Māori Data Sovereignty & Te Tiriti Testing

Māori have the right to own and control data about themselves, their resources, and their communities. Testing for data sovereignty means verifying that systems respect consent, transparent use, community benefit, and cultural protocols.

1 The Hook

A health technology company built a mobile app to help Māori whānau manage chronic disease. They partnered with a Māori health provider, collected rich health data from 5,000 Māori patients, and built predictive models. The system worked well — it identified high-risk patients early.

Six months after launch, a researcher at a major university asked to access the dataset for a published study. The company provided the data, pseudonymised but rich with demographic and health details. The research paper was published, and a news article highlighted it. The participants had never been asked. The iwi (tribe) behind the health provider partnership learned about it through the paper, not through consultation. The company had not breached the Privacy Act (the data was de-identified), but it had breached the principle of Māori data sovereignty.

Data sovereignty is not just about privacy. It is about ownership, control, and consent to use. Māori deserve to know what is done with their data, to benefit from it, and to be involved in decisions about it. Testing for data sovereignty is part of governance testing.

2 The Rule

Māori data sovereignty means Māori have the right to own, control, and benefit from data about themselves and their communities. For any system handling Māori data, test managers must verify: (1) informed consent from iwi/hapū, (2) transparent data use and sharing, (3) community benefit from the system, (4) cultural appropriateness, and (5) Māori involvement in governance decisions. This is not optional—it is a Te Tiriti obligation.

3 The Analogy

Data ownership is like whakapapa (genealogy). You cannot share someone's whakapapa publicly without their whānau's permission.

Whakapapa is sacred. It connects people to land, to identity, to mana. Similarly, data about Māori — health, social, economic, cultural — is not just information. It is a taonga (treasure). It connects to identity and mana. Sharing it without permission is a breach of trust, regardless of whether names are removed. Sovereignty means Māori control whether, when, and how that data is used.

4 Te Tiriti o Waitangi Context

Why data sovereignty is a Treaty obligation.

Article Two of Te Tiriti

Te Tiriti guarantees Māori the right to ownership of their lands, villages, and all possessions. In the modern context, this extends to data — a form of possession and a taonga. Data about Māori communities represents their knowledge, their health, their economies. Control over that data is a Tiriti right.

Partnership and participation

Te Tiriti requires genuine partnership between the Crown and Māori. In practice, this means organisations working with Māori data must involve Māori in decision-making — not as an afterthought, but from design through to operation. Systems should be tested not just for functionality, but for whether they embed partnership and transparency.

Implications for testing

A test manager overseeing a system that processes Māori health data must verify that the system is designed and operated with Māori oversight built in. This includes testing data access controls (who can see the data?), consent mechanisms (did Māori communities agree?), and governance processes (are Māori involved in decisions about the data?).

5 Māori Data Sovereignty Principles

Tino Rangatiratanga (Self-Determination)

Māori have the right to determine how data about them and their communities is used. This means control over what data is collected, who accesses it, and how it is analysed. Testing: Verify that the system gives Māori (individuals and communities) explicit control over data access. Can a Māori patient revoke consent for their health data to be shared with researchers? Can an iwi withdraw data they provided?

Whakatupuranga (Data as Asset)

Data generated by or about Māori communities is an asset that should benefit those communities. If a system built on Māori health data generates valuable insights, Māori should benefit — through employment, through improved services, through revenue sharing, or through research benefits. Testing: Verify that the system's governance includes mechanisms for community benefit — e.g., Māori are employed to manage the data, or the organisation commits to using the system's outputs to improve services for Māori communities.

Manaakitanga (Respect and Reciprocity)

Data stewardship requires respect. Organisations using Māori data have a duty to treat it with respect, to acknowledge its source, and to give back to the community. Testing: Verify that the system transparently credits the communities that provided data. Is there a clear statement of which iwi or Māori organisations the data came from? Are there feedback mechanisms where communities can see how their data is being used?

Kaitiakitanga (Guardianship)

Guardianship means protecting the taonga (treasure) for future generations. Data is guarded by those who use it. Testing: Verify that the system has strong security, appropriate retention policies, and plans for data repatriation or deletion when no longer needed. Māori data should not be held indefinitely.

6 CARE Principles for Indigenous Data Governance

International standard for indigenous data stewardship, increasingly adopted in Aotearoa.

Collective Benefit

C: Data ecosystems must be designed and function in ways that enable Māori to derive benefit from the data. Governance question: How does the system ensure that Māori communities benefit from the insights or applications built on their data?

Authority to Control

A: Māori must have the authority to control the collection, ownership, and use of Māori data. Governance question: Does the system give iwi/hapū veto power over how the data is used? Can they withdraw data or change access permissions?

Responsibility

R: Organisations have a responsibility to Māori for the data they hold and to use it in culturally respectful ways. Governance question: Does the organisation commit to cultural protocols around data use? For example, is health data handled according to Māori healing concepts, not just clinical frameworks?

Ethics

E: Data practices must be ethical and accountable. Governance question: Is there ethical review by Māori advisors before the data system is launched? Are there mechanisms for accountability if data is misused?

Pro tip: CARE Principles are increasingly required by Māori research institutions and iwi partnerships. If your organisation is building a system with Māori data, ask if CARE alignment has been considered. If not, propose it as a testing and governance requirement.

7 Testing Considerations for Data Sovereignty

Consent verification

  • Test that individual consent for data collection is explicit and informed. Tick-box consent is not enough — can users understand what data is being collected and why?
  • Test community-level consent. Has the iwi or hapū that the data represents been consulted? Is there evidence of a partnership agreement?
  • Test revocation. Can a user withdraw their data? What happens to derived insights if they do?

Data access and sharing

  • Test that data is only shared with parties that the user (or community) has consented to. If a health app shares anonymised data with a university, that sharing should be visible to the user.
  • Test access controls. Can administrators export all Māori health data? Or are there audit logs and restrictions on bulk access?
  • Test data retention. Is there a time limit on how long data is kept? Is there a mechanism to delete or return data to the community after a defined period?
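
The consent and sharing checks above can be expressed as an executable test model. This is an added example, not part of the original lesson: a sharing gate that releases a record only when both the individual and their community have consented to that recipient and purpose, and that logs every request. `ConsentRegistry`, the purpose and recipient labels, and the sample records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentRegistry:
    """Hypothetical consent store: individual consent is per purpose,
    community consent is per (community, recipient, purpose)."""
    individual: set = field(default_factory=set)   # {(patient_id, purpose)}
    community: set = field(default_factory=set)    # {(community_id, recipient, purpose)}
    audit_log: list = field(default_factory=list)

    def grant(self, patient_id, purpose):
        self.individual.add((patient_id, purpose))

    def revoke(self, patient_id, purpose):
        self.individual.discard((patient_id, purpose))

    def community_approve(self, community_id, recipient, purpose):
        self.community.add((community_id, recipient, purpose))

    def community_withdraw(self, community_id):
        # Collective withdrawal: drop every approval the community has given.
        self.community = {c for c in self.community if c[0] != community_id}

    def share(self, records, recipient, purpose, actor):
        """Release only records covered by BOTH consent levels; log every request."""
        released = [
            r for r in records
            if (r["patient_id"], purpose) in self.individual
            and (r["community_id"], recipient, purpose) in self.community
        ]
        self.audit_log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "recipient": recipient, "purpose": purpose,
            "released": len(released), "withheld": len(records) - len(released),
        })
        return released


# Constructed sample data (not real patients or communities).
RECORDS = [
    {"patient_id": "p1", "community_id": "iwi-a"},
    {"patient_id": "p2", "community_id": "iwi-a"},
    {"patient_id": "p3", "community_id": "iwi-b"},
]


def build_registry():
    reg = ConsentRegistry()
    for pid in ("p1", "p2", "p3"):
        reg.grant(pid, "research")
    reg.revoke("p2", "research")                              # individual revocation
    reg.community_approve("iwi-a", "university", "research")  # iwi-b has not agreed
    return reg
```

A test suite built on this model would assert that a de-identified export to a recipient or purpose outside the agreement returns nothing, and that the refused request still appears in the audit log.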

Cultural appropriateness

  • Test that the system respects tikanga (cultural protocols). For example, if the system handles health data, does it acknowledge Māori healing concepts or only Western medical frameworks?
  • Test terminology. Are Māori languages used appropriately? Is there a te reo Māori interface option?
  • Test imagery and representation. If the app includes case studies or testimonials, are they respectful and representative?

Community benefit and transparency

  • Test transparency mechanisms. Does the system show users and communities how their data is being used? Are reports available?
  • Test benefit mechanisms. If the system generates revenue or produces research, is there a pathway for community benefit? Are Māori hired to work on the project?
  • Test accountability. Is there a contact point or mechanism to report concerns about how data is being used?

8 Data Governance Framework

Partnership agreements

Test that the system is backed by a formal partnership agreement between the organisation and the iwi/Māori community providing the data. This agreement should be visible to testers and should define: what data is collected, who can access it, how long it is retained, what benefits the community receives, and how Māori are involved in governance.

Māori governance board or advisory group

Test that the system has Māori representation in governance and decision-making. This might be a formal board or an advisory group. As a test manager, you should verify that Māori advisors are involved in testing decisions — e.g., reviewing test plans for cultural appropriateness before testing begins.

Data stewardship policy

Test that the system has a published policy on how Māori data is handled. The policy should cover: collection (informed consent), use (only as consented), sharing (transparent), retention (time-limited), security, and repatriation (return to community when no longer needed).

Audit and accountability mechanisms

Test that there are mechanisms to audit how data is used. For example: audit logs showing who accessed the data and when, annual reports to the community, and a process for addressing breaches or misuse.

9 Real NZ Scenarios

Scenario 1: Māori Health Data Platform (Government)

A government health system builds a platform to improve Māori health outcomes. It collects data from Māori health providers, whānau, and government health services. Test plan:

  • Verify that iwi and Māori health providers have signed data-sharing agreements
  • Test that users can see (and understand) what data is collected about them
  • Test that users can withdraw consent for specific uses (e.g., "I allow health research but not marketing")
  • Verify that Māori health providers have access to insights generated from their data
  • Test that the governance board includes Māori representatives and that they have real decision-making power

Scenario 2: Social Media Platform with Māori Users

A social platform becomes popular among Māori communities. Māori post content in te reo, share photos, and build networks. The platform wants to use Māori user data for research on social connection. Test plan:

  • Test consent mechanisms. Does the platform clearly ask for permission to use Māori-generated content for research?
  • Test cultural protocol respect. If the platform recommends "related content," does it accidentally group sacred or tapu content inappropriately?
  • Verify that Māori are not stereotyped or targeted with inappropriate ads based on cultural markers
  • Test transparency. Can Māori users see what research the platform is conducting on their data?

Scenario 3: Hapū-Based Resource Management System

A hapū (sub-tribe) manages their rohe (territory) using a digital system. They record mātauranga Māori (Māori knowledge) about plants, fishing seasons, and land management. Test plan:

  • Verify that data access is restricted to hapū members and that outsiders cannot export or screenshot the knowledge
  • Test that the system supports te reo Māori as the primary language
  • Verify that the system includes audit logs of who accesses what data and can identify misuse
  • Test repatriation mechanisms — if the system is decommissioned, can the data be returned to the hapū in an accessible format?

10 Common Mistakes

Mistake 1: Confusing de-identification with consent

Why it happens: "The data is anonymised, so we can use it however we want." De-identification does not equal consent. Even anonymised data about a Māori community represents that community's knowledge, and the community deserves control over its use.
The fix: Assume that any data collected from a Māori community requires explicit community consent for its use, regardless of whether it is de-identified. Build consent mechanisms into the system design from the start.

Mistake 2: Not involving Māori in testing decisions

Why it happens: A team tests the system for functionality without asking Māori advisors whether the system respects cultural protocols.
The fix: Include Māori representatives in test planning. Ask them: Is this culturally appropriate? Does it respect tikanga? Could this data be misused in ways we have not considered? These are governance questions, not afterthoughts.

Mistake 3: Treating data sovereignty as a one-time checkbox

Why it happens: The system launches with a consent form and a partnership agreement, and the team considers the sovereignty requirement "done."
The fix: Data governance is ongoing. Test mechanisms for transparency, accountability, and community benefit continuously. Annually review whether the partnership agreement is being honoured and whether Māori communities are benefiting.

Mistake 4: No explicit community withdrawal mechanism

Why it happens: Individual users can delete their account, but there is no process for a community (iwi/hapū) to withdraw their collective data from the system.
The fix: Build a formal process for community data withdrawal. If an iwi decides they no longer want their health data in a government system, there should be a mechanism to remove it (or document why it cannot be removed). This should be tested before launch.

Mistake 5: Assuming all Māori have the same interests

Why it happens: Treating "Māori" as a monolith. A system designed with consultation from one iwi may not be appropriate for another iwi with different cultural practices.
The fix: Engage broadly with different iwi and Māori communities. Test the system in multiple cultural contexts before launch. Be explicit about which communities the system is designed for and which may need customisation.

11 Self-Check

Q1: What is the difference between privacy and data sovereignty?

Privacy is about controlling access to personal information (Who can see my data?). Data sovereignty is about ownership and control of data (Who owns it? Who decides how it is used?). A dataset can be private but not sovereign — if personal data is de-identified but used without community consent, it violates sovereignty even if privacy rules are met.

Q2: What are the CARE Principles and why do they matter?

CARE Principles: Collective Benefit (data must benefit indigenous communities), Authority to Control (indigenous peoples control the data), Responsibility (organisations are responsible for ethical use), and Ethics (practices must be ethical). They matter because they provide a global standard for indigenous data governance that is increasingly adopted in Aotearoa and internationally.

Q3: How should you test consent for Māori data?

Test both individual and community-level consent. Individual: verify users can understand what data is collected and can revoke consent. Community: verify that iwi/hapū partnerships are documented and that the community has authority to withdraw their data collectively. Tick-box consent is not enough — consent must be informed and specific about use.

Q4: What does "data as asset" mean in the context of Māori data sovereignty?

Data generated by or about Māori communities represents knowledge and value that should benefit those communities. If a system uses Māori health data to train models that benefit the organisation, the Māori community should also benefit — through employment, improved services, revenue sharing, or research benefits. Test governance mechanisms to ensure benefit flows back to the community, not just to the organisation.

Q5: What should be included in a data stewardship policy for Māori data?

A data stewardship policy should cover: (1) collection (informed consent), (2) use (only as consented), (3) sharing (transparent, with community notification), (4) retention (time-limited), (5) security (protected from misuse), (6) repatriation (return to community when no longer needed), and (7) accountability (mechanism for addressing breaches or misuse).

12 Interview Prep

Real questions from NZ test manager interviews, especially in government and health.

"Have you tested systems that handle sensitive community data? How did you approach it?"

Yes, I worked on a health platform collecting data from a Māori health provider. Before testing, I reviewed the partnership agreement and the data governance policy. I tested consent mechanisms — individual consent forms and community-level data access agreements. I also verified audit logs to ensure only authorised people could access patient data. And I checked that the community had visibility into how the data was being used through regular reports.

"What is Māori data sovereignty, and why should a test manager care about it?"

Māori data sovereignty means Māori have the right to own, control, and benefit from data about themselves and their communities. As a test manager, I care because testing is not just about functionality — it is about governance and ethics. If a system violates data sovereignty, it violates Te Tiriti and causes real harm to communities. My job is to verify that the system respects consent, transparency, and community benefit, not just that it works correctly.

"What would you do if the development team wanted to launch a system without a formal partnership agreement with the Māori community providing data?"

I would not approve launch. I would escalate to the product manager and explain that without a partnership agreement defining consent, data use, and community benefit, the system risks violating Te Tiriti and causing reputational harm. I would recommend delaying launch to establish the partnership properly. Testing cannot fix a governance problem — governance comes first, then testing validates that the system honours the governance agreement.