Last updated: 11/04/2019
Here at Best Companies we care about being transparent in how we use the personal data we receive. Please read our privacy notice below to understand what we do, and how we do it.
Who are Best Companies?
Hi, we are Best Companies, the workplace engagement people. Our primary purpose is to help make the world a better workplace. When employees are truly engaged, they are happier, more productive and more invested in an organisation’s success.
We provide the Best Companies Accreditation programme, which is the standard for workplace engagement. Accreditation tells your clients, partners, investors and employees that your organisation understands the importance of workplace engagement and genuinely values its people.
Best Companies is also the company that provides the research and data analysis for The Sunday Times Best Companies to work for lists, with specific categories for small organisations, medium-sized organisations, large organisations and not-for-profit organisations.
We also publish other lists such as the Best Companies to work for regional lists and a list dedicated to housing associations.
The Best Companies Accreditation and The Sunday Times Best Companies to work for Lists use our academically developed Methodology. This unique system looks for patterns, connections and correlations between employee responses, thus ensuring those that make a list or achieve a Best Companies Accreditation are truly worthy of being branded a Best Company.
Today we work with some of the world’s best-known organisations: measuring, improving and recognising great workplace engagement. Please visit our website at www.b.co.uk/about/ to find out more.
The below information outlines the processing we undertake.
The personal data we receive, directly from an individual completing a survey or from an organisation that we are providing a service to, or an enquiry from, will be used for the purposes outlined below.
We will never sell your personal data to anyone, ever.
Why and how do we collect information?
Our main purpose for holding your personal data is to provide the Organisation you work for with the tools and expertise that will enable your organisation to monitor engagement over time and improve. The features, services and websites we provide offer an accurate insight into the engagement levels within an organisation to assist them to monitor, meet and inform their people strategy needs.
We also conduct research with the goal of discovering useful information, informing conclusions, and supporting decision-making into better understanding of employee engagement. All research is conducted by Best Companies; we do not outsource our research to third parties.
Please watch the video in the link below to understand how we use the data we receive
We collect information in various ways. The following outlines how we collect the information we hold:
Completing a b-Heard survey: The b-Heard survey can be received in three ways: a) electronic survey (via email), b) paper survey, c) login code (complete survey online by inserting a code). Your Employer will decide which type or combination of survey best suits your organisation. Each survey is allocated to an individual. This is important as Best Companies needs to know who you are and where you sit in the organisation structure so we can create meaningful, insightful reports for your organisation. You will notice there is nowhere to write your name. This is because we want you to be able to answer the b-Heard survey honestly, and for your survey responses to remain anonymous to your employer. Therefore, we can identify you, but your employer cannot.
We will ask you a range of questions about your employer, your manager and the management team and in some cases information about you. This is in order for us to accurately measure your organisation’s overall engagement and generate customised reports for your organisation. It is important that you answer honestly, so that organisations receive a true reflection of their employee engagement stance. Data collected through a b-Heard survey will become part of the Best Companies Database. Survey responses do not become part of the Employer’s dataset, so we can ensure that the responses remain anonymous. The Diversity survey your organisation may ask us to include with the b-Heard survey is to assist your organisation with ensuring equality of opportunity or treatment within the organisation.
Requesting further information: If you request further information from us directly through our website, you will need to provide us with your email address. By providing your email address, you are consenting for us to contact you in order to respond to your enquiry. You may withdraw this consent at any time.
Businesses that use our Services: The services we supply to your employer require them to provide certain personal data to us about you, in order for us to provide the services. Please read the information below to understand how we use the data we are provided with to provision the services.
Best Companies Accounts: Your Employer will nominate personnel within the organisation or an external consultant to manage the process, review and access the reports, and provide additional information to allow Best Companies to provide the purchased services. Those individuals provided with Best Companies Accounts may include your organisation project manager(s), managers and/or your employer’s 3rd party consultants. The employer will determine who receives access to our website services such as The Dashboard, Workplace Insight Tool and MC³. In some of the websites, you may personalise your experience such as by uploading your photo. Anything you choose to add to your Best Companies account may be visible to others within your organisation where granted access and Best Companies employees where they have a requirement to access your account in order to provide the services. For our onsite applications Best Companies are the Data Controller.
