
Data Policy
Last Updated: January 20, 2026
This Data Policy explains how The Enchanté Network (operating as The Enchanté Network) (“TEN”, “we”) manages data across our programs, research, operations, and digital services. It complements our Privacy Policy and focuses on governance, quality, access, and responsible use.
Our goal is to use data to serve people—not to surveil them. We prioritize consent, clarity, and care.
Purpose and scope
This policy applies to:
Data collected via our website, forms, surveys, and digital tools.
Data created through programming, events, evaluation, and research.
Operational data (finance, HR, procurement) and communications data (email lists, CRM).
Data shared with us by partners or funders.
Core principles
Minimum necessary: collect only what’s needed.
Transparency: clear explanations of what we collect and why.
Consent and choice: meaningful participation and opt-outs where possible.
Equity and harm reduction: reduce risk for structurally excluded communities and avoid data practices that could enable discrimination.
Quality and integrity: maintain accurate, fit-for-purpose data.
Security by design: safeguard data throughout its lifecycle.
Accountability: clear roles, auditability, and continuous improvement.
Data classifications
We classify data by sensitivity to apply the right safeguards.
A. Public
Information intended for public release (e.g., published reports, web content).
B. Internal
Operational information not meant for public distribution (e.g., internal planning, non-sensitive metrics).
C. Confidential
Personal information and sensitive operational data (e.g., contact lists, contracts, invoices).
D. Highly sensitive
Information that could cause harm if misused or exposed, including:
Sensitive identity or lived-experience information (where collected).
Health-related information.
Safety/security-related information.
Information about minors.
Rule: Highly sensitive data requires explicit purpose justification, restricted access, and stronger security controls.
Data lifecycle management
A. Collection
Collect using secure, approved tools.
Provide privacy notices at the point of collection.
Where appropriate, use optional fields for sensitive questions and explain “why we ask.”
B. Storage
Store data in approved systems (e.g., Google Workspace/Microsoft 365, CRM, data warehouse) with access controls.
Avoid storing personal data on personal devices or in unmanaged spreadsheets.
C. Use
Use data only for stated purposes.
De-identify or aggregate whenever possible.
Use role-based access (least privilege).
D. Sharing
Share only what’s necessary.
Use agreements (e.g., data sharing agreements, NDAs) where appropriate.
Use secure transfer methods (encrypted links, access-controlled folders).
E. Retention and disposal
Define retention schedules by data type.
Dispose securely: delete from systems and backups where feasible, revoke links, purge exports.
Data quality standards
We aim for data that is usable, accurate, and respectful.
Minimum standards
Accuracy: routine checks and correction pathways.
Completeness: required fields only when necessary.
Consistency: standardized definitions and formats.
Timeliness: refresh cycles for dashboards and reports.
Documentation: clear data dictionaries and survey instruments.
De-identification, anonymization, and aggregation
When reporting or sharing insights, we prioritize:
Aggregated reporting.
Removal of direct identifiers (names, emails, phone numbers).
Reduction of indirect identifiers when small groups could be identifiable.
Research and evaluation data
When we collect data for research/evaluation:
Provide a clear participation statement (purpose, voluntary nature, risks, benefits).
Use consent language that is understandable.
Separate identity/contact info from response data where possible.
Ensure sensitive data is collected only with a clear justification and added safeguards.
AI, automation, and decision-making
If we use AI tools or automation:
We use them to support workflows (e.g., summarization, drafting), not to make high-stakes decisions about individuals.
We avoid using sensitive personal information as inputs unless explicitly approved and protected.
We document when AI-assisted outputs inform reporting.
Roles and responsibilities
A. Data Owner
Accountable for a dataset’s purpose, legality, and access decisions.
B. Data Steward
Responsible for day-to-day quality, documentation, and controls.
C. Data Users
Use data according to approved purposes and complete required training.
D. Privacy lead / DPO (if applicable)
Oversees privacy compliance, incident response, and data requests.
Access management
Access rules
Role-based access (least privilege).
Time-bound access for contractors.
Two-factor authentication where available.
No shared accounts.
Access requests
Requests should include:
Dataset needed
Purpose and intended outputs
Duration
Security plan
Approvals are documented.
Data sharing and third parties
We only engage vendors who meet reasonable privacy and security standards.
For external sharing, we use one or more of:
Data sharing agreement (DSA)
Confidentiality agreement
Vendor terms with privacy/security clauses
Incident response
A “data incident” includes suspected loss, unauthorized access, or exposure.
Steps
Contain: revoke access, disable links, isolate systems.
Assess: what happened, what data, who may be affected.
Notify: internal leadership, affected individuals where required, relevant regulators where applicable.
Recover: restore services, patch vulnerabilities.
Improve: document lessons learned and update controls.
Report incidents immediately to: info@enchantenetwork.ca.
Training and compliance
All staff/contractors with data access complete onboarding on privacy, security, and equity-informed data practices.
We review this policy at least annually.
Requests and complaints
For questions, data access/correction requests, or concerns:
Email: info@enchantenetwork.ca
Mailing address: Toronto, Ontario, Canada