What Is The Lawful Basis For Sharing Of Client Employee Data?
Best Companies is located in the United Kingdom (UK) and our processing will be conducted in line with UK data protection legislation as a minimum standard. Data protection legislation in many countries around the world has rules in place similar to the General Data Protection Regulation (GDPR), with rules and criteria for making the processing of data legitimate. All data needs to be processed fairly and lawfully. This means that data must be collected for specified, explicit and legitimate purposes, and not further processed in a way that is incompatible with those purposes.
Organisations are required to demonstrate that they are compliant and have appropriate policies and processes. This means demonstrating, through properly considered documentation, which lawful basis applies to each processing purpose and a justification for why you believe it applies. There is no standard form for this, as long as you ensure that what you record is sufficient to demonstrate that a lawful basis applies. Documenting will support compliance with accountability obligations.
To ensure transparency and fair processing for the individuals (data subjects) whose personal data is being processed, the Best Companies privacy notice explains why, what and how Best Companies uses the personal data. The notice is available at www.b.co.uk/privacy-notice. The individual is provided with multiple opportunities to view the privacy notice throughout the processing period.
What are the lawful bases for processing?
In UK data protection legislation, there are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. At least one of these must apply when processing personal data:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
If you wish, you can read the guide to the UK data protection legislation available on the Information Commissioner's Office (ICO) website.
Registration with the Information Commissioner’s Office (ICO)
Under the Data Protection (Charges and Information) Regulations 2018, individuals and organisations that process personal data need to register and pay a data protection fee to the Information Commissioner’s Office (ICO), unless they are exempt.
Best Companies Limited is registered with the ICO.
Registration Number: Z8349843
Data Collection and Sharing of Personal Data
Survey Responses: Survey responses provided directly to Best Companies by client employees do not become part of the client dataset. To allow the employees to answer honestly without risk of reprisal, Best Companies bears responsibility as data controller for this data.
b-Heard Survey - Lawful Basis, Legitimate Interest
Organisations that survey with Best Companies generally do so on the legal basis found in Article 6(1)(f) of the UK General Data Protection Regulation (GDPR): Legitimate Interest. The GDPR acknowledges that organisations may have a legitimate interest in processing data as long as the processing does not have a disproportionate impact on the individual.
An organisation has legitimate interests in processing the data in order to measure employee engagement, to inform the people strategy and to improve engagement. This is required to ensure that the organisation identifies areas to improve and is recognised as a good employer that looks after its employees. In turn, this will assist in retaining and attracting top talent, which will have been determined by a Legitimate Interests Assessment.
Where an organisation makes a balanced assessment of the lawful basis of legitimate interest against the impact on the individual, our services could be seen by employees as a reasonable way for their data to be processed for this purpose, and the organisation’s interests appear compelling, with little impact on the individual.
It is reasonable to determine that any organisation’s participation in Best Companies services would also directly benefit the employee (data subject). Promoting a culture of employee engagement makes for a better working environment and improves employee job satisfaction, and the employee may also benefit from increased organisation growth and the positive publicity that comes from being recognised as a “Best Company”.
Special Categories of Data
Those organisations that have a requirement to monitor diversity within their workplace (such as public authorities) may request to include our set of diversity questions. The organisation will need to identify both a lawful basis for general processing and an additional condition for processing this type of data and should document both to demonstrate compliance and accountability. This is because special category data is more sensitive, and, therefore, needs more protection. For example, information about an individual’s:
- Race
- Ethnic origin
- Politics
- Religion
- Trade union membership
- Genetics
- Biometrics (where used for ID purposes)
- Health; or
- Sexual orientation
The ICO has released guidance on special category conditions, which can be viewed on their website.
The special category data is collected directly from the individual (data subject). The individual is clearly informed at the point of the data collection that reporting data will be shared anonymously with their employer (our client) for monitoring diversity within their organisation.
The lawful condition that the majority of our UK clients rely upon for the above purpose is:
GDPR Article 9(2)(j) processing is necessary for statistical purposes in accordance with Article 89(1) based on law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject, on the basis of Data Protection Act 2018 Schedule 1, Part 2, s8 for the purpose of equality of opportunity or treatment.
MC³ - lawful basis, contractual
MC³ is intended as a development tool for organisations to reflect on what they are getting from their managers and the relationship with their team. MC³ should be used and considered as a resource, and when reviewing data, the organisation should also consider the wider context of the team. The purpose for MC³ is to help focus managers on those areas that will make them great people managers.
UK data protection legislation advises that you can carry out this type of decision-making when it is necessary for the lawful basis of performance of a contract. Therefore, where an organisation purchases MC³, the lawful basis for this processing activity is that processing is necessary for the performance of a contract to which the data subject (employee) is party. The organisation will have a contract of employment with the employee that MC³ is reporting on, which will include clauses on, or can reasonably refer to, one or more of the following:
- managing a team
- completing the job function to a certain standard; and/or
- personal development
On balance, Best Companies has reasonably determined that MC³ benefits the individual by identifying what they are good at and the areas they can focus on to improve. This level of insight will not only benefit the organisation for meaningful conversations, but can also really help the manager with their own personal development and in becoming a better manager.
The client hierarchy provided by the client will have been reviewed for accuracy by the client project manager(s), to ensure individuals are aligned correctly to the reporting manager. Managers will be asked to verify their reporting structure at the end of the survey. MC³ is an automated decision-making process; should an individual disagree with the results, we are able to review manually. We recommend that organisations actively inform their managers that they have purchased MC³ and how to make best use of the learning outcomes. To ensure anonymity, we require a minimum number of survey responses to provide MC³ reporting.
Best Companies - Compatible Processing
The compatible processing conducted by Best Companies as a separate controller will (as required) be conducted on the same lawful basis as the client’s lawful basis for processing. Recital 50 of the GDPR allows for the processing of personal data where the processing is compatible with the purposes for which the personal data were initially collected. Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered compatible, lawful processing operations.
In order to provide accurate and anonymous reporting to the client, Best Companies will conduct statistical analysis on the employee survey responses and benchmarking across other surveyed organisations nationwide and, where required, in sector, to provide the client with a Best Companies Index (BCI) Score. Best Companies will use the data to consider the client’s application for a Best Companies Accreditation and, where the organisation scores high enough and this is requested, it may be considered for a position on Best Companies Lists.
To ensure fair competition, where clients are applying for Accreditation and Lists, they are required to supply details of all employees. This is for every employee to receive a survey and have the opportunity to respond. Employee response to the survey is optional for every question.
Best Companies also conduct further statistical research through data analysis on the statistical data (demographics and survey responses). This data analysis involves a process of inspecting, cleansing, transforming, and modelling the statistical data with the goal of discovering new information, suggesting conclusions, and supporting decision-making.
Best Companies may conduct data analysis on behalf of third parties, such as organisations who want further insights and correlations in how the data collected compares with other organisations in their sector or nationally. Independent research, where conducted, may also be made publicly available.
All reports released or made publicly available are anonymous.