Feedback Surveys: We may contact individuals from time to time for feedback on the services we are providing, including the Sunday Times Best Companies Awards Evening organisation contact. Please be aware that we may at times use a 3rd party survey platform in order to conduct anonymous feedback surveys. You may opt to identify yourself within the feedback survey; this is in order for us to respond to you directly in relation to the experience you have received.
Your Data, Your Rights: You have a right to be informed of personal data processed by Best Companies, a right to request rectification/correction, erasure and to object to the processing. You also have the right to request access to your personal data. We can only adhere to a request if we hold personal data about you and are able to identify you. In the event that your employer provided the information to us, they are the Data Controller and you will need to send your request to them directly. Due to the extent of the processing Best Companies conduct, Best Companies also becomes a Data Controller in their own right separately to the employer organisation. The Employer is the main Controller and we will only continue holding personal data on their instruction in relation to the services, which is in the invested interest of the Employer who has purchased the services. Please be aware where your employer has provided us with personal data for the provision of services, the final decision on a request in relation to rectification, objection or deletion for any personal data that we store on behalf of your employer is with your employer who has purchased the services. Whilst your employer will consider a request they may not on every occasion be able to accept your request, where they require us to retain the data in their legitimate interest for the provision of the services. Where Best Companies has collected Personal Data directly from you such as through the b-Heard survey we are the Data Controller of this information. You also have the right to lodge a complaint with a supervisory authority.
Best Companies in association with The Sunday Times
For organisations that are successful in gaining a position on a Sunday Times Best Companies to work for List, Best Companies will, as part of the List service process, provide the organisation PR contact and Project Manager(s) contact details to The Sunday Times. The names and contact details of the organisation representative are provided by the employer organisation within the organisation questionnaire, which is completed during survey setup by the organisation. This is required in order for The Sunday Times, as a separate Data Controller of this data, to confirm information where required in relation to The Sunday Times organisation profile; request organisation statements; and provide the opportunity for successful organisations to purchase additional awards, the Lists magazine, merchandise and licenses to use the Sunday Times Best Companies to Work for logo.
What information do we collect?
The b-Heard Survey Process
Where an employer or individual representing an entity has accepted our Terms of Service Agreement to receive the purchased service.
For all survey types, we require the first name, last name and a unique number/ payroll number of all your UK employees. This is to ensure data accuracy, quality control and fair processing.
When surveying by Paper or Login Code by Post, we require the final destination that the survey needs to be delivered to (Survey Delivery Location) e.g. head office, this will then be printed on the covering letter/Login Code by Post survey to assist with distribution.
Where employers opt for electronic survey delivery, we will require the employee’s email address. In line with best practice for security purposes, an electronic b-Heard survey (sent from [email protected]) email will be personalised to the employee; this is to assist in identifying a genuine email from Best Companies. We have also found there is a higher response rate when surveys are personally addressed.
To get the most out of the reporting and your employer’s investment in our services we also require employers to provide demographics in advance; this saves the individual time in completing the survey and ensures data accuracy for the anonymous reports we create. These demographics include Employment Group, Manager Name, Job Grade, Date of Birth, Employment Start Date, Gender, Contracted Weekly Hours, Salary Band.
All details provided to us by your employer will remain hidden, as we do not need to request this information. Any remaining information that we need you to complete will be displayed for you to fill in.
Where we collect your employment start date and date of birth, this is converted and saved as a banding as part of the processing. The individual date or year of birth entry is deleted from our systems on the release of the reports to your employer.
Anonymity is the biggest concern individuals have when they complete a b-Heard survey. In order for voices to be heard and actions to be taken, we require you to answer your b-Heard survey truthfully. By responding incorrectly to a b-Heard survey, you render the survey useless and therefore the result meaningless. Please be assured your individual responses are never accessible by anyone associated with you or at your workplace. Please be assured we will always keep your survey responses confidential.
At the end of the survey, you will be provided the opportunity to give direct feedback to your employer. We will not identify you with the feedback; however, do take care not to identify yourself when providing feedback with these two comment boxes, as these individual responses will be provided to your employer as anonymous feedback.
