"?pso'uissiritp 23 APR 2013 ?aesmereow FMS 74 ACE NZSES 8 Dit1521-G-4939 New Zea] and Serv1ce Te Whaliamaz'umaru Briefing note Date 'iOJUiy 2015 To Minister in Charge of NZSIS From Acting Director of Security cc inspector-General of Inteiligence and For your Information Purpose 1. Attached for your Review of Compliance and the intended next steps-for i925IS'fdllowing-tine Epipi?bval of this report on BOJune. Background 2. in the Rebeccais appointment as Director of Security. she raised the issg__;e processes within NZSIS. in the absence of a centralised function Rebecca then commissioned a review of NZSIS icy practice, to provide assurance that operational activities are undertaken witlgm its powe'Fs ghat adequate assurance and safeguards are in place. 4. Lev? found no instances of non-compliance at However it did identify g'aps'??in the systems and processes for managing compliance, as well as rec mme?tiations for improvement. he final report was presented to the Director of Security on 30 June 2015. Rebecca 'pproved the report and endorsed the recommendations. 6. A copy of the final report has been provided to the inspector-General of Intelligence and Security. Page 1 of 3 23 APR 2018 ace NZSIS 014321454939 iiZSiS is 7. A copy of the final report has also been provided to the external chairs of Audit and Risk Committee. Next steps 8. As the review comments in detail on areas of operational capability and methods, public release of the report (or the majority of its content) would be prejudicial to security and therefore subject to the withholding provisions of?Officiai information Act. Therefore an unclassified version of the report, summarisin with ?findings and recommendations of the review, is being prepared for wider release. this report will be forwarded to your office and to the inspector-Generale.-. n'ieiligence and Security. - 9. The full report may also be of interest to the Prime Minister's Office. but leave-i:- further distribution of the report to your discretion. 10. The full report will be made availabie to NZSiS-aaz; July. ii. Once the full report has been released be will consider publishing the unclassified version ofthe egcteriani wepsite. This will be coordinated with any public or media rele'asg inspeicitor?ge??fal of intelligence and Security, as she will make a compliance review in her Annual Report. 55f" I 12. The review makes 45re?pmn?ndations. plan focussing on what needs to be achieved in be developed, in consultation with senior leadership teain'fi'IAsZ,part ofwe be recruiting a manager to implement this initial plan, and 12 ~18 months. it is intended the initial plan will initiated by 31 August 2015. A copy of the ?clai?d to your of?ce and to the inspector-General of lnteliigence__and it Note of the Review of Compliance Yes/No Consider fu?ther distribution (to the PMO) Yes/No to provide an unclassified version of the report Yeero Note that a copy ofthe implementation plan will be provided to Yesto your office in due course 42- w" ?HA-Etlng Director of Security I luv Page 2 of 3 DECMSSIFEED ace. wasas 2 3 APR 20:3 'Il-?humi? 7?1 mam-6.4939 a NZSES Comments. Page 3 of 3 .. ?m - o' p? yum-? r- . 18 WMUEGRE.IM New Zealand Security Intelligence Te P5 Whakamammaru NZSIS Review of Compliance Terms of Reference November 2014 Objective The obiective of the review iS to provide-the Director of Se u: it; with assurance that Service?s operational activities are undertaken within.=visfs powers adequate assurance and safeguards are in place. risks. recommendations for improvement will be that the Service has a robust, coherent compliance frametivor-k, Giliifh lS For and supports the conduct of its business. Rationale for The Directg? seeks assurance that the Servuce is a compliant organisation in respect of (The 1969) and its operational policies. Robust internal compliance to the effective operation of the Service and the liitjpijgy?i?t??idt Framework (PIF) Review stated that the Service must look ?croi?iptljance in based on explicit consideration of risks, and ensure that it continuously improves compliance frameworks, training and p'r"5"'cessesv ?Eii'ie highlighted the need for appropriate compliance processes to mover bgtl?i vrar,_t_a__ ted activities and Service activities that are not subjeCt to the warrant ?the reviewer") has been seconded to NZSIS as Compliance Advisor and has - to review the systems, processes, procedures and capabilities that underpin the Sept/ices operations. ?v_ljo.._nn 1'9? i Mil i? non-v] Page of 4 gar: "mi-w omva I I._l uni-Ll it The review will be limited to the matters set out above and will not focus on the: a performance of individual Service Staff members (except to the extent that it is necessan; to describe systems, processes and procedures relevant to compliance); or a corporate services functions delivered through Intelligence Community Shared Services compliance is adequately