Health Data Sovereignty Is Not Optional

I've spent my career managing health information systems. For most of that time, data sovereignty was a relatively simple question. Patient data lived on servers we controlled, in locations we knew, governed by policies we wrote. The boundary was clear.

That boundary has dissolved. And it dissolved faster than most health organisations were ready for.

When a GP practice adopts an AI-powered clinical documentation tool, that patient's consultation data is being processed somewhere. Often in Australia. Sometimes in the United States. The vendor's privacy policy might say the data isn't retained, but "not retained" and "not processed" are different things. The model may not store the data, but it processes it, and processing in a foreign jurisdiction means foreign law applies during that processing window.

For most administrative data, this is manageable. Appointment scheduling, billing, practice management. The sensitivity is lower and the regulatory requirements are well understood.

But for clinical data, the conversation is different. Clinical notes contain intimate details of people's lives. Mental health assessments. Reproductive health decisions. Addiction treatment records. Family violence disclosures. This data demands a higher standard of governance than "the vendor says it's encrypted."

The general sovereignty question becomes more pointed when it intersects with Māori data sovereignty. Te Mana Raraunga has articulated clear principles: Māori data should be subject to Māori governance, should benefit Māori communities, and should be protected from extraction that doesn't serve those communities.

In health, this has specific implications.

Population health data that identifies Māori health patterns is Māori data. When a PHO analyses its patient database and identifies disparities in diabetes management for Māori patients, that analysis describes Māori health. The insights derived from it should be governed accordingly, not just compliant with the Privacy Act, but subject to genuine Māori input on how those insights are used.

AI trained on NZ health data carries NZ health patterns. If an AI vendor trains a model on New Zealand clinical data, the model encodes patterns about our population, including patterns about Māori health. If that model is then deployed globally, those patterns have been extracted without community governance. This isn't hypothetical. It's the business model of several health AI companies operating in NZ right now.

Community-level data requires community-level governance. Individual consent doesn't cover community-level insights. A patient can consent to their GP using an AI tool. They can't consent on behalf of their iwi to population-level patterns being extracted from aggregated data. That governance gap needs to be addressed at the organisational and policy level, not left to individual consent forms.

Most health organisations in NZ are behind on this. Not because they don't care, but because the technology moved faster than the governance. Here's what I'd recommend based on what I've seen work.

Before you can govern your data, you need to know where it goes. Most health organisations can't answer basic questions: Which vendors process our clinical data? Where are their servers? What happens to data during processing? Is any of our data used for model training?

This mapping exercise is the foundation. Without it, every governance decision is made in the dark.

Standard data governance focuses on access control, retention, and compliance. That's table stakes. Health data governance needs to include community representation, particularly Māori representation, in decisions about how aggregate data is used, shared, and analysed.

This doesn't mean every data decision requires community consultation. It means the governance framework includes community input as a standing requirement, not an afterthought.

Most health IT vendor contracts are written by the vendor. They include broad data processing rights, limited obligations around data location, and minimal transparency about what happens during processing.

Health organisations need to negotiate harder. Where is data processed? Is it used for model training? Can the organisation audit data handling? What happens to data if the vendor is acquired by a foreign company? These aren't unreasonable questions. They're basic due diligence that most organisations skip.

The most sustainable approach is building internal capability to evaluate, govern, and manage health data with sovereignty in mind. This means training IT staff on data sovereignty principles, building relationships with Māori governance bodies, and creating internal policies that go beyond minimum compliance.

Relying entirely on external vendors or consultants for data governance decisions is a risk. Those decisions are too important and too context-dependent to outsource.

AI makes all of this more urgent. Pre-AI, health data was used for clinical care, administration, and reporting. The data flows were relatively contained. AI introduces new data flows: model training, inference processing, fine-tuning, and retrieval-augmented generation that pulls from clinical databases.

Each of these flows creates new sovereignty questions. And the pace of AI adoption means health organisations are answering these questions in real time, often without established frameworks.

The organisations that will navigate this well are the ones treating data sovereignty as infrastructure, not policy. It needs to be built into procurement processes, vendor evaluation criteria, system architecture decisions, and governance structures. Not bolted on after the AI tool is already deployed.

Health data sovereignty isn't a political position. It's an operational necessity. The data we collect about patients and communities carries obligations, to those patients, to those communities, and to the treaty partnership that underpins public services in Aotearoa. Meeting those obligations requires deliberate, sustained effort. It won't happen by default.