Where employers have a duty to monitor diversity levels within the organisation, they may request us to conduct a Diversity questionnaire alongside the b-Heard survey. Where your employer has selected for employees to take part in our diversity questionnaire, this will involve you providing responses that are referred to as Special Categories of Data. We will be the Data Controller of this data and will only report to the Employer the total counts of each diversity field of the responses we receive. Your individual responses will remain anonymous. This processing is conducted under the lawful basis of Article 6(f); the lawful condition of Article 9(2)(j) and in accordance with Article 89(1) of the GDPR.
Before you complete the diversity questionnaire, we will inform you we are now collecting information that is considered more sensitive, to assist your employer in monitoring diversity levels for the purpose of equality of opportunity or treatment.
Our websites and cookies
We collect usage data, such as information collected by cookies (with your consent) about the Best Companies pages viewed, links clicked, and other actions taken when accessing our Website or Services; Activities, interactions, and other computer and connection information (such as IP address) relating to use of our Website and Services. This information is used to evaluate how users use our websites, and to compile statistical reports on activity for us. We will use this information to improve our websites, by making them more user-friendly, more valuable, and easier to use. Third-party analytics software will not share your personal data or associate your personal data with any other data held by them.
2Q Instant Insight Service
If you are an individual or your employer has registered for the 2Q Instant Insight, this is a separate service not covered by this privacy notice. Please read the privacy notice for this service at https://2q.b.co.uk/
Links to third party sites
Our websites may contain links to other websites that are not owned or controlled by Best Companies. Please be aware that we are not responsible for the privacy practices of such other websites or third parties. We encourage you to be aware of when you leave our websites and also to read the privacy notices of each and every website that collects personal information.
Website registration and web forms
When you register to the website, you may be asked for personal information about yourself in order to register and/or download content. This information may include, but is not limited to, your name, the company you work for, your e-mail address and telephone number. By providing this information, you are consenting to us contacting you in relation to your request or enquiry. We will only collect information from you that is necessary for us to provide you with any services or assistance connected with your enquiry. If you would like more information on our services, do get in touch by completing our online enquiry form at https://www.b.co.uk/contact. You may withdraw your consent at any time.
Best Companies uses WorldPay, a third-party service provider, for managing credit card processing. WorldPay does not store, retain, or use Billing Information except for the purpose of credit card processing on Best Companies’ behalf.
At the Awards evening we will take images of winners of the awards and attendees at the event.
These images will be released into the public domain and used to promote the Awards Evenings and The Sunday Times Best Companies to work for lists by both Best Companies and The Sunday Times. They may also be used by organisations to promote their achievement.
We may also collect from you on the night of your Awards Evening, with your consent, your name, organisation name, and email address. This is in order to provide you with the images taken of you and your colleagues at the photo booth. The contact data collected on the Photo Nomination Voucher(s) will be retained by the photographer (the data processor), for a period of 3 months, to assist us with any enquiries and by Best Companies (the Data Controller) for a period of 12 months. You may withdraw your consent and ask us to remove your personal data from our systems at any time.
Our Security Statement and Processors
Best Companies is dedicated to protecting all personal data we receive in line with industry standards and best practice. All data is only accessible by authorised personnel and Best Companies employees who are all contractually subject to confidentiality. We take all reasonable steps to protect information we receive from you from loss, misuse or unauthorised access, disclosure, alteration, and/or destruction. We have put in place appropriate physical, technical, and administrative measures to safeguard and secure your information, and make use of privacy-enhancing technologies such as encryption. An external auditor conducts an annual vulnerability assessment and penetration test on our systems. We also continually monitor our security posture as part of our ongoing risk management strategy.
Best Companies has been independently verified and certified for Cyber Essentials Plus, which is a UK Government-backed cyber security certification scheme. We are also registered with the Information Commissioner’s Office. Our internal Data Protection Officer monitors our ongoing processing operations to ensure they are lawful and compliant with data protection laws and regulations, such as the UK Data Protection Act 2018, the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulation (PECR). We view our compliance as GDPR ready. We continue to focus on ongoing GDPR requirements, such as evaluating the data protection impact of new products and services on our users’ personal data, and training employees about protecting the privacy of personal information. We have documented procedures for Incident Management and Data Subject Requests, and have implemented appropriate company policies in order to protect the data we hold. We keep a record of our data processing activities as required under GDPR and where applicable complete a legitimate interests assessment. Data Protection Impact Assessments (DPIAs) are created when there is a material change or as dictated as a requirement under GDPR.