monitored through the annual audit process undertaken by the Audit Office. lnterdependencies The NZIC Strategy, Capability and Resourcing Review (SCRR) is currently-"being undertaken and SCRR outcomes are expected in February 2015. This time?igai?i'ie does not coincide with the anticipated timeframe of the Review of Compliance. Reso?gfc I Service Compliance Function as part of SCRR can therefor d?hiy. be pproxima?t??d. Resources The resources provided for the review are: Legal support through the Services and Protect support through Executive ?ssist?nt (DPAF Advisory Group The reviewer will the period of the review. The report will be delivered to of An Advisory :Fheet the course of the review to consider review progress, anti The Compliance Advisory Group wili comprise: oi?i-?etto?r of associate "'lil'IZSiS Enablement, Gene-tel Counsel, NZSES associate Director, GCSB finai conclusions and recommendations will not be subject to direction from Director or the Advisory Group. A?proach? process and Timetrame gtattrsezarr. v.1. ?3 5.0-5 sync?? .nnon .1: . v- . 518' it Page 2 of ?1 haematite" 23 APR 20:3 were a The reviewer will have fuil access to all relevant Service staff, systems and documentation to support the review of compliance. If it is deemed necessary the reviewer will have access to relevant staff and documentation within the wider including the GCSB legal and compliance teams. The review will comprise the following phases: a Phase 1: information gathering (read reievant documentation? accountability documents, NZSIS Act, 1969, operational policies; engage with relevant staff across all areas of the business; engage with key people in the centgallagencies: obtain comparative information on compliance, assurance and oversigh other agencies and/or jurisdictions as required) a Phase 2: Testing of preliminary conclusions and recommenciatiopsi-(epga staff and external staicehoiders) a Phase 3: Draft report (provide draft report to Director of Security? [3d Advisory Group, discuss with Advisory Group) - Phase 4: Finalise report grog with en" report The": indic ative It is anticipated that the review will be conducted over will be delivered by 12June 2015 - this allows sfm'as shutdci?irm timeframe is as follows: a Phase 1 2-51 Nov 2014 - 31 March Phase 2 i a 2:1: April 20i 5 Phase 3 24 April - is May 201 5 Phase 4 15 May ~12June 2015 Any changes to the timefrargievt' he In agreed between the reviewer and the Assocrate Director. 71:41.1- A 5.1m . .. .. DRIFHET Page 3 of 4 ?secriegirim a a 23 an livich ZS i 8 r5? Acronyms New Zeaiand Security and inzeiligence Agency GCSB Government Communications Security Bureau New Zeaiand Community; SCRR Strategy, Capability and Resourong Review DPAF EA to Associate Director and Deputy Director Strategy Performance Improvement Framework Human Intelligence UD- :11.ch .AHI ?a "uni" lit-1 I ?Ii??73:33:34?- Page 4 of 4 i . -L- a341,.? 86(3) New Zealand Security Intelligence SerV1ce Te Whakamarumaru Revi ew co pleted 30 Ju Unclassified summary 30 mber 2015 Contents SU Review?"' Director's 3 3 Recommendations ofthe 4 6 7 Annex One: Compliance Review Methodology Introduction Soon after taking up her appointment in May 2014, the Director of Security initiated a review of the compliance systems and functions in the New Zealand Security Inteiligence Service A reviewer, seconded from another government department, was brought in to conduct a thorough examination of NZSIS's systems and processes, measuring those against what is considered a best practice approach to compliance. The resulting report from that review is claseified SECRETNNZEO (New recommends ways to strengthen systems and processes. The cietailed__inf0' classified report, if made public, would expose vulnerabilities wit-hint" adversaries. The classified report has been provided to the at intelligenc and Security who is required to make an annual ment of'ii'the intelligence agencies' compliance syStems. Recognising that is congmit__ to being trapsp about its work where it can, the reviewer has prepared I Iii'f?d pu Iii-Iii: release. This unclassified report is set out below. I Summary of Review All state sector organisations muSt comply with thee-i wit-and dempiji ti?ate'ic'ompliance to the public. it is well undetStooci at that thg?i nis'?'tion as wl its individual staff members must act at all times in both law-{foilg5nd proper me. The necessarily covert nature of many of the activities and sed by exercising its statutory powers, however, means that its Eaii?ot gepei'aiil'y ?bbjected to public scru tiny. in order to maintain the publiftrust-?gand confidg' is critical to specific oversight arrangements are int-plaice, to is attached as Annex A. The best practice compliance eiivork used The reviewer was given ly__:ZSiS material. Staff contributions were sought through and written feedback and this process was well SLippOi'E?dT The viewer rep'b _ed