to receive the purchased service.
For all survey types, we require the first name, last name and a unique number/ payroll number of all your UK employees. This is to ensure data accuracy, quality control and fair processing.
When surveying by Paper or Login Code by Post, we require the final destination that the survey needs to be delivered to (Survey Delivery Location) e.g. head office, this will then be printed on the covering letter/Login Code by Post survey to assist with distribution.
Where employers opt for electronic survey delivery, we will require the employees email address. In line with best practice for security purposes, an electronic b-Heard survey (sent from [email protected]) email will be personalised to the employee, this is to assist in identifying a genuine email from Best Companies. We have also found there is a higher response rate when surveys are, personally addressed.
To get the most out of the reporting and your employer’s investment in our services we also require employers to provide demographics in advance; this saves the individual time in completing the survey and ensures data accuracy for the anonymous reports we create. These demographics include Employment Group, Manager Name, Job Grade, Date of Birth, Employment Start Date, Gender, Contracted Weekly Hours, Salary Band.
All details provided to us by your employer will remain hidden, as we do not need to request this information again from you. Information that we need you to complete will be displayed for you to fill in.
Where we receive an employment start date and date of birth, this is converted and saved as a banding as part of the processing. The individual date of birth entry is deleted from our systems on the release of the reports to your employer.
Anonymity is the biggest concern individuals have when they complete a b-heard survey. In order for voices to be heard and actions to be taken, we require you to answer your b-Heard survey truthfully. Incorrectly responding to a b-Heard survey, you are rendering the survey as useless and therefore the result meaningless. Please be assured your individual responses are never accessible by anyone associated with you or at your workplace. Please be assured we will always keep your survey responses confidential.
Where employers have a duty to monitor diversity levels, they may request that we include a diversity questionnaire alongside the b-Heard survey. Where this additional questionnaire has been requested, you may be asked to provide responses to questions that are deemed to be more sensitive to you e.g. race, religion, sexual identity, gender identity and disability. We will be the Data Controller of this data as we are for your responses to the questions on the b-Heard survey. Your individual survey responses will not form part of your employer’s dataset.
Diversity Reporting: Where the diversity questionnaire is used, we will provide your employer with a report of the total counts of each diversity field. In order to comply with the general equality duty, some organisations need to have an adequate evidence base for their decision-making. By collecting and using the equality information, we may work with organisations to create bespoke reporting (on request) to better understand the needs of staff from different protected groups and thereby improve the efficiency of the organisation.
Before you complete the diversity questionnaire, we will inform you that the information that we are about to collect is considered to be more sensitive and is to assist your employer in monitoring diversity levels for the purpose of equality of opportunity or treatment. Our research team will then use the collated diversity data responses, with the goal of discovering useful information, informing conclusions, and supporting decision-making into better understanding of equality.
Your individual responses will remain anonymous. This processing is conducted under the lawful basis of Article 6(f); the lawful condition of Article 9(2)(j) and in accordance with Article 89(1) of the GDPR.
At the end of the survey, you will be provided the opportunity to give direct feedback to your employer. We will not identify you with the feedback, however do take care not to identify yourself when providing feedback with these two comment boxes, these individual responses will be provided to your employer as anonymous feedback.
Our websites and cookies
We collect usage data, such as information collected by cookies (with your consent) about the Best Companies pages viewed, links clicked, and other actions taken when accessing our Website or Services; Activities, interactions, and other computer and connection information (such as IP address) relating to use of our Website and Services. This information is used to evaluate how users use our websites, and to compile statistical reports on activity for us. We will use this information to improve our websites, by making them more user-friendly, more valuable, and easier to use. Third-party analytics software will not share your personal data or associate your personal data with any other data held by them.
2Q Instant Insight Service
If you are an individual or your employer has registered for the 2Q Instant Insight, this is a separate service not covered by this privacy notice, please read the privacy notice for this service at https://2q.b.co.uk/
Our websites may contain links to other websites that are not owned or controlled by Best Companies. Please be aware that we are not responsible for the privacy practices of such other websites or third parties. We encourage you to be aware of when you leave our websites and also to read the privacy notices of each and every website that collects personal information.
We have implemented Google Analytics for tracking events, location and page hits that assist us in the improvement and optimisation of the analysis of data supplied via the Best Companies Platform for content enrichment, our marketing activities and lead generation purposes, including Google location API, and any necessary notices or consents for the collection and sharing of the data with Google.
Website registration and web forms
When you register to the website, you may be asked for personal information about yourself in order to register and/or download content. This information may include, but is not limited to, your name, the company you work for, your e-mail address and telephone number. By providing this information, you are consenting to us contacting you in relation to your request or enquiry. We will only collect information from you that is necessary for us to provide you with any services or assistance connected with your enquiry. If you would like more information on our services, do get in touch by completing our online enquiry form at https://www.b.co.uk/contact. You may withdraw your consent at any time.
Best Companies uses WorldPay a third-party service provider for managing credit card processing. WorldPay does not store, retain, or use Billing Information except for the purpose of credit card processing on Best Companies behalf.
