Active · May 2026

Data Sovereignty Statement

How CAFE recognises distinct Indigenous data sovereignty frameworks, how we handle identity disclosures, and how we keep the certification platform under Canadian stewardship.

The Canadian Association for Financial Empowerment (CAFE) is incorporated by special Act of the Ontario Legislature. We set, promote, and regulate standards for financial counselling in Canada. We are not a rights holder for Indigenous data and we do not speak for First Nations, Métis, or Inuit Peoples.

Three distinct frameworks

We recognise three distinct Indigenous data sovereignty frameworks, and we treat them as distinct throughout our operations.

First Nations

The First Nations Principles of OCAP (Ownership, Control, Access, and Possession) are stewarded by the First Nations Information Governance Centre (FNIGC). OCAP® is a registered trademark of FNIGC and applies to First Nations collective data.

CAFE designs in alignment with the spirit of OCAP. We do not assert OCAP certification; FNIGC alone administers that process.

fnigc.ca

Métis

Métis data sovereignty is articulated separately by Métis governments and is not unified under a single framework. We recognise in particular the Consolidated Métis Nation Data Strategy published by the Métis National Council on 15 October 2025, the Saskatchewan Métis Health Research and Data Governance Principles published by Métis Nation Saskatchewan in 2025, and the Principles of Ethical Métis Research published by the National Aboriginal Health Organization Métis Centre.

The MNC Strategy was not endorsed by Métis Nation Saskatchewan or Métis Nation British Columbia during drafting. Other Métis governments hold their own positions on data governance. CAFE follows the lead of the specific Métis government relevant to any given matter.

Inuit

Inuit data sovereignty is articulated by Inuit Tapiriit Kanatami (ITK) through the National Inuit Strategy on Research (NISR), published on 22 March 2018, which sets out five priority areas including Inuit governance in research and Inuit access, ownership, and control over data and information.

Regional Inuit governments, including Nunavut Tunngavik Inc., Makivvik, Nunatsiavut Government, and Inuvialuit Regional Corporation, implement NISR within their respective jurisdictions. CAFE follows the lead of the relevant Inuit body for any matter that touches Inuit data.

itk.ca

The deciding voice

For any CFC designee, programme, or record that touches Indigenous data, the deciding voice is the keyholder designated by the relevant First Nation, Métis government, or Inuit body. CAFE coordinates with that keyholder. We do not make decisions on their behalf.

Our hosting model

The CAFE Certification Command Centre is hosted on the Serving Ethics server, a Canadian-located server stewarded by William Moores. We use no third-party cloud, no US-domiciled sub-processor for designee data, and no US-citizen administrative access to designee or Indigenous data.

We name this directly because the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and the USA PATRIOT Act compel US-domiciled vendors to disclose data in their custody regardless of where the data is physically stored, sometimes under a gag clause that prevents the affected party from being told. The Office of the Privacy Commissioner of Canada has confirmed that Canadian data residency alone cannot guarantee protection from foreign legal processes. We agree, and we have built accordingly.

For the full sub-processor disclosure, see the Security Policy.

How CAFE handles Indigenous identity disclosures

A designee’s Indigenous identity is theirs. When a designee discloses Indigenous identity, Nation, or community to CAFE, that disclosure happens directly and orally between the designee and CAFE staff. We do not transcribe, paraphrase, or store the substance of that conversation anywhere in the platform. The platform records only the operational compliance markers that the designee themselves chooses to enable in their profile. The disclosure itself stays with the designee.

Layered, voluntary opt-in

Every Indigenous-related data point in the platform is optional and gated by its own consent toggle controlled by the designee. Eligibility for certification does not depend on providing any of this information. The designee chooses, separately, whether to:

  1. Record an Indigenous identity bucket (First Nations, Métis, Inuit, “Prefer not to say”, or “Not Applicable”)
  2. Record a specific Nation or community name
  3. Consent to CAFE contacting their Nation or community about their certification
  4. Display their Indigenous identity in the public CFC directory
  5. Display their Nation or community in the public CFC directory
  6. Receive a privacy-enhanced certificate that carries no Indigenous identity markers

Selecting “Not Applicable” or “Prefer not to say” cascades through every dependent flag and clears it. Consent can be withdrawn at any time. The platform retains a record of the consent itself for seven years, as required by PIPEDA. The underlying disclosure the designee shared orally is not stored at any point.

The certificate as the designee’s record

Once a designee earns the CFC designation, the certificate PDF is theirs to generate and hold. Certificate export is restricted to the authenticated designee and operates only within their own session. Only the designee can generate their own certificate document. The resulting PDF carries the designee’s credentials within the document itself, so the certificate remains a valid and verifiable record independent of connectivity to the platform.

This is a deliberate, human-first design choice and an integral function of the certificate export. Every designee has the right to hold their certification in hand, on their own device, regardless of location, jurisdiction, or platform availability. The certificate is theirs to carry, offline and independent of CAFE, by design.

Each designee may choose, via their profile, a privacy-enhanced certificate that contains no Indigenous identity markers; that certificate carries identical standing to a standard certificate and only changes what appears on the document the designee holds. Once downloaded, the PDF is the designee’s record. CAFE does not retroactively alter it, redistribute it, or republish it.

Why this design

First Nations OCAP, Métis articulations, and Inuit NISR all centre the principle that Indigenous information is held by the rights-holder. CAFE applies that same principle at the individual level: the disclosure stays in the designee’s voice, on the designee’s certificate, under the designee’s control. The compliance markers we retain are the audit trail of what the designee chose to enable.

Client-level data

CAFE holds no records of who a designee serves. The framework distinction matters here as well: collective Indigenous data resides with the Nation or community.

A living charter

CAFE strives to honour the rights of all people and continuously expands our knowledge. This document is evergreen and will be modified to ensure accuracy and fairness as our ethics charter for all.

Engagement

If a Nation, Métis government, or Inuit body wishes to review, contest, or co-design any CAFE practice that touches its citizens’ data, we welcome that conversation. We will respond within fourteen days and we will follow the rights holder’s lead.

compliance@cafe-acaf.org

OCAP® is a registered trademark of the First Nations Information Governance Centre (FNIGC). Learn more about OCAP® or visit fnigc.ca.