Police were wrong to hand a gun-registry contract to German-based multi-national SAP, says an advocate for the local IT industry.
NZRise co-chair Victoria MacLennan says "star-struck" police went with SAP without giving local contenders - or any other contenders - a chance to bid for the contract, which was instead tacked on to SAP's existing work.
But police say they were simply put under too much time pressure, among other factors.
"Data privacy is a tricky but crucial element of all software. When you use huge offshore vendors, it can be hard to keep control of the service they are providing," MacLennan told the Herald.
"New Zealand software companies that are passionate about the protection of our citizens were disappointed when NZ Police chose not to let them go for the gig, but instead just spoke to SAP, a German company."
Earlier, SAP was one of the primary vendors involved in a cost-blowout on a huge Auckland Council IT systems upgrade, and a similar debacle at KiwiBank.
MacLennan added, "We've seen this a lot, large Government organisations get star-struck by multinationals even when it's at a higher cost than going with a company from Aotearoa.
"And they often do this without considering the great mahi of companies based here - and the broader opportunities supporting them provides."
A police spokeswoman responded, "The project was not put out to tender because of the time constraints and because there was the need to interface with NZ Police's finance system - built by SAP - to make payments. The process followed is permitted under the circumstances within the government procurement rules."
Digital Revolution director Phil Van Loghem said his company approached police, telling them it could drastically undercut SAP, but "we were shut down promptly."
He calls the police's time-pressure excuse "a cop-out, no pun intended".
He was sympathetic to the need to integrate with other SAP systems.
But overall, he saw it as "another example of our bureaucratic process being held to ransom by these huge international software companies with little responsibility."
Yesterday, police confirmed a data breach with the online gun buy-back registry. It meant any dealer who logged in could see the names, addresses, dates of birth, types of firearms, cellphones and bank account numbers of 37,125 gun owners who registered around 280,000 newly-prohibited firearms. The breach lasted for several hours last week.
An update to the database - not authorised by police - had given dealers a higher level of access last week thanks to "human error", police said.
In a statement, SAP carried the can.
"A new security profile was incorrectly provisioned to a group of 66 dealer users due to human error by SAP," a spokesman for the multinational said.
"We unreservedly apologise to New Zealand Police and the citizens of New Zealand for this error.
"A full internal investigation is already under way within SAP."
Police and SAP have briefed the Privacy Commissioner.
Tech commentator Ian Apperley told the Herald that whatever bungle was made, the key thing is what happens from this point.
"It's critically important that the process that led to the leak is made fully transparent so that others can learn from it. Whether it was a failure of governance, a failure of a system, or both, getting those learnings out as soon as possible is key," he said.
"We know that the project team and governance surrounding it would have been under extreme pressure to get the system completed," he added.
"Often, that leads people to missing key risks - or accepting them.
"It can also mean a less-than-optimal testing regime.
"Total transparency is now required in order to reduce the risk of future systems, systems being built now, and systems that may already exist."