Introducing data sovereignty in practice 

Data sovereignty refers to the right of a group or nation to control how data relating to them is collected, stored, accessed, and used. In the Australian context, this is especially critical for Aboriginal and Torres Strait Islander Peoples, whose rights to govern their data are grounded in principles of self-determination, cultural continuity, and informed consent. 

For social impact organisations, upholding data sovereignty is not just about compliance, it is about respect, responsibility, and building trust. It means designing data systems that are not only secure and efficient, but also culturally safe and grounded in relationship. 

Why it matters for social impact organisations 

Social sector organisations often work with data that is deeply connected to people’s identities, stories, and communities. Mishandling that data, whether through inappropriate storage, lack of consent, or cultural insensitivity, can undermine trust, retraumatise individuals, and damage relationships with the very communities an organisation exists to serve. 

Embedding data sovereignty into data practices creates safer systems, builds stronger partnerships, and results in more meaningful insights. It is particularly important when working alongside Aboriginal and Torres Strait Islander communities, where collective rights, cultural protocols, and data ownership must be central to how data is managed and used. 

Key principles of Indigenous data sovereignty 

The Maiam Nayri Wingara Indigenous data sovereignty collective provides a locally grounded foundation for organisations seeking to understand their responsibilities. Key principles include the rights of Indigenous peoples to own, control, access, and manage data that relates to them. These rights extend across all stages of the data lifecycle—from how data is collected to how it is interpreted and shared. 

These principles are closely aligned with the global CARE principles, which emphasise collective benefit, authority to control, responsibility, and ethics. They complement, but do not replace, the more technical FAIR data principles. Most importantly, these frameworks are underpinned by the right to free, prior and informed consent (FPIC), as affirmed in the United Nations Declaration on the Rights of Indigenous Peoples (UNDRIP). FPIC requires that Indigenous Peoples are not only informed but meaningfully involved in decisions that affect their data—before any data is collected or used. 

What it looks like in practice 

• Data storage should always be considered from a sovereignty perspective. For general Australian data, storing within national borders is an important baseline. For Aboriginal and Torres Strait Islander data, organisations should consider whether state-based or even on-country storage is more appropriate. Cloud platforms should be carefully vetted to ensure backups, metadata, or failover services do not reside overseas without consent. 

• Consent and governance must go well beyond a tick-box exercise. FPIC should be embedded from the earliest stages of planning. This involves engaging communities before data is gathered, ensuring they are informed of how data will be used, and allowing them the genuine opportunity to give or withhold consent. Consent should be relational and ongoing, revisited as contexts shift or new uses emerge. Establishing governance structures that include community voices—such as advisory groups, cultural data stewards, or shared decision-making mechanisms—can make these commitments real and durable. 

• Respect for cultural protocols is also vital. Some data may be gendered, sacred, or context-specific, and should not be shared or published without explicit permission. Even seemingly de-identified or aggregated data can cause harm if it is used in ways that erase meaning or strip data of its cultural or geographic context. Organisations should explore how metadata can carry community-specific instructions or restrictions along with the data, rather than treating it as neutral. 

• Partner and vendor accountability plays a significant role. Many organisations outsource components of their data infrastructure, which makes it essential to ask specific questions about where data lives, who can access it, and how it is governed. If your work involves First Nations communities, partners should be Indigenous-led or willing to engage in genuine shared control in decision making processes. This requires time, trust, and a willingness to adapt standard processes to reflect community needs. 

How woven supports data sovereignty 

We can help organisations implement data systems that respect and reflect data sovereignty principles from the ground up. Our technical designs are tailored to Australian data residency requirements, and we work with clients to understand the cultural, legal, and ethical dimensions of their data environments. Where First Nations data is involved, we actively support FPIC-aligned processes and governance models that centre community voices. 

Data sovereignty is not a technical feature, it is a foundational principle of ethical, rights-based service delivery. For social impact organisations in Australia, it provides an opportunity to reframe data not just as an asset, but as a shared responsibility. Embedding sovereignty in data systems strengthens outcomes, deepens trust, and honours the communities whose lives and stories we seek to support. 

Woven is ready to walk alongside you, helping to shape systems that are modern, secure, and grounded in respect. If you're ready to explore what data sovereignty looks like in your organisation, we’re here to help.