Police broke the law by accessing Customs and Immigration data for more than a year when they did not have permission to do so.
The embarrassing situation saw police logging on to CusMod, Customs’ computer system, 15,799 times between December 2015 and January 2017 for border security reasons after an “administrative oversight” led to an authorisation expiry date being ignored.
It follows a December announcement by the Inspector General of Intelligence and Security Cheryl Gwyn that the country’s spies also unlawfully accessed the same database for more than 20 years between 1997 and 2016.
When Gwyn revealed the breach no mention was made of the police problem.
Customs Minister Meka Whaitiri was informed in December after asking for information on other CusMod access arrangements.
That briefing, released to Newsroom under the Official Information Act, shows that until November 2014 police staff shared two generic logins and passwords to access CusMod via terminals at its national headquarters and drug intelligence bureau.
At this point, police access was cut until a new authorisation agreement was put in place.
The reason for access being removed was redacted from the document, but after further questions Customs communications manager Helen Keyes said it followed a review of the Customs and Excise Act that raised doubts about direct access to the database by external agencies.
Once the problem was solved a new arrangement that expired in December 2015 authorised 24 police staff to access the system.
Despite this, use continued on until January 2017 with police accessing the system almost 16,000 times.
Keyes explained the mistake as an “administrative oversight” and said an audit in January found almost all information accessed by police during the thirteen month period would have been legal if the agreement had not expired.
“Of the 15,799 instances of police access to CusMod, only five instances were identified as ones where police accessed information in a manner inconsistent with the authorisation.
“Police were, however, entitled to request this information from Customs and in the circumstances, Customs would have released the information had the request been made directly.”
Following the discovery, Customs decided not to inform the individuals whose information was accessed but the Privacy Commissioner was told.
Under current privacy law, there is no requirement to notify individuals.
Inspector Liam Clinton, of Interpol, said the five times where access had been outside the authorisation scope had been to check whether a person was in New Zealand.
Police had used CusMod for border alerts, criminal matters, and Family Court orders since the 1990s and it was an important tool, he said.
Currently, seven individually-named police staff have access with the report stating: “it was clarified that individual logins are unique to the user only and may not be shared”.
When Customs discovered the SIS direct access issue in 2014 it took until May 2016 to solve the problem after the SIS sought legal advice. This latest oversight raises questions about the department’s ability to handle direct access arrangements to the vast amounts of data it holds.
Several other agencies have some form of access to the Customs database, including the Ministry for Primary Industries, the Ministry of Business, Innovation and Employment, the Inland Revenue Department, and the Ministry of Social Development.
Whaitiri told Newsroom that as far as she was aware there had been no other access issues apart from the police and the SIS.
She had been disappointed to learn about the breach and had briefed Andrew Little, who had responsibility for the security and intelligence services.
“A lot of this stuff fell through the cracks of the previous administrators but the main thing is when you come into these roles you want to address any of those anomalies or breaches and make sure going forward they don’t happen again and I’m advised and confident my Customs’ officials have got that message loud and clear from me.”
When asked why the public had not been informed in December alongside the SIS breach, Whaitiri said there had not been an attempt to hide the information and Customs had believed the matter to have been corrected and "no longer an issue".