At the Awards evening we will take images of winners of the awards and attendees at the event.
These images will be released into the public domain and used to promote the Awards Evenings and The Sunday Times Best Companies to work for lists by both Best Companies and The Sunday Times, they may also be used by organisations for them to promote their achievement.
We may also collect from you on the night of your Awards Evening, with your consent, your name, organisation name, and email address. This is in order to provide you with the images taken of you and your colleagues at the photo booth. The contact data collected on the Photo Nomination Voucher(s) will be retained by the photographer (the data processor), for a period of 3 months, to assist us with any enquiries and by Best Companies (the Data Controller) for a period of 12 months. You may withdraw your consent and ask us to remove your personal data from our systems at any time.
Our security statement and sub-processors
Best Companies is dedicated to protecting all personal data we receive in line with industry standards and best practise. All data is only accessible by authorised personnel and Best Companies employees who are all contractually subject to confidentiality. We take all reasonable steps to protect information we receive from you from loss, misuse or unauthorised access, disclosure, alteration, and/or destruction. We have put in place appropriate physical, technical, and administrative measures to safeguard and secure your information, and make use of privacy-enhancing technologies such as encryption. An external auditor conducts an annual vulnerability assessment and penetration test on our systems. We also continually monitor our security posture as part of our ongoing risk management strategy.
Best Companies has been independently verified and certified for Cyber Essentials Plus, which is a UK Government-backed cyber security certification scheme. We are also registered with the Information Commissioners Office. Our internal Data Protection Officer monitors our ongoing processing operations to ensure they are lawful and compliant with data protection laws and regulations, such as the UK Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulation (PECR). We view our compliance, as GDPR ready. We continue to focus on ongoing GDPR requirements, such as evaluating the data protection impact of new products and services on our users’ personal data, training employees about protecting the privacy of personal information. We have documented procedures for Incident Management and Data Subject Requests and have implemented appropriate company policies in order to protect the data we hold. We keep a record of our data processing activities as required under GDPR and where applicable, we have completed a legitimate interest’s assessment. Data Protection Impact Assessments (DPIAs) are created, when there is a material change or as dictated as a requirement under GDPR.
To provide the purchased services we use a select number of trusted external service providers. These third-party suppliers perform the particular functions described below and are considered sub-processors under applicable data protection laws (“Sub-processors”) for technical data analysis, processing and/or storage offerings. These service providers are carefully selected and meet high data protection and security standards. We only transfer information that is required for the services offered and we contractually bind them to keep any information we share with them as confidential and to process personal data only according to our instructions. The sub-processors, we use for the provision of the purchased services are situated within the United Kingdom and European Economic Area. Personal data is not transferred outside of these areas.
Best Companies sub-processors:
Microsoft Azure and SQL database (Location: United Kingdom) required to host our live websites and to store and process the site files and data.
Barracuda Networks (Location: United Kingdom) Data from our on-premise server cluster, is replicated securely to the Barracuda data centre to provide our offsite cloud backup.
Salesforce (Location: European Economic Area) used by Best Companies to maintain business operations, customer relationship management.
Mailgun Technologies (Location: Germany) required to manage our transactional email delivery to clients.
FreshWorks and FreshService (Location: European Economic Area) used by Best Companies to maintain business operations, and IT service management.
DataSend UK (Location: United Kingdom) A secure way to transfer large files or confidential information to Best Companies, which we may also use to transfer data at your request securely to an individual or organisation.
International transfers of personal data
European Union (“EU”) data protection rules apply to the European Economic Area (“EEA”), which includes all EU countries and the non-EU countries of Iceland, Liechtenstein and Norway. Best Companies is located in the United Kingdom, our Data Processors that are assisting us in processing personal data, are located within the UK and the EEA.
From the 31st January 2020, the United Kingdom (“UK”) is legally outside of the European Union but will remain within a transition period, until 31st December 2020, which requires the UK follow the same rules as an EU member state.
For our EEA clients, in preparation for a no deal scenario Brexit; in order to maintain the free flow of personal data into the UK, where required, please return a counter signed copy of the EU Standard Contractual Clauses agreement (which can be accessed here).
Lawful basis for the processing
The processing between Best Companies and your employer does not rely on consent, processing is completed under the legal basis found in Article 6(1)(f) of the GDPR in that the processing is necessary for the organisation’s legitimate interests. The employer has legitimate interests in sharing the data, for Best Companies to process, in order to: measure employee engagement in the organisation; to inform the people strategy; and to improve engagement in the workplace. Processing is required in order to; ensure that the organisation is a good employer; who are looking after their employees; being recognised as a ‘Best Company’ on gaining an Accreditation or place on the List(s); for the national PR should Client make the list; and retention and attraction of top talent. Best Companies and your Employer share personal data between our companies on the legal basis of Legitimate Interest.
