The principles of managing confidential information at KTI
KTI Property Information Ltd is an independent research organisation with the main objective of providing information and analytics on the property market for the benefit of its clients as well as developing and improving transparency in the property investment market. The confidentiality of client data and information, independence and objectivity are core values of KTI.
To facilitate its services, KTI collects data on property investment portfolios and specific properties from its clients and data contributors. Protecting the confidentiality of the data provided by the contributors is a key priority for KTI. This document presents the principles according to which KTI manages the data, protects its integrity and maintains its information security.
1) Usage of data
KTI uses the data provided by its data contributors only according to what has been agreed and specified in the information service contract, i.e. for maintaining the property market information database and providing information services based on it. Under no circumstances will KTI disclose client specific information externally unless explicitly otherwise agreed with the data contributor.
2) Principles for calculating and presenting results and indicators
Maintaining the anonymity of individual property portfolios and properties is a fundamental principle of KTI and consequently it is not possible to identify specific property portfolios or individual properties in the results and property market indicators provided by KTI. Hence, KTI will only provide results and market indicators where the relevant dataset includes a sufficient number of data contributors and observations (such as properties or leases). A single data contributor cannot be dominant and exceed 60-70% of all assets / leases / other observations in the relevant market sector or segment.. The relevant confidentiality rules and calculation principles for different KTI services are presented in the service specific service descriptions.
KTI ensures that it is not possible to identify individual contributor’s data in reports or presentations provided by KTI. The reports and presentations maintain the anonymity of the data contributors unless otherwise has been specifically agreed among all data contributors.
3) Information management at KTI
All KTI employees are obliged to follow the information management procedures defined by KTI. The procedures emphasise the importance of safeguarding the confidentiality of the data provided by the data contributors in all circumstances. The procedure encompasses both hardware and software as well as the proper use of both; how to manage data electronically and otherwise as well as procedures on how to receive, manage, store and send data.
In running its business, KTI utilises subcontractors. In such circumstances, KTI uses contracts and guidelines to ensure that the subcontractors follow the KTI data management procedures. KTI maintains non-disclosure agreements with every subcontractor and their relevant employees according to the specific considerations for the relevant assignment. KTI is liable for the activities of its subcontractors as if they were its own.
4) IT infrastructure
Data provided by data contributors are only managed in secure network environments, predominantly internal networks managed and controlled by KTI. Data transfers between IT networks and environments are secured. Access to IT systems and specific data are managed by individual user rights requiring identification. This also defines and ensures correct access and permissions to the data for the individual user. KTI monitors the usage of the IT infrastructure to ensure proper use and functioning of the data systems..
In preparing for unexpected business disruptions KTI maintains a backup and recovery plan including procedures and guidelines for resuming and returning to normal business operations. The plan emphasises a rapid recovery of business-critical data and systems even in the event of a severe disruption.
KTI maintains and develops the IT security of its IT systems and infrastructure continuously. The level of required IT security is regularly verified in third-party audits. The most recent external audit was performed in 2010 and the next IT security audit is scheduled for 2018.
5) Management of personal data
To the extent a data contributor provides KTI with personal data to facilitate service delivery (for example to conduct rental customer satisfaction surveys), both parties are committed to act in accordance with relevant data protection legislation and to follow procedures for processing of personal data that are compliant with the EU’s General Data Protection Regulation (GDPR). Employees of KTI have been trained and will be kept up to date in the contents and principles of GDPR as well as on the consequent changes to information and data management processes and procedures at KTI. KTI will also require its subcontractors to comply with relevant regulatory duties and responsibilities regarding management and processing of personal data.
A data provider that provides KTI with personal data to facilitate service delivery as defined in an information service agreement is regarded as data controller from a data protection legislative perspective, whereas KTI is regarded as data processor, that processes personal data on behalf of the controller. KTI processes the data with the sole purpose of delivering a service as mutually agreed in advance and reflected in the information service delivery agreement. The principles of processing personal data are presented in more detail in KTI’s service delivery agreement and the appendices to the relevant service documentation.
A data contributor has the right to verify that KTI data management systems and services provided by KTI are in compliance with data protection legislation as well as other relevant legislation. KTI will provide additional information on its data management systems and services upon the request of the data contributor.
To the extent that KTI acts as data controller as defined by legislation on data protection and processing of personal data, KTI will comply with the duties and responsibilities of the data controller as defined by legislation on data protection and processing of personal data.