Governance and Social Legitimacy
Principles 8–10: Community consent, regulatory stack alignment, and resilience.
- P08 — Community and Indigenous Data Consent
- P09 — Regulatory Stack Alignment
- P10 — Resilience, Security and Data Governance
P08 — Community and Indigenous Data Consent
SCD-P08 · Principle 8 of 10
Community and Indigenous Data Consent
“CARE complements FAIR. People before data.”
Governance Layer
Definition
For climate data that touches territories, resources, or knowledge of indigenous or local communities — including forests, water, biodiversity, traditional ecological knowledge, and land-use data — the CARE Principles must complement FAIR: Collective Benefit (data use benefits the community, not just the collector), Authority to Control (communities control who accesses data about their territories), Responsibility (data users are accountable to the community), and Ethics (data collection, use, and sharing align with community values and rights). Free, Prior, and Informed Consent (FPIC) is required before data collection begins.
Rationale
In LATAM, most primary tropical forest is on indigenous or community land (Amazon, Andean communities, Mesoamerican forests, Pacific lowlands). Sovereign climate data built without community consent is: legally contested under ILO Convention 169 and national laws; technically incomplete (traditional ecological knowledge fills critical monitoring gaps); and ethically compromised. Post-COP15, the TNFD v1.0 framework — adopted by 320+ financial institutions — makes community rights a mandatory disclosure dimension. The Global Indigenous Data Alliance's CARE Principles (2019) are the operational framework; CODATA IDW 2025 reviewed their maturity model in practice.
Implementation Steps
- Map all data collection activities against community land rights before beginning.
- Obtain documented FPIC from affected communities before any data collection on their land.
- Establish a data governance agreement that specifies community rights to access, correct, and withdraw consent for their data.
- Ensure community members can access and challenge data about their territories.
- Report on CARE compliance in the same place as FAIR compliance.
Compliance Checklist
| Criterion | What it means | |
|---|---|---|
| ☐ | Community land map completed | Data activities mapped against indigenous and community land rights. |
| ☐ | FPIC documented | Free, Prior, and Informed Consent obtained and documented before data collection. |
| ☐ | Data governance agreement signed | Agreement specifies community rights and responsibilities of the collector. |
| ☐ | Community access enabled | Communities can view, challenge, and request correction of data about their land. |
Regulatory References
- ILO Convention 169 — Indigenous and Tribal Peoples (ratified by Colombia, Peru, Bolivia, Mexico)
- TNFD Framework v1.0 (2023) — Core Disclosure B (Stakeholder engagement)
- Global Indigenous Data Alliance — CARE Principles for Indigenous Data Governance (2019)
- CBD Kunming-Montreal Framework (COP15, 2022) — Target 22 (Indigenous rights)
Recommended Tools and Platforms
RAISG Indigenous Territories Map FAO FPIC Guidelines CARE Data Maturity Model
Keywords
CARE principles indigenous data sovereignty FPIC community consent TNFD ILO 169 LATAM
P09 — Regulatory Stack Alignment
SCD-P09 · Principle 9 of 10
Regulatory Stack Alignment
“Build once, report everywhere.”
Governance Layer
Definition
Sovereign climate data must be structured from inception to satisfy multiple simultaneous regulatory requirements without re-engineering. The 2026 regulatory stack includes: EU Green Claims Directive (enforcement September 2026), CBAM embedded carbon verification (fully operational January 2026), ISSB S2 mandatory disclosure (Brazil CVM, Mexico CNBV, Chile CMF — all from 2026), CSRD third-country scope (2029), Article 6 Paris Agreement carbon market rules (finalised COP29, 2025), and domestic NDC reporting requirements across LATAM.
Rationale
Organisations that build data infrastructure aligned to only one regulatory standard face costly rebuilds as additional mandates come into force. The 2026 stack creates immediate, simultaneous exposure across multiple jurisdictions for most LATAM organisations with international operations or finance. CBAM alone creates direct financial penalties — not just reputational risk — for LATAM exporters of steel, cement, aluminium, fertilizers, and hydrogen who cannot verify embedded carbon. Article 6 rules (COP29, Belém 2025) mean sovereign data is now a prerequisite for participating in international carbon markets.
Implementation Steps
- Audit your regulatory exposure: which of the 2026 stack applies to your organisation?
- Map each regulatory requirement to specific data fields (see Regulatory Mapping Table below).
- Design data collection to capture all required fields from the start — not retrofit.
- Use ISSB S2 as the baseline (it has the broadest adoption) and layer CBAM and GCD requirements on top.
- Review the stack annually: add new requirements as they come into force.