To provide the purchased services we use a select number of trusted external service providers (known as Data Processors) for technical data analysis, processing and/or storage offerings. These service providers are carefully selected and meet high data protection and security standards. We only transfer information that is required for the services offered and we contractually bind them to keep any information we share with them as confidential and to process personal data only according to our instructions. The data processors we use for the provision of the purchased services are situated within the United Kingdom and European Economic Area, and data is not transferred outside of these areas. We will continue to monitor new guidance on best practice, GDPR certification and the UK Data Protection Act as they become available.
Our service providers include:
Microsoft Azure and SQL database (Location: United Kingdom) required to host our live websites and to store and process the site files and data.
Barracuda Networks (Location: United Kingdom) Data from our on-premise server cluster is replicated securely to the Barracuda data centre to provide our offsite cloud backup.
Salesforce (Location: European Economic Area) used by Best Companies to maintain business operations, customer relationship management.
FreshWorks and FreshService (Location: European Economic Area) used by Best Companies to maintain business operations, and IT service management.
DataSend UK (Location: United Kingdom) A secure way to transfer large files or confidential information to Best Companies, which we may also use to transfer data at your request securely to an individual or organisation.
Google Analytics: for tracking events, location and page hits that assist us in the improvement and optimisation of the analysis of data supplied via the Best Companies Platform for content enrichment, our marketing activities and lead generation purposes, including Google location API
International transfers of personal data
EU data protection rules apply to the European Economic Area (“EEA”), which includes all EU countries and the non-EU countries of Iceland, Liechtenstein and Norway. Best Companies is located in the United Kingdom. Our Data Processors, which are assisting us in processing personal data, are located within the UK and the EEA.
The United Kingdom is set to leave the European Union on the 31st of October 2019. Where there is a requirement by our EU clients, to make a restricted transfer of EEA personal data, we will ensure the transfer of personal data will remain protected. Where the EU Commission has not made a full finding of an adequacy decision regarding the United Kingdom, Best Companies will agree to the EU Standard Contractual Clauses, where the UK has left the European Union.
Lawful basis for the processing
The processing between Best Companies and your employer does not rely on consent, but is being done with the legal basis found in Article 6(1)(f) of the GDPR in that the processing is necessary for the organisation’s legitimate interests. The employer has legitimate interests in sharing the data, for Best Companies to process, in order to: measure employee engagement in the organisation; to inform the people strategy; and to improve engagement in the workplace. Processing is required in order to: ensure that the organisation is a good employer that is looking after its employees; be recognised as a ‘Best Company’ on gaining an Accreditation or place on the List(s); support national PR should the Client make the list; and retain and attract top talent. Best Companies and your Employer share personal data between our companies on the legal basis of Legitimate Interest.
The UK Information Commissioner’s Office acknowledges that companies may have a: “Legitimate interest in processing data as long as the processing does not have a disproportionate impact on the individual.” On balance, the legal basis of legitimate interest against the individual impact: the services are reasonable, the company’s interests in the services appear compelling, and with there being little impact on the individual (services are not considered high risk processing).
Best Companies processing for research purposes
Best Companies conducts additional research on the survey responses and demographical data under the lawful basis of Legitimate Interest as sole Data Controller; under the GDPR, historical, scientific and statistical research is deemed compatible processing. This processing is required for:
To the extent possible all data provided to our Research and Data Insight teams for the above research purposes is pseudo-anonymised.
Information regarding our MC³ Product
MC³ is intended as a development tool for organisations to reflect on what they are getting from their managers and their relationship with their team. MC³ should be used and considered as a resource, and when reviewing data the organisation should also consider the wider context of the team. The purpose for MC3 is to help focus managers on those areas that will make them great people-managers.
