Sharing Māori data

Find out what government agencies can do when sharing Māori data with non-government third parties.

This guidance is in development

This guidance will be updated based on your questions and feedback. If you would like anything added or clarified, email the Government Chief Digital Office (GCDO).

Email: gcdo@dia.govt.nz

Māori data and Te Tiriti o Waitangi

Under the Public Service Act , the public service supports the Crown in its relationships with Māori under Te Tiriti o Waitangi.

Māori Crown relationships — Te Kawa Mataaho Public Service Commission

Public Service Act : section 14 — New Zealand Legislation

To Māori, data is a taonga — things and values that are treasured, both intangible and tangible. Māori data requires special protections when it is collected, used and shared by agencies. The Crown has a responsibility under Te Tiriti to care for and protect all taonga.

When sharing personal information including Māori data, government agencies should consider how data access, sharing and protection practices reflect Māori rights over their information.

The Māori Data Governance Model

The Te Kāhui Raraunga Māori Data Governance Model is a key resource for agencies when updating protection and sharing practices for Māori data.

Māori Data Governance Model — Te Kāhui Raraunga (PDF 3.16MB)

The Model is intended as a foundational reference and a guide for the public service to support Treaty-aligned approaches to Māori data governance.

It outlines:

  • Māori data governance values
  • Māori data security considerations
  • a rich set of best practices to inform ethical advice for the treatment of all data, including Māori data.

Defining Māori data

The Model defines Māori data as follows.

Māori data refers broadly to digital or digitisable data, information or knowledge (including mātauranga that is about, from or connected to Māori). It includes data about population, place, culture and environment”.

Agencies should consider if data access for Māori can be achieved using existing Treaty mechanisms, relationships, or agreements. This may include providing data access to Māori, with a view to full repatriation (returning the data to where it belongs), when data access is requested and there is a clear case for it.

Data access is typically done through the agencies’ Iwi relationships and Treaty Settlement Commitments and Accords with Iwi. For new access to Māori data, new agreements may be required.

The Model includes definitions and a glossary to help explain specific terms used in the Model.

Providers

In this guidance and in the Model, the term providers refers to all suppliers and vendors that supply government agencies with services and systems. Māori data is shared with providers to deliver a public service.

Providers in the Model is the same as non-government third parties in the information sharing standard.

Information sharing standard

Data sharing agreement

In this guidance and in the Model a data sharing agreement is the same as an information sharing agreement in the information sharing standard.

Before entering into an agreement

The Model recommends that agencies take steps before entering information sharing agreements that involve Māori data. These steps are described below.

Update processes for sharing Māori data

Agencies should update their processes around Māori data before entering into any data sharing agreements.

Agencies should consider including accurate and culturally appropriate metadata, including information about the:

  • provenance or origin of the data
  • purpose for its collection
  • context of its collection
  • parties involved.

For guidance on classifying Māori data and metadata, refer to Pou 8: Data classification (page 51), of the Māori Data Governance Model.

Māori Data Governance Model — Te Kāhui Raraunga (PDF 3.16MB)

Engage early

Agencies should engage early with their internal Māori advisory teams to make sure meaningful engagement with Māori is undertaken:

  • early
  • appropriately
  • in line with agreed protocols and practices.

Agencies are encouraged to:

  • include Māori in decision-making processes where data use may impact Māori communities or interests
  • share the agencies’ interpretation and findings from using Māori data.

This is consistent with agencies’ Te Tiriti and partnership obligations.

There should be a clear and demonstrable link between the:

  • access to and use of Māori data
  • moral obligation to the equitable sharing of the benefits with Māori.

When entering into an agreement

Agencies have a responsibility to actively protect Māori data, even after the data is shared. This responsibility is to the communities, groups, and individuals from whom the data is collected.

Individuals, vendors, providers and agencies all share in the accountability and responsibility for the:

  • creation
  • collection
  • analysis
  • management
  • access
  • security
  • dissemination of Māori data.

Agencies and all providers must control risk when sharing Māori data.

Risk assessment guidance

Setting expectations with third parties: Treaty principles

Agencies have a strong influence over how the private sector:

  • interacts with Māori data
  • upholds their Treaty obligations.

Where agencies are setting up work or sharing data with providers, they should place an expectation on those providers to follow the Treaty principles.

This includes considering:

  • data access
  • sharing and protection practices that reflect Māori rights over their information
  • how Māori data interests will be honoured in the sharing agreement
  • responsibilities under Te Tiriti o Waitangi.

To learn more about the Treaty principles, read He Tirohanga o Kawa ki te Tiriti o Waitangi.

This guide:

  • outlines the principles of the Treaty of Waitangi, as expressed by the Courts and the Waitangi Tribunal
  • was produced by Te Puni Kōkiri (Ministry of Māori Development) in
  • describes the Treaty principles from pages 74 to 108.

