Up until a few years ago, the Security Intelligence Service's electronic record-keeping systems for security clearances were not secure enough, Inspector General of Intelligence and Security Cheryl Gwyn has found.
Ms Gwyn has released her second report into how the SIS collects and holds that information.
Procedures were changed after the first report found some information had been accessed for purposes other than vetting.
The second report took a broader view of the systems themselves.
Ms Gwyn said until an urgent update was made to the four systems holding the highly sensitive information in 2015, those systems did not meet mandatory government standards.
"Until that certification and accreditation programme... the NZSIS instituted and operated all four systems without certification or accreditation, in breach of those security standards."
She said that made the system vulnerable.
"Overall, there was no systematic and comprehensive identification, management and mitigation of risk, or external verification of that assessment."
The minister responsible for the intelligence agencies, Chris Finlayson, said it was good to see the Inspector General had not pulled her punches.
"There's a historical element to it and I can assure you that these matters have been addressed now but she had said that it was unsatisfactory and quite frankly I agree with her."
Ms Gywn made a series of recommendations including that the SIS continue to test the systems to identify any vulnerabilities and that it should strengthen ICT safeguards to make sure the personal information it was holding was secure.