A report into the Security and Intelligence Service (SIS) has found "significant shortcomings" when it comes to data protection.
The first part of the Inspector-General of Intelligence and Security's review into how the spy agency holds and uses information collected for assessing security clearances has just been released.
In it, Cheryl Gwyn says while there are strengths to their processes, there were also major problems around the access and use of vetting information.
"I recognise the serious commitment to privacy that is made by the NZSIS staff who undertake this difficult and sensitive work. What is also needed, and what is required in any Government agency that deals with personal information, are systemic safeguards to back up and verify that commitment," Ms Gwyn said.
"For instance, I found electronic records for the largest category of clearance holders and candidates were accessible at any time to 60 or so staff who carry out security clearances."
Under standard data protection requirements, staff should only have access to files they're working on and only while the files are active.
Ms Gwyn has recommended the SIS has stronger systems to track access to files, record and check the reasons for accessing them and making clear the conditions information can be collected and used.
As part of its job, the SIS is required to undertake inquiries into whether people should be granted New Zealand Government security clearance which is required to access classified information as part of their work.
Security clearances require the SIS to look into a person's personal and professional life which amounts to a "large volume" of highly personal and sensitive information.
"In both sensitivity and scale, the SIS’s records are one of the most substantial compilations of personal data about New Zealanders that the Government holds," Ms Gwyn says.
It completes around 5000 of these inquiries.
The Green Party says the report shows the SIS working "outside their own policies" which is unacceptable.
"The SIS holds private information on New Zealanders, including things like relationship history, financial records, medical problems and details of people's families. The fact that they have not been adequately protecting this information is very concerning," co-leader Metiria Turei says.
"Many New Zealanders should be worried about how the SIS has been using their private information and how many people may have seen it."
The Director of the SIS has accepted the report's findings and recommendations, and work has already begun on making changes.
The second part of the findings which deals with the ICT systems will come out in a few months.