He Tirohanga o Kawa ki te Tiriti o WaitangiTe Puni Kōkiri

The New Zealand Cabinet Office published a circular for government on Te Tiriti o Waitangi. It set out guidelines agreed by Cabinet, for policy makers to consider the Treaty of Waitangi in policy development and implementation.

This circular was published in October .

The Cabinet Office is part of the Department of Prime Minister and Cabinet (DPMC).

CO (19) 5: Te Tiriti o Waitangi / Treaty of Waitangi Guidance — DPMC

Roles and responsibilities of the Cabinet Office

Responsibilities for agreements

Data sharing arrangements should uphold agency and third-party provider’ responsibilities that make sure the safety, privacy and security of Māori data.

Collection purpose and notice

Before any sharing agreement is made or information is shared, agencies should consider if sharing Māori data meets the original purpose that it was collected for. This includes how the data might be used to develop and train machines or algorithms for services, such as artificial intelligence.

Transparent data collection practices should provide individuals with clear information about how their data will be:

  • used
  • shared
  • stored
  • disposed of
  • repatriated.

When agencies prepare to collect and use data from or about Māori, they should include the process to get free, prior, and informed consent in that collection process.

Agencies may need more controls in place to strengthen and balance consent. For example, if:

  • less-well defined types of consent already existed when the data was collected
  • consent was not clearly defined or well-established.

The due diligence guidance for the information sharing standard has more information about consent and transparency.

Due diligence guidance

Storage

Agencies should consider third-party requirements for the physical and virtual storage of Māori data once it has been shared.

To enhance data control for current and future generations, Māori data should, where possible, be stored in Aotearoa New Zealand by a majority-owned Aotearoa New Zealand company or agency.

Data is subject to the laws of the country where cloud service providers store, process, or transmit data. The Model refers to jurisdictional risk because cloud providers may have servers holding Māori data in countries with laws that give those governments the right to access those servers and the data they hold.

These risks make it difficult to maintain control and authority of Māori data. Agencies should consider the risks of this.

For guidance on jurisdictional risk and cloud storage, refer to Pou 4: Data protection (page 36), of the Māori Data Governance Model.

Māori Data Governance Model — Te Kāhui Raraunga (PDF 3.16MB)

Cloud jurisdictional risk guidance

The environment

Agencies should consider how the sharing of information contributes to uplifting and strengthened relationships between the Crown, Māori and the environment.

As tangata whenua (people of the land or Indigenous People), Māori have an interest in data practices and systems that are ethical, environmentally sustainable and tika (appropriate) for all data in Aotearoa, not just Māori data.

This means including the importance of environmental sustainability and environmental regeneration in the decision-making process, to protect New Zealand and Iwi Māori interests when sharing information.

Agreements can include clauses recognising the spiritual relationship of iwi Māori with their ancestral lands, water, sites of significance, wāhi tapu (sacred places), and other environmental taonga.

Security and risk

Agencies must implement appropriate security measures to protect all data, including Māori data. These measures include preventing unauthorised access and data breaches, and making sure the confidentiality and integrity of the information is always maintained.

The government’s security expectations on agencies, to manage information security (as well as personnel and physical security) is described on the Protective Security Requirements’ website.

Information security (INFOSEC) — Protective Security Requirements

Risk assessments and monitoring mechanisms should be used to make sure that Māori data remains:

  • accurate
  • relevant
  • accessible
  • timely
  • consistent.

Agencies should take all reasonable steps to make sure that data sharing does not prejudice Māori individuals or collectives (whānau, hapū, iwi, rōpū or Māori organisations).

Sharing and data aggregation

Data sharing goes both ways — between the agency holding the data and the provider, when it shares data back to the agency.

Māori data should not be shared when it has been:

  • aggregated (combined) in ways that misrepresent or miss key aspects of Māori identities
  • decontextualised (taken out of context) by focusing on Māori individuals and families outside of their social and/or cultural context.

Sharing should be free of practices that are:

  • deceptive
  • manipulative
  • cohesive
  • discriminatory
  • likely to cause harm, intentionally or not.

More guidance

The GCDO has produced guidance on using information about Māori, Pacific Peoples, and ethnic communities with generative artificial intelligence (GenAI).

Māori, Pacific Peoples, ethnic communities and GenAI

Stats NZ has produced the Ngā Tikanga Paihere guidelines to help agencies establish goals, boundaries, and principles that guide and inform good data practice. These guidelines help agencies to:

  • guide safe, responsible and culturally appropriate decisions about the use of data
  • carefully consider decisions about their data use
  • make sure data practices occur in good faith.

Ngā Tikanga Paihere — data.govt.nz

Contact us

For further information, to ask questions or give feedback, email the Government Chief Digital Office (GCDO).

Email: gcdo@dia.govt.nz

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated