Auditor-general John Ryan.
A data privacy breach in the hastily developed technology systems for NZ's firearms buyback scheme was managed well by NZ Police, according to a report by the Auditor-General.
From the procurement of the SAP system, which was expedited through an "opt out" clause to avoid a tender, through to the end of the buyback, the report generally supported the technology approaches taken by Police.
"It is clear that going through an open-market procurement would have delayed the design and implementation of an information system to support the scheme," the report found.
"SAP already provided other services to the Police, including their finance system, and any system used for the scheme would need to work with the Police’s finance system."
At $9.4 million, IT system costs were the biggest administrative expense in the scheme's roll-out, ahead of professional services and consultant expenses ($7.5 million) and personnel costs ($6.6 million).
Of that $9.4 million, SAP received just over $7 million for its work.
The Police learned from their Australian counterparts that a good information system was critical to successful implementation. So, in the wake of last year's Christchurch terror attack, they engaged SAP to develop and support a system to process applications and compensation payments.
The system also provided a means to track and trace firearms, magazines, and parts from the point they were handed in to final destruction.
"The SAP system was a strength of the scheme," the audit report found.
Police’s documentation for the system identified and reported on risks and controls and there was also a comprehensive testing strategy.
However, on 2 December 2019 a user accessed 436 citizen records, of which 34 were at a detailed account level, including bank account details and firearms licence numbers.
The incident, which along with other aspects of the scheme became highly politicised, occurred after an external provider updated the system in a way the Police had not authorised.
The Police contacted all of the affected individuals and briefed the Privacy Commissioner and the Government chief digital officer.
SAP later apologised unreservedly for the error and to took full responsibility.
The vendor explained that as part of new features intended for the platform, security profiles had to be updated to allow certain users to be able to create citizens records.
A new security profile was incorrectly provisioned to a group of 66 dealer users due to human error by SAP.
"Although the Police did not make the unauthorised change to the system, the Police are ultimately responsible for the protection of private information," the audit report said.
"The Police’s response to, and management of, the incident was professional. Other government agencies provided the Police with good support when responding to the incident."
Police suspended public access to the SAP system, which people used to register their intention to hand in prohibited firearms, magazines, or parts, but local collection events were able to continue.
Staff in the Police’s call centre and at local collection events still had access to the system and entered information collected manually.
Police also had adequate ICT controls over the systems, including over user access management, data loss prevention and system output, change management, IT disaster recovery, and network security and vulnerability management.
Penetration testing was also done at the design stage of those systems and throughout development.
The only technology-related matter that could be considered to have been even vaguely criticised in the report was that the Police did not use their SAP system to track dealer stock.
Instead, they used a dealer portal developed for the scheme, in combination with their standard emergency management information system used to task operational responses and provide case management of incidents.
"These systems did not support the same level of traceability of individual items as the SAP system," the report found.
More generally, however, the Auditor-General commented that neither the Police nor any other agency know how many prohibited firearms, magazines, and parts were in the community when the law was changed.
"Without this information, we do not yet know how effective the scheme was. More work should be done to find out what level of compliance with the scheme has been achieved and the extent to which it has made New Zealanders safer."
The Police should also continue to improve their understanding of the firearms environment, build on their strengthened relationships with firearms owners and dealers, and make effective use of relevant information they have gathered to support their regulatory responsibilities, the Auditor-General found.
The Police now estimate that, once fully completed, administering the scheme will have cost up to $35 million, nearly double the $18 million the 2019 Budget provided.