Regulatory Mapping Table — 2026 Stack
| Regulation | Jurisdiction | In Force | Key Data Requirement | Penalty |
|---|---|---|---|---|
| EU Green Claims Directive 2024/825 | EU (affects global exporters) | Sept 2026 | Substantiation of all environmental claims with verifiable evidence | Up to 4% annual turnover |
| CBAM (EU 2023/956) | EU imports — global exporters | Jan 2026 (full) | Embedded GHG per tonne for 6 product categories | Default tariff + penalties |
| ISSB IFRS S2 | Brazil (CVM), Mexico (CNBV), Chile (CMF) | FY2025 data, reported 2026 | Climate risks, Scope 1/2/3 emissions, scenario analysis | Securities regulator sanctions |
| EU CSRD | EU + large non-EU subsidiaries | 2029 (third-country) | Full ESG disclosure per ESRS standards with XBRL tagging | EU market access risk |
| Paris Agreement Art. 6 | LATAM sovereign govts | COP29 rules, 2025 | Sovereign-grade MRV for internationally transferred mitigation outcomes (ITMOs) | Exclusion from international carbon markets |
Compliance Checklist
| Criterion | What it means | |
|---|---|---|
| ☐ | Regulatory exposure audit completed | Applicable regulations from the 2026 stack identified. |
| ☐ | Regulatory-to-data field mapping | Each regulation's key data requirements mapped to existing or planned fields. |
| ☐ | ISSB S2 baseline in place | Data architecture covers all ISSB S2 mandatory disclosures. |
| ☐ | CBAM readiness assessed | Embedded carbon calculation capability assessed for all relevant export products. |
Regulatory References
- EU Directive 2024/825 (EmpCo/Green Claims) — enforcement September 27, 2026
- CBAM Regulation EU 2023/956 — definitive regime January 1, 2026
- ISSB IFRS S2 — S&P Global LATAM Adoption Map, June 2025
- Paris Agreement Article 6 — COP29 Rulebook (Belém, November 2025)
Recommended Tools and Platforms
ISSB IFRS S2 disclosure checklist CBAM Registry EU CSRD ESRS standards LATAM NDC tracker (CEPAL)
Keywords
CBAM ISSB S2 EU Green Claims CSRD Article 6 COP29 regulatory compliance LATAM 2026
P10 — Resilience, Security and Data Governance
SCD-P10 · Principle 10 of 10
Resilience, Security and Data Governance
“Sovereign data that can be lost is not sovereign.”
Governance Layer
Definition
Sovereign climate data requires an explicit governance framework specifying: (a) who has authority to read, write, modify, and delete data; (b) how data disputes are resolved; (c) backup and disaster recovery procedures; (d) security controls against unauthorised access or manipulation; (e) data retention and archiving policy; and (f) rules for data sharing with third parties. Governance must be documented and reviewed annually.
Rationale
Data sovereignty without governance is operational fiction. The Climate Data Steering Committee's Common Carbon Credit Data Model (2024) and the dMRV Working Group's Phase 2 Roadmap (2025) both identify data governance as the most under-addressed dimension of climate data infrastructure globally. For LATAM organisations, the additional risk is structural: most climate data is held in a single vendor system with no backup, no access log, and no recovery plan — meaning one vendor outage or relationship breakdown causes irreversible data loss.
Implementation Steps
- Write a Data Governance Policy covering: access control (who can do what), dispute resolution, retention schedule, backup frequency, and sharing rules.
- Implement role-based access: at minimum, separate read and write permissions.
- Run automated backups to a system you control at least weekly; test recovery quarterly.
- Maintain an access log: every read and write to sensitive climate data is recorded.
- For shared data: use a Data Sharing Agreement (DSA) that specifies permitted uses, attribution requirements, and data return/destruction obligations.
Compliance Checklist
| Criterion | What it means | |
|---|---|---|
| ☐ | Data Governance Policy written | Document covers access control, disputes, retention, backup, and sharing. |
| ☐ | Role-based access implemented | At minimum: separate read vs. write access for climate data systems. |
| ☐ | Automated backups running | Weekly backup to a system you own, with quarterly recovery tests. |
| ☐ | Access log active | All reads and writes to sensitive climate data are recorded with timestamp. |
Regulatory References
- Climate Data Steering Committee — Common Carbon Credit Data Model (2024)
- dMRV Working Group Phase 2 Roadmap (Planet2050 × BioCarbon, 2025)
- GDPR Art. 5 (Data integrity and confidentiality) — applicable to EU-adjacent organisations
- ISO/IEC 27001 (Information Security Management) — international baseline
Recommended Tools and Platforms
Infisical (secrets management) Backblaze B2 / Rclone (backup) Keycloak (access control) Audit log frameworks
Keywords
data governance security resilience backup access control data sharing agreement ISO 27001