Tier 4 · Deploy & answer4.315 min

te Tiriti and Māori data

Looking up through a nīkau palm canopy, sunlight coming through the frondsAgents at Work — CC BY 4.0

The last lesson listed, among the Privacy Commissioner’s expectations, one line that is easy to read past and shouldn’t be: engage Māori about the risks to the taonga of their information. It sits in the guidance next to “do a privacy impact assessment” and “keep a human in the loop” — but it isn’t the same kind of item, and treating it as a box to tick is the mistake this lesson exists to prevent.

Why this is a distinct obligation — of relationship and te Tiriti, not only privacy

Ordinary privacy law asks: is this person’s information handled lawfully and securely? That question matters, and it doesn’t cover this one. The te Tiriti frame asks something the privacy principles don’t: who holds authority over this information, and by what right?

For Māori data — information about or belonging to Māori individuals, whānau, hapū and iwi — the principle is that it sits under Māori governance. It is often taonga: something held, with obligations, not simply owned as a commodity to be processed. That’s a question of authority and relationship, not just security. An agent can handle Māori data with perfect technical security and still be wrong, because the question was never only “is it safe?” — it was “whose call was it to use this at all?”

What an agent makes worse

Everything that made agents raise the stakes in Tier 1 lands hard here. An agent acts unwatched and it reaches data on its own. So the specific danger is an agent that, by default and without anyone deciding it, quietly ingests information about Māori — sends it offshore to a public model, holds it, scores on it — because it could, and no one stopped to ask whether it should. That is precisely the kind of decision that shouldn’t be made by a default setting at 2am.

What this means in practice

This is Anchor 3 and Anchor 4 meeting: keeping the work good, and making sure it serves — not overrides — the people it belongs to. For a business that takes sovereignty seriously, this isn’t a compliance overhead grafted on at the end. It’s part of what the business is for.

This lesson states a principle and an obligation; it is general education, not legal advice, and not a substitute for engaging directly with the communities whose data is in question. Māori data sovereignty is a live and developing field — treat the specifics as something to get right with the right people, not to take from a course page.

Think of an agent you’d build that might, even incidentally, touch information about Māori. Who would you need to talk to before it ran — and is that a conversation you’ve started, or one the tool’s convenience is quietly skipping?

Next

The whole tier has circled one point: there’s always a person on the other side of the agent. The last lesson makes that explicit — your duties to the people your agent processes — and hands you the one-pager written for them.

Marking this lesson complete saves your progress on this device — no account, no tracking.

Shared freely, in good faith. If it's been of value, a koha toward development and running costs is warmly welcomed.

Leave a koha →

Useful? Share this lesson with a colleague.