Qpen and frank discussion from all levels within the organisatio "Eingpi?ehensive obtained by aggregating feedback to get a sense of the dyerall "position. Understanding of compliance varied at different levels within and across t?i'ia" 5 organisation: evidence of {nor was given any reason to believe there was) within NZSIS. There is a collective awareness of the need to act xtent there is a preoccupation with doing so. While there may be nee?g of non-compliance, the need to identify and manage these situations is weli= Iiirnd'ersEEod. Several areas of Strength were identified where the exercising of statutory i'ppwers intelligence warrants, other forms of operational activity) are and subjeCE to robust approvals processes. and SECurity Committee of Parirament, the inspector-General oi inteiligence and Seturtty tiGiS), the Commissioner of Seturlly Warrants. Off ce of the Ombudsman. Office of the Privacy Commissioner and the Auditor- Generai .. . The review found that systems and processes need strengthening to provide a systematic and standardised approach to compliance, highlighting a number of specific examples that would benefit from strengthening and standardisation. The review found that staffare diligent in "their duties and mindful of their obligations. They do their ?oest to conduct themselves in a manner which is both lawful and proper. The review found that there is no intention on behalf of staff to act in ways that are other than fully within its statutory powers. "Ali staff have been frank and constructive to their discussions with mesonaf providing feedback. My inipressrons are that NESIS staff are very i'the 'oie?'i'ithey plogi; protecting New Ze alanar and enhancing its interests. They want to inipravrng on developing for the future and are highly motivated to their ?rnctio competently and in a compliant manner. The organisation's ability to maintain full onitor compliance, however, is described as fragile. best intentigns the systems used to promote and monitor The organisation therefore carries some risk of non-c ?piiange The weaknesses identified were found to be syni'pgtom?atic of experiencing pressuze stemming from a rapidly priorities. There is an inconsistent of obligations across the organisation. Guidance is often others [ijna colleagues, or the legal team) reactively because access 'Ieiliensive, centralised policy and guidance is limited. . The reviewer recommend?da mam establishes compliance as a core business funcrion. is the emphasis we already place on accountability. ownei?gijigp'iand ity. Where sy5tems {tongs es area'sgrong teneecl to monitor adherence to maintain these systems are weak we need to have a centrally high standgr'asa who; to continuo'dsilyiidentiiy and address areas for improvement. Rec cl a ion evi ew: eviewer ngiimbei of recommendations aligned with a besepractice compliance 'fi'a epic: it, follows: Senior Leadership Team to make a commitment to compliance through? st'abiishing a compliance function, located in the Office of the Director. reporting ?0 cheessociaie Director, and separate from the Legal Team- Deveioping a compliance framework, and a correSpancling compiiance programme. to incorporate compliance activities into the internal operational environment, then setting compliance objectives and measurable targets to meet these objectives. ontinuousiy assessing and monitoring compliance obligations y: Supporting com pliant behaviour and preventing non-complian ce through: Reviewing work prevtously undertaken to determine compliance obligations, keeping the record of compliance obiigations in one easrly accessible location, whether a register, database, or Other form of coilection, and a system for regularly maintaining these compliance obligations. Esta a legislative policy function. Operational policies Strengthening the operational policy framework with policy runction, ensuze there IS cenrlalised responSlbillt for identifying operational policy requirements organisation-aideg policy development, endorsement, and maintenance, and oversight for all" guidance stemming from operational policies. a Addressing immediately the operational pollcy,,. the course of, this review. ., Requiring the operational poiicy iunctign I {Iain an and centralised database of all Opei'atiopa' Procedures, other operational guidance documents and other agreements affeCting be cross?referenced where applicable and Storederceijitrally'1 not dissiptiiyzdual's Training Enhancing i?ngping traipm for operational staff, and linking this training to fitness car: as well as career progression and remuneration. a Suppogting the" irr'i?plenlentgt'i'b?' formalised training programme by providing terjp?il Quality assgrange appropPiagal-"training to enable them to carry out their roies effecti'yely The Lega?lteam, and'the Operational policy and compliance areas, should a'lSP closely with" 'aiiling staff to feed into training programmes. level of detail and responsibility is expected of each existing . ssur?hce, advice, and role, and incorporating compliance into the expectations for these roles. if the expectations on these capacity, the numbers in these roies need to be increased, roles I or alternatives created, to cover the gap and residual risks. compliance and detecting non-complian ce y: Developing an internal audit programme and annual audit schedule, covering both basic processes and quality of decision making. Results to be communicated to managers, the Senior Leadership Team, and the [(315, and fed back into ongoing improvement of the compliance programme and framework. .. Strengthening mandatory within ail operational policies. including more clarity around the purpose and for all those involved. a Encooraging and supporting business improvement workflows, and enforcing the use of those in existencer to ensure better racerds and auditability. Responding to non-compliant activity by: a Directing the compliance function to be the central escalation pointgj. __q__i_5.eporting potential and actual compliance issues, maintaining a register, reporting findings to the Semor Leadership Team, and feeding findin cl compliance programme. The compliance function to deveio operational staff. Strengthening extern a! reporting by: Clearly articulating for reporting or "tiainon. compliance and overall performance of the cop?r?pli?njge lGiS, mandatory reporting expectations, and expec-""_ performance agreements. These i) on, with the iGlS. in ?oiicy and comma ica't agreed MeosuringimpmVementby: 0 Measuring performance of the coigi'plignce programm__ against the compliance objecrives and targets. Requiring to be responsible for monitoring this information audits and reporting this to the Senior Leaderiship-Ieam. Continuoust improving - a Requiring the Function information gathered through the monitoring, and back into the compliance programme prioritised by risk, and delivered in line with m??e of so that progress on this can be measured. Re 5 pp :3 'r'?pgrt provides "classified summary of a report that is comprehensive and lam li?i'?agrteined to see the review confirm the dedication and hard work of the NZSiS-?iand th?e'?iindfulness of their obligations to statutory compiiance but I can also that thgr? work ahead of us in order to implement a best-practice compliance .131; Iateful for all the work that went into the review, including specifically the wreck Reviewer. accepted all or? the recommendations of the Report. The is now recruiting a team to support delivery of the full recommendation programme. Annex One: Compliance Review Methodology Assessing and identifying compliance obiigations: The first step to ensuring compliance mus: be establishing the compliance obligations created by the particular operating and legal environment. This should include mechanisms for regularly reviewing and updating obiigations {0 take account of new and amended legislation, deveEOpments in case few. and other developments that have the ability to affect the way an organisation operates. -- Supporting compliant behaviour and preventing non-compliance: Once compilance obligations have been established, staff must he [JfOVldEEi?-?Jlil I te support and toois necessary to comply Wlih these obligations. Support for staff hide: a readily availabie information on compliance obligations that is can applied easily, with clear processes, consistent across the organisation. enact-351.1: a enc0urage accountability, appropriate training, and effective quality assurance mecha?is ns. Monitoring compliance and detecting noncompliance: Despite this fundamentai support. non-compliant activity citizen-ever Je completely p? vented and organisations need systems and processes hrough appropriate audit and review processes and excerni?fl over: identifying?align?compliance shOuld also lead into reviewing the effectiveness anti- pijiateness of existng ccintrois. Responding to non-compliant activity: Where non?compliant activity or issues affecting aretientified there must be clear procedures for escalating and addressiri?" these These procedures must 5.: encourage accountability and self-reporting. External reporting: Where non-compliance has bee?i?i identified addigesiseci this should be reported to an appropriate externai authority apt! statistics mascjzezrg,public. There shouid be clear internal guidelines and [1115 reporting Measuring: co: pliance in a way that allows an organisation to understanditss "ength anti weaknessesf?monitor trends. and identify areas for improvement. Le: oils? ie_ai:ned throug compiranca cycle should be continuousiy fed back into the is1ti'b'n to im J'F'ove blitzes. processes, training. systems and Other controls and supporting New Zealand I Security intelligence Servzce Tr: P5 Whakamarumaru New Zealand Government a . . - smell Briefing note Date 17 August 2015 T0 Minister in Charge of the stis From Rebecca Kitteridge, Director of Securi?; Sl?illect NZSIS: The Year Ahead Your Noting New Zealand Security Intelligene? Ser Purpose 1. This note sets out my the chalienges nd opportunities for the NZSIS over the 2015/16 finangial?