Data Governance Built Without Asking

Research data platforms, health information systems, and government databases are built on Western data governance assumptions — individual consent, open access, de-identification equals anonymity — that fundamentally conflict with indigenous data sovereignty principles. The CARE Principles (Collective Benefit, Authority to Control, Responsibility, Ethics) recognize that indigenous communities have rights over data about their peoples, lands, and resources that are not captured by individual consent frameworks. In practice, this means that genomic databases (like the now-controversial Havasupai blood sample case), biodiversity databases (containing traditional ecological knowledge), health surveillance systems (reporting communicable diseases from indigenous communities), and land registries (digitizing indigenous territorial claims) regularly extract data from indigenous communities without collective consent, strip it of cultural context, and make it available in ways that can harm source communities.

Indigenous peoples constitute 6.2% of the global population across 90+ countries, and data about indigenous communities is increasingly used for policy decisions, resource allocation, and research — often without community consent or benefit. Genomic databases have published indigenous population genetics that communities did not authorize and that can be used against their territorial claims. Open data policies that make government-collected health data publicly available can expose small indigenous communities to statistical re-identification (when a community of 200 has 3 cases of a condition, "de-identified" data identifies them). Environmental databases containing traditional ecological knowledge (TEK) have been accessed by extractive industries to locate resources that indigenous communities intended to protect.

FAIR data principles (Findable, Accessible, Interoperable, Reusable) assume that more access is always better — directly conflicting with indigenous authority to restrict access. The CARE Principles were developed as a complement to FAIR but have no enforcement mechanism and no technical implementation in major data platforms. Institutional Review Boards (IRBs) evaluate research ethics at the individual level and lack frameworks for collective consent. Data use agreements between researchers and indigenous communities exist but are contract-by-contract, non-standardized, and difficult to enforce across platform migrations and secondary data use. National data sovereignty laws (GDPR in Europe, LGPD in Brazil) protect individual privacy but do not recognize collective data rights. Major research platforms (NCBI, Dryad, Zenodo) have no mechanism for attaching indigenous governance restrictions to deposited datasets.

Technical implementations of indigenous data governance — access control systems that enforce collective consent requirements, provenance tracking that follows data through secondary use, and governance metadata that travels with the data. Indigenous-controlled data infrastructure (exemplified by the Maori Data Sovereignty Network and First Nations Information Governance Centre's OCAP principles) where communities host and control access to their own data. Platform-level support for tiered access models where some data is open, some restricted to approved researchers, and some accessible only with community authorization.

A team could prototype a data governance metadata schema that implements CARE Principles — encoding collective consent status, community authority, benefit-sharing requirements, and access restrictions in a machine-readable format that can be attached to datasets in standard repositories. A policy team could compare data governance provisions in 5–10 national indigenous rights frameworks and identify the gap between legal provisions and technical implementation in existing data platforms. Relevant disciplines: information science, indigenous studies, data engineering, law, human-computer interaction.