te Tiriti and Māori data
Agents at Work — CC BY 4.0
The last lesson listed, among the Privacy Commissioner’s expectations, one line that is easy to read past and shouldn’t be: engage Māori about the risks to the taonga of their information. It sits in the guidance next to “do a privacy impact assessment” and “keep a human in the loop” — but it isn’t the same kind of item, and treating it as a box to tick is the mistake this lesson exists to prevent.
Why this is a distinct obligation — of relationship and te Tiriti, not only privacy
Ordinary privacy law asks: is this person’s information handled lawfully and securely? That question matters, and it doesn’t cover this one. The te Tiriti frame asks something the privacy principles don’t: who holds authority over this information, and by what right?
For Māori data — information about or belonging to Māori individuals, whānau, hapū and iwi — the principle is that it sits under Māori governance. It is often taonga: something held, with obligations, not simply owned as a commodity to be processed. That’s a question of authority and relationship, not just security. An agent can handle Māori data with perfect technical security and still be wrong, because the question was never only “is it safe?” — it was “whose call was it to use this at all?”
What an agent makes worse
Everything that made agents raise the stakes in Tier 1 lands hard here. An agent acts unwatched and it reaches data on its own. So the specific danger is an agent that, by default and without anyone deciding it, quietly ingests information about Māori — sends it offshore to a public model, holds it, scores on it — because it could, and no one stopped to ask whether it should. That is precisely the kind of decision that shouldn’t be made by a default setting at 2am.
What this means in practice
- It’s a conversation, not a solo call. If an agent would touch information about or belonging to Māori, that’s a decision to make with the people it belongs to, about what appropriate use looks like — not one to settle quietly on your own because the tool is capable of it. This is the “whose call?” from the data question, with a clear answer.
- Custody is part of the answer. This is where the sovereign option (Tier 3) stops being a preference and becomes a way of honouring the obligation: keeping the data under New-Zealand governance and infrastructure, rather than sending it to a jurisdiction and a company with no relationship to it, is a materially different act.
- Default to not, when unsure. If you can’t answer “whose authority?” you’re not ready to point an agent at that data. That’s not caution for its own sake; it’s the obligation working as intended.
This is Anchor 3 and Anchor 4 meeting: keeping the work good, and making sure it serves — not overrides — the people it belongs to. For a business that takes sovereignty seriously, this isn’t a compliance overhead grafted on at the end. It’s part of what the business is for.
This lesson states a principle and an obligation; it is general education, not legal advice, and not a substitute for engaging directly with the communities whose data is in question. Māori data sovereignty is a live and developing field — treat the specifics as something to get right with the right people, not to take from a course page.
Think of an agent you’d build that might, even incidentally, touch information about Māori. Who would you need to talk to before it ran — and is that a conversation you’ve started, or one the tool’s convenience is quietly skipping?
Next
The whole tier has circled one point: there’s always a person on the other side of the agent. The last lesson makes that explicit — your duties to the people your agent processes — and hands you the one-pager written for them.
Shared freely, in good faith. If it's been of value, a koha toward development and running costs is warmly welcomed.
Leave a koha →