-ye?ni ?heinote the organisation has achieved. It also risks continues to carry while we work on strengthening its .syst'?ms and and to build its operational capability. 2. The significant [5"'rog1'ess over the last twelve months. Organisationally 15 in a considerably stronger position. The Foreign Fighters has recruit new staff and purchase new equipment. This "iiv?..5tment is incre'?si'hg'lii enabling us to investigate more high priority counter- $5m per annum provided to the in Budget 201 5 will - as start through the recruitment, vetting and training pipeline (Le. over the__pe3it help us to meet some of our critical funding pressures. including vetting staff retention and implementing the PSR. very confident in the NZSIS's plan to meet the challenges ahead. am aiso __9nfident in the staffwe have, including at the senior level. Nonetheless, it is important . that you are aware that, in the context ofthe threat environment we are facing, the capabilities will continue to be less than the demand on our services. We will need to continue making dif?cuit prioritisation decisions about which targets we investigate (and for how long). and which we do not. These decisions are despite the strong sector support we are continuing to receiVe. Sectoral support has been essentiai .. 4? 1411?}: Win-'1 \I'u 54V YVI 1.3-- tut UhVIu??l Page 1 of 10 DEUKEI ml! F-Uw??w? - - cans?nun.) but DM821 W1 for undertaking high threat Operations but has had some impact on the operations these agencies would otherwise have undertaken. ?9w? a manage the increasing operational tempo associated with the growing number and seriousness of threats (especially, but not only, counterTfe ron?r?); . continue fixing and building core systems and progs?zss?es (including pliange. remuneration, corporate iT, security, and opetgtio?'a angle-lament capability ?as well as meet the considerable (recruitment and rgi?ntid 'c gr'6w_i_ng'staff numbers associated with the additional Foreign{alfigifiiter and B'Gdgletj 5 i?vestment; a ensure that the key programmes to enablefg?e. to meet-the gSii'ernment?s future needs (the SCRR and the 2015?5-Re?iew) are successfuil- Page 2 of?lO Page 7 of?lO 35; Van placed? 23 APR ZUEB Systems and structures The next year w? We have made si gni II also see ongoi fi . ?Tweet. Improvement Framework none of our core functi ng work on enabling systems cant progress overt ons were rated as he last twelve months in the 2014 Performance strong? or includ I well ing on rhi530229management Inanc IT systems and newf JUGS, HR poi? ion, irect strategic systems Some of the key areas of focus DUI ll be: i in 2015/16 icularly (part impede our work and ion processes Isat in legal author dent ies of underiy the chances of human e1 ile I am conf there an increase :Wh Nance ants), Comp therefore 13 a ser ing systems that - vvan tems that should ror (such as manual is now complete a iew improvemen lance rev' internal compl ing staff Our cl IE the process now of recrui a i impl be automated or programme. 0 manage an take several years however a arezn 1' ill ing from the new powers and capac lance rev' ing the compl implement ity-of'the-off we ht aris General of the Nonetheless, lg eased overs' 1 The of the inspector- (65 is undoubtedly posi ive for (lGiS) IS resource me igence Serv? lntell tensive'at a time when . %n to revrews' ion have neve Ing respond JCE. the Serv isat the organ ldemands on lODa the operat . 0E1 (DUES 36 Page80f10 03.5521 '39 ew Zealand Security Intelligence Servxce Te PEI Whaitnmarumaru Date 29 October 201 To i-lon Chris Finiayson, Minister in Charge of liliSiS" Fro Re be cca Kitteridge, Director of Secu cc Cheryl Gwyn, inspector General of and Subject Purpose 1. The purpose of this youof error made within the N255. and ofthe steps i have take'? since Iii-earning aig'i?out it 2. Last week i . :?iialI?Reb'o?Ft of the inspector-General of intelligence and Security. us with the draft so that we could correct any factual inaccuracies. paragraph: war-rash; were issued during the reporting period. did copy of Ehese warrants to my office. inStead, the warrants and were subsequently identified as part of my office?s process. In response to that incident, has now Iiiate arrangements to ensure that i am provided with a copy of any the day of issue or on the next working day, if it is impracticable to ay of issue. We also took that opportunity to ensure that appropriate art?aTigg?'?'eh'ts were in piece for immediate notification of any authorization of .emerg?'iicy warrantless surveiliance under 3.