Our spies have been rapped for loose controls around the largest collection of sensitive information held by any government department which includes details of people's alcohol and drug use -- and their sexual behaviour.
The systems were so loose the Inspector General of Intelligence and Security said there was a risk foreign spies would try and access the information and use it to compromise Kiwis with high-level security clearances.
Urgent changes are underway to the system after an inquiry found a large number of people in the Security Intelligence Service had access to its collection of highly personal information on thousands of people.
The information is collected by the SIS as part of its inquiries into people needing security clearances for government work, including in the intelligence community.
To make the judgment around someone's security clearance -- up to "top secret special" -- it results in a collection of details about people's sex lives, drug use and possible alcohol abuse, along with information about their mental health or personal finances.
A report from Inspector General of Intelligence and Security Cheryl Gwyn released this afternoon was highly critical of the checks around access to the information, with a string of recommendations ordered.
It's yet another report into the security services which has shown slipshod systems -- and comes five years after a review of the vetting process ordered by Prime Minister John Key which found it was "adequate in terms of the standards of thoroughness and reliability laid down in the relevant instructions and guidelines".
The intelligence agencies have suffered in a new era of oversight and transparency with a series of reports released publicly with questions around their ability to follow their own process, and even the law.
It comes as both the SIS and its sister agency, the electronic eavesdropping Government Communications Security Bureau, are in line for law changes with intelligence agency watchers say will expand their powers.
An SIS spokesman said: "The Inspector-General has not found any indications of a breach, or improper use or disclosure of personal vetting information."
But Ms Gwyn's report raises questions as to whether it would be possible to know if it had been misused.
Her inquiry started a year ago with today's early release sparked by "significant concerns around the physical storage, use and access controls" of information collected during security vetting. A further report will follow.
She said: "The consolidated records collected during the vetting process likely comprise the most sensitive repository of such personal information held by the New Zealand government."
The disclosure of the information would have "serious implications" for the individuals about whom it had been collected, she said.
Ms Gwyn said inadequate controls around the information meant there was an "obvious risk an adversary" could attempt to access it and use it to compromise people with security clearances.
She said security staff working on vetting had emphasised to her their high levels of "personal integrity and discretion".
However, she found the systems were simply not strong enough to protect the sensitive information which had been collected. In fact, she made recommendations on changing access to information "so as to comply with the information security principles".
She said 60 staff had access to the largest compilation of vetting records for those people working in the wider government needing security clearances. In addition, there were 15 staff who were able to access the records of those who were being vetted for work in the intelligence community.
Ms Gwyn said there was broad access across electronic systems to the thousands of people working in the wider government.
The physical files in security vetting of intelligence staff able to be accessed by those 15 vetting staff with no way of knowing which file had been looked at. While entry into the file room was logged, nothing was done to show an individual file had been accessed.
Ms Gwyn said she had "become aware of some instances in which security clearance vetting information appears to have been used for other purposes". The other reasons included counter-intelligence work, which she said was broadly acceptable, and also general intelligence work.
Ms Gwyn said it was "unjustifiable" for spies to use the information collected during vetting for general intelligence work when those surrendering the details were "practically obliged" to do so.
And while there was a procedure for handling the use of vetting information in intelligence work, "it appears to be rarely if ever used", she said.
Ms Gwyn also had concerns about the use of the information for spy work because vetting officers often used their own words to tell interview subjects how it would be used, creating the risk of being inconsistent or "misleading".
The security concerns impact on thousands of people with information released to the Herald through the Official Information Act showing the vetting section was handling inquiries into 1600 people in July last year, with 420 of those in the most sensitive "top secret" or "top secret special" category. The number had dropped significantly since 2012 when a huge backlog saw it working on clearances for 3650 people, including more than 1000 people seeking the highest security clearances.