The UK Data Protection Act 2018, which includes the General Data Protection Regulation, advises that you can carry out this type of decision-making when it is necessary for the lawful basis of performance of a contract. Therefore where your organisation purchases the MC3 product, the lawful basis of this product is Article 6(1)(b), where processing is necessary for the performance of a contract to which the data subject (employee) is party. Your organisation will have a contract of employment with the employee that MC³ is reporting on, which will include clauses, or can reasonably refer to one or more of the following:
On balance, we have reasonably determined that MC³ benefits the individual by identifying what they are good at, and it identifies areas where they can focus on to improve. This level of insight will not only benefit the organisation for meaningful conversations, but it can also really help the manager with their own personal development and becoming a better manager.
The organisation hierarchy provided by the organisation will have been reviewed for accuracy by your project manager(s) within the organisation, to ensure individuals are aligned correctly to the reporting manager. Managers will be asked to verify their reporting structure at the end of the survey. MC³ is an automated decision making process; should an individual disagree with the results, we are able to review manually. We recommend that organisations actively inform their managers that they have purchased the MC³ product and how to make best use of the learning outcomes. For further information on MC³ please view the Best Companies website at https://www.b.co.uk/products/mc3/.
To ensure anonymity, we require a minimum number of survey responses in order to provide MC³ reporting.
Employers have an invested interest for us to retain personal data for up to three years after the end of the survey year. Should an employer go through an organisation restructure or require further insight from the data, we can restructure the personal data held from the previous year(s) participation, in order to correlate the reports from the newest b-heard survey. Following an organisation restructure, employers have a real need to understand the impact it has made on their employees. The ability to be able to alter the reporting to reflect the new organisation structure provides organisations with valuable data that reflects the true position of the organisation against those previous years surveyed.
We only continue to retain the personal data after the provision of services for the benefit of the employer. An employer can make a written request, at any time after the provision of services, for us to delete the personal data we are holding on their behalf, should they no longer require us to retain the personal data. We delete personal data through an anonymisation process. We retain demographics and employee responses indefinitely to continue our research into employee engagement. To ensure fairness and transparency to the Employee, we would not accept a request to extend the maximum retention period.
We use a process of anonymisation at the end of the retention period or earlier upon written request from the employer. Anonymisation means we delete the personal identifiers, therefore anonymising the remaining statistical data for our continued research. This is in line with the Information Commissioner’s Office (ICO) Anonymisation code of practice. The employee responses, which are attached to employee demographical data, are not removed; this would result in the inability to perform any future engagement reporting. This would also similarly affect benchmark data and where organisations are being assessed for Accreditation and a position on our List(s). The Data Protection Act and General Data Protection Regulation (GDPR) do not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.
We retain the statistical data for our continued research with the goal of discovering useful information, informing conclusions, and supporting decision-making into better understanding of employee engagement. Once anonymisation has been completed, we are unable to reverse this process.
Best Companies uses a third-party service provider for managing credit card processing. The service provider does not store, retain, or use billing information except for the purpose of credit card processing on the Company’s behalf.
Best Companies reserves the right to use or disclose information provided if required by law or if the Company reasonably believes that use or disclosure is necessary to protect the Company’s rights and/or to comply with a judicial proceeding, court order, or legal process. We will ensure the confidentiality of all survey responses, unless we are required to reveal them in exceptional circumstances (in which case we will maintain as high a level of confidentiality as possible in those circumstances) or as required by law.
Privacy Notice Changes
Best Companies may make changes to this privacy notice to align with our operations and evolving laws. If we make changes to this privacy notice, we will post those changes here and in other appropriate places. We reserve the right to modify this privacy notice at any time, so please review it regularly. If we make significant changes, we will notify you here, or by other reasonable means. This privacy notice is currently only available in English. In the event non-English translations of this privacy notice are provided, it is done so for convenience only. In the event of any ambiguity or conflict between translations, the English version shall always take precedence.
If you have a question about this privacy notice, or if you want to contact us regarding your individual rights, you can write or e-mail your request, marked for the attention of the Data Protection Officer to:
The Data Protection Officer
Best Companies Ltd
E-mail: [email protected]
Please allow up to 72 hours for a response.