The UK Information Commissioners Office acknowledges that companies may have a: “Legitimate interest in processing data as long as the processing does not have a disproportionate impact on the individual. On balance, the legal basis of legitimate interest against the individual impact: the services are reasonable, the company’s interests in the services appear compelling, and with there being little impact on the individual. The services are not considered high risk processing.
Best Companies processing for research purposes
Best Companies conducts additional research on the survey responses and demographical data under the lawful basis of Legitimate Interest as sole Data Controller, under the GDPR historical, scientific and statistical research is deemed compatible processing. This processing is required for:
To the extent possible all data provided to our Research and Data Insight teams for the above research purposes is pseudo-anonymised.
Information regarding our MC³ Product
MC³ is intended as a development tool for organisations to reflect on what they are getting from their managers and their relationship with their team. MC³ should be used and considered as a resource, and when reviewing data, the organisation should consider the wider context of the team. The purpose for MC3 is to help focus managers on those areas that will make them great people-managers.
The UK Data Protection Act 2018, which includes the General Data Protection Regulation, advises that you can carry out this type of decision-making when it is necessary for the lawful basis of performance of a contract. Therefore, where your organisation purchases the MC3 product, the lawful basis of this product is Article 6(1)(b), where processing is necessary for the performance of a contract, to which the data subject (employee) is party. Your organisation will have a contract of employment with the employee that MC³ is reporting on, which will include clauses, or can reasonably refer to one or more of the following:
On balance, we have reasonably determined that MC³ benefits the individual by identifying what they are good at, and it identifies areas where they can focus on to improve. This level of insight will not only benefit the organisation for meaningful conversations, but it can also really help the manager with their own personal development and becoming a better manager.
Your project manager within the organisation, to ensure individuals are aligned correctly to the reporting manager, will have reviewed the organisation hierarchy provided by the organisation for accuracy. Managers will be asked to verify their reporting structure at the end of the survey. MC³ is an automated decision-making process, should an individual disagree with the results, we are able to review manually. We recommend that organisations actively inform their managers that they have purchased the MC³ product and how to make best use of the learning outcomes. For further information on MC³ please view the Best Companies website at https://www.b.co.uk/products/mc3/.
We require a minimum number of survey responses, in order to provide MC3 reporting to ensure anonymity.
Employers have an invested interest for us to retain personal data for up to three years after the end of the survey year. Should an employer go through an organisation restructure or require further insight from the data, we can restructure the personal data held from the previous year(s) participation, in order to correlate the reports from the newest b-heard survey. Following an organisation restructure, employers have a real need to understand the impact it has made on their employees. The ability to be able to alter the reporting to reflect the new organisation structure provides organisations with valuable data that reflects the true position of the organisation against those previous years surveyed.
We only continue to retain the personal data after the provision of services for the benefit of the employer. An employer can make a written request, at any time after the provision of services for us to delete the personal data we are holding on their behalf, should they no longer require us to retain the personal data. We delete personal data through an anonymisation process. We retain demographics and employee responses indefinitely to continue our research into employee engagement. To ensure fairness and transparency to the Employee, we would not accept a request to extend the max retention period.
We use a process of anonymisation at the end of the retention period or earlier upon written request from the employer. Anonymisation means we delete the personal identifiers, therefore anonymising the remaining statistical data for our continued research. This is in line with the Information Commissioners Office (ICO) Anonymisation code of practice. The employee responses, which are attached to employee demographical data, are not removed; this would result in the inability to perform any future engagement reporting. This would also similarly affect benchmark data and where organisations are being assessed for Accreditation and a position on our List(s). The Data Protection Act and General Data Protection Regulation (GDPR) does not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.
We retain the statistical data for our continued research with the goal of discovering useful information, informing conclusions, and supporting decision-making into better understanding of employee engagement. Once anonymisation has been completed, we are unable to reverse this process.
Best Companies uses a third-party service provider for managing credit card processing. The service provider does not store, retain, or use billing information except for the purpose of credit card processing on the Company’s behalf.
Best Companies reserves the right to use or disclose information provided if required by law or if the Company reasonably believes that use or disclosure is necessary to protect the Company’s rights and/or to comply with a judicial proceeding, court order, or legal process. We will ensure the confidentiality of all survey responses, unless we are required to reveal them in exceptional circumstances (in which case we will maintain as high a level of confidentiality as possible in those circumstances) or as required by law.
Privacy Notice Changes
Best Companies may make changes to this privacy notice to align with our operations and evolving laws. If we make changes to this privacy notice, we will post those changes here and in other appropriate places. We reserve the right to modify this privacy notice at any time, so please review it regularly. If we make significant changes, we will notify you here, or by other reasonable means. This privacy notice is currently only available in English. In the event non-English translations of this privacy notice are provided, it is done so for convenience only. In the event of any ambiguity or conflict between translations, the English version shall always take precedence.
If you have a question about this privacy notice, or if you want to contact us regarding your individual rights, you can e-mail your request to [email protected], or write to:
The Data Protection Officer
Best Companies Ltd
Please allow up to 72 hours for a response.