OFFICE OF THE INSPECTOR-GENERAL OF INTELLIGENCE AND SECURITY
MEDIA RELEASE – 1pm, 03 May 2017
Report on Security Intelligence Service handling of information collected for security clearance vetting
The Inspector-General of Intelligence and Security, Cheryl Gwyn, has released the second part of her report into how the
New Zealand Security Intelligence Service holds and uses information collected for assessing security clearances.
Ms Gwyn has found the electronic record-keeping systems used by the NZSIS now comply with mandatory Government
standards. The report also finds all four systems used for security clearance information were non-compliant for several
years, until a corrective programme began in mid-2015.
“I want to acknowledge the work done by the NZSIS in bringing its systems into compliance over the past 18 months,” Ms
Gwyn said. “The protections for these systems have also been significantly enhanced by wider security efforts by both
the NZSIS and the Government Communications Security Bureau over this time.
“I have found, however, that while the NZSIS took some steps to protect these systems when they were first introduced,
the urgent compliance programme begun in mid-2015 was needed to give assurance that the systems are secure.”
In line with recommendations in the report, the NZSIS has taken steps to investigate the possibility of security
vulnerabilities during the period in which the systems were non-compliant. Some of this work has been assisted by the
GCSB. “These investigations have given, and will continue to give, further assurance,” Ms Gwyn said.
The review was undertaken as part of the Inspector-General’s statutory responsibility to ensure compliance in NZSIS
systems. It began in January 2015 and part one of the report was issued last April. The part two report released today
was deferred so that it could take account of the NZSIS compliance and investigative work.
It was also delayed, along with other reports, by significant, and continuing disruption to the Inspector-General’s
office following the Kaikoura earthquake in November.
The information stored on the NZSIS systems at issue is collected from people undergoing assessment – “vetting” – for
government security clearances.
“The security clearance process is unavoidably intrusive,” Ms Gwyn said. “It can require disclosure of relationship,
medical and other detailed personal information. Holding that information on systems that comply with Government
information security standards is a critical protection for the people concerned. It is also important for national
security that sensitive information about people in the intelligence and defence sectors is kept safe from external
access and exploitation.” 2
The Director of the NZSIS has accepted all of the recommendations made in the report. These include steps to avoid any
repetition of bringing new systems into operation without ensuring their compliance, and development of better internal
controls on data access.