P10 — Resilience, Security and Data Governance
SCD-P10 · Principle 10 of 10
“Sovereign data that can be lost is not sovereign.”
Governance Layer
Definition
Sovereign climate data requires an explicit governance framework specifying: (a) who has authority to read, write, modify, and delete data; (b) how data disputes are resolved; (c) backup and disaster recovery procedures; (d) security controls against unauthorised access or manipulation; (e) data retention and archiving policy; and (f) rules for data sharing with third parties. Governance must be documented and reviewed annually.
Rationale
Data sovereignty without governance is operational fiction. The Climate Data Steering Committee's Common Carbon Credit Data Model (2024) and the dMRV Working Group's Phase 2 Roadmap (2025) both identify data governance as the most under-addressed dimension of climate data infrastructure globally. For LATAM organisations, the additional risk is structural: most climate data is held in a single vendor system with no backup, no access log, and no recovery plan — meaning one vendor outage or relationship breakdown causes irreversible data loss.
Implementation Steps
- Write a Data Governance Policy covering: access control (who can do what), dispute resolution, retention schedule, backup frequency, and sharing rules.
- Implement role-based access: at minimum, separate read and write permissions.
- Run automated backups to a system you control at least weekly; test recovery quarterly.
- Maintain an access log: every read and write to sensitive climate data is recorded.
- For shared data: use a Data Sharing Agreement (DSA) that specifies permitted uses, attribution requirements, and data return/destruction obligations.
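One way to run the quarterly recovery test from the steps above, as an added example that is not part of the original framework: record a SHA-256 manifest when the backup is taken, then compare a restored copy against it. The function names, the manifest layout and the sample CSV files are assumptions constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large datasets need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest recorded at backup time."""
    restored = build_manifest(restored_root)
    common = manifest.keys() & restored.keys()
    return {
        "missing": sorted(manifest.keys() - restored.keys()),
        "corrupted": sorted(k for k in common if manifest[k] != restored[k]),
        "unexpected": sorted(restored.keys() - manifest.keys()),
    }


def recovery_test_passed(report):
    """The test passes only if nothing is missing, altered or unaccounted for."""
    return not any(report.values())


if __name__ == "__main__":
    # Constructed sample: a live dataset and a restore in which one file differs.
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        live.mkdir()
        (live / "plots.csv").write_text("plot_id,tCO2e\nA1,12.5\n")
        (live / "sensors.csv").write_text("sensor,reading\nS1,0.42\n")
        manifest = build_manifest(live)  # store this alongside the backup
        shutil.copytree(live, restored)
        (restored / "plots.csv").write_text("plot_id,tCO2e\nA1,99.9\n")
        report = verify_restore(manifest, restored)
        print(json.dumps(report, indent=2))
        print("PASS" if recovery_test_passed(report) else "FAIL")
```

Keep the manifest somewhere other than the backup itself, so that a damaged or altered backup cannot also rewrite the values it is checked against.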
Compliance Checklist
| | Criterion | What it means |
|---|---|---|
| ☐ | Data Governance Policy written | Document covers access control, disputes, retention, backup, and sharing. |
| ☐ | Role-based access implemented | At minimum: separate read vs. write access for climate data systems. |
| ☐ | Automated backups running | Weekly backup to a system you own, with quarterly recovery tests. |
| ☐ | Access log active | All reads and writes to sensitive climate data are recorded with timestamp. |
Regulatory References
- Climate Data Steering Committee — Common Carbon Credit Data Model (2024)
- dMRV Working Group Phase 2 Roadmap (Planet2050 × BioCarbon, 2025)
- GDPR Art. 5 (Data integrity and confidentiality) — applicable to EU-adjacent organisations
- ISO/IEC 27001 (Information Security Management) — international baseline
Recommended Tools and Platforms
- Infisical (secrets management)
- Backblaze B2 / Rclone (backup)
- Keycloak (access control)
- Audit log frameworks
Keywords
data governance, security, resilience, backup, access control, data sharing agreement, ISO 27001