Weaknesses in the NZSIS systems have been exposed in a new report which recommends operational spies need better and constant training to avoid breaking the law while protecting New Zealand.
Operational spies will now have to successfully carry out greater levels of training to continue being allowed to do the job they are doing, according to the report which reviewed the SIS compliance with its legal obligations.
The report pays tribute to the spies dedication to their duty but says legal compliance systems are "fragile". It found "weaknesses" which it believed reflected "an organisation experiencing pressure stemming from a rapidly changing environment resulting in competing priorities".
The review of SIS compliance was started after director Rebecca Kitteridge took up the role of director in May 2014, fresh from conducting a blistering review of the sister GCSB organisation. It was carried out by a reviewer from another government department with a high-level security clearance who was able to study the SIS documents and systems.
The two reviews are among a cluster of critical reports into the New Zealand Intelligence Community which came under scrutiny in 2012 when the GCSB was found to have illegally spied on Kim Dotcom and fellow Megaupload accused, Bram van der Kolk.
The reviewer's findings, which have just been released, have led to the SIS creating a "compliance team" to monitor staff compliance. It is currently seeking a manager to run the new team.
The reviewer found: "There is a collective awareness of the need to act lawfully and to some extent there is a preoccupation with doing so."
The report found SIS staff "diligent in their duties and mindful of their obligations" and that they did "their best to conduct themselves in a manner which is both lawful and proper".
But it also found legal compliance wasn't a core function of the SIS and needed to be so.
"Despite the best intentions of staff, the systems used to promote and monitor compliance are weak and mainly reactive."
The report found there were areas of strength around the agency's legal obligations but there was a clear understanding of the need to identify errors in places where it was not so strong.
It also found there was a need for "enhancing initial and ongoing training for all operational staff and linking this training to fitness to continue carrying out a role, as well as career progression and remuneration". A full-time training manager has already been appointed.
Concerns about compliance also emerged in the annual report of the Inspector General of Intelligence and Security Cheryl Gwyn. Her report, released yesterday, stated there was "no general, objective safeguard against breaches of legislation or policy and no general assurance that breaches would be identified and addressed".
It means the NZSIS is in a similar exposed position to that which the GCSB found itself when it was discovered to have been illegally spying on Dotcom and van der Kolk, who should have been protected by their New Zealand residency status. The lack of systems identified in Kitteridge's 2013 report revealed a security agency which had a patchy and often inaccurate view of its legal obligations.
The bureau is currently embroiled in a civil court action in which millions of dollars in damages are sought.
The IGIS report identified flaws in the way the SIS reported its use of visual surveillance warrants - the first time it had sought the warrants under new law. The report said the SIS were obliged to tell her it had sought the warrants. "Instead, the warrants and their supporting documentation were subsequently identified as part of my office's regular warrant review process."
She said there had been changes to make sure she got copies of paper work on the same or next day to monitor "the inherently more intrusive and therefore more stringent context of visual surveillance".
She said staff at the SIS worked hard to "act in a lawful and proper manner". In some parts of the organisation, systems were in place to strictly monitor the way it worked.