All of the systems the Security Intelligence Service (SIS) used to hold information of those it was vetting for government security clearance were non-compliant for years, a new report says.
Inspector-General of Intelligence and Security Cheryl Gwyn released the second part of her review into the SIS on Wednesday.
It shows while the electronic record-keeping systems now meet mandatory government standards, it had been deficient until an "urgent compliance programme" started in mid-2015.
"The security clearance process is unavoidably intrusive," Ms Gwyn said.
"It can require disclosure of relationship, medical and other detailed personal information. Holding that information on systems that comply with Government information security standards is a critical protection for the people concerned," she says.
"It is also important for national security that sensitive information about people in the intelligence and defence sectors is kept safe from external access and exploitation."
Ms Gwyn acknowledged work had been done over the past 18 months to make the systems more secure.
But while some steps were taken to secure the systems when they were first introduced, the compliance programme was needed to make sure it met the required standards.
The SIS director has accepted the report's recommendations, which include avoiding the same thing happening again with new systems and better internal controls of data access.
The report's release was delayed by "significant and continuing disruption" to the Inspector-General's office following the Kaikoura earthquake in November.
The routine review, which is required in law, started in January 2015, with the first part released in April last year.