-- ASH-you ltnow, provision for the issue of visual warrants was inciuded in ""t'hg'i'NZSiS Act in December 2014. Visual surveillance warrants may be issued for the defection, investigation or prevention of any actual, potential or suspected terrorist act or of a terrorist act, where certain condition are met. Since this provision was enacted in December 2014, two visuai surveiilance warrants have been issued. Section 4lBi9) ofthe NZSIS Act 1969 provides: Page i of 2 . . - "Director 59 "As soon as practicable after a visual surveillance warrant is issued under subsection (1), the Director (or the person for the time being acting as the Director} must provide a c0py of the visual surveillance warrant to the inspector-General.? 4. In my view, ?as soon as practicable" means ?forthwith,? and i would expect the inspector-General to be advised on the same day. My preliminary understanding in this case is that the Office of the inspector?General learned of the warrants four days after they had been issued, when NZSIS legal staff provided the staff with a copy of the register for inspection. There followed some exchanges between the legal Office of the inspector-General, but neither the Associate Director nor _l inspector-General had not been advised of these warrants on the day they I 5. have asked the Associate Director to look into this matter anal-to a report about what happened, why she and i were not what steps hay? been taken to ensure that proper process will be followed in the futu 6. i wish you to know that I deeply regret that mpiy this irting requirement. Parliament has provided the is very important that we comply with our legal responsil?mitiesl'? ov?isight 01? those powers. While there is no suggestion from the that these warrants were in any way imprOper, she should have had the310pp?ttu?ity to stheni?ilon the day they were issued. i can assure you that that will Ha pp'i'emn the future. 7. Although it doesn?t excuse the situatip?, of context that the small legal team in the Service hasibeer} under signi?c??: rl'?s?sulre because ofthe increased operational tempo. Recruitment-lief additional lawlersi-hast-taken some months because of the security clearance process. __EW?liifage?laiso of setting up a compliance team following the review. i am confident that these additional resources. will st systems and processes in relation to legal compliance. 8. will advise the internal review when i receive the Associate Directors re?o t5" ?lcca Kitteijidge Page 2 of2 moment's 23 are 2033 New Zealand Security Intelligence Servmm Te Pi Whakamarumaru Briefing note Date 25 May 2016 To From Rebecca Kitteridge, Director of Security For your information Purpose in August 2015? I sent you a repoii'i't on the chailenges and opportunities for the New Ziealapcl Security lagte'lligei'i'cg""Sewice (NZSIS) cluring the 2015/16 financial year. and algirtecl y'i'pu to the 'h??trthe organisation was carrying. 2. The purpose ofthis a. setout the 'lElcleSJUC-g[119165 report; in. adviSe and challenges as we head into the 39-35657 5?95? all?! our plan for tackling those Opportunities and ChallengeSEand outline the risks Isflig?tyt'e continue to carry, and how we are managing those risks streng systems and build our overall capability. K73 c: co ry Since the NZSIS has made consiclerabie progress, borh operationaliy and in its organisational infrastructure. There is still a long way to go to teat-l {he level or' systems proficiency and capability that i want to see in the 'rgani's'ation, butwe have made huge strides along the road over the last year. NZSIS continues to carry a significant ievei of risk, including an increasingly compiex escalating threat environment, weak systems and processes in some areas, on resources across the organisation, chalienges to our capability to collect information, and the impact or? ongoing change on our staff. A I "9 . w. int-?rm, r-.n 1 WLJH aural?HNU I: L10 In a. operator-is Pagei of?l?i 3v?. ?3.6 a A. 'Ne ?zzrv, DECLASSEFHEB 23 MR 2018 Background hat thegyea'r-iahead was set to be t' 3. in my August 015 brie?ng note, i advised you exceptionally busy in terms of SIS would he required to devote significant - them Its. COI GS I). fixng key systems and the "i 1p WI 'h'p?liance function, I?eiationsh i ?0 Q) r? .3 J. 00'. ty (JGISJ and staff engagen?:ent; and . lnSpettor-General Of lnt'eliigence-and IVE 1; l8 gto? 0 ml in on BSD uture I i he a. for :{om'nent i the NZSIS coufd- become the ms! 'atlnge'ew 5 Opel i 5 2 1m pac age20f11 I pecmsanen 2 3 I ur? churn. Eta-115.4! s, ?I'hh?hl?it?w l-(ey systems and structures 14. in August 2015, I identified weaitnesses structures within the NZSIS that were a source of have focussed on addressing these issues. in hays-made big improving the leSiS's compliance function, our relationship?wiitl?i iGlS ancijistaf "engagement. Compliance '15. in June 2015, the NZSiSitetiri'npie'teglran of compliance. As you know, this review identified a lac? guida?fge, pig?cedure and oversight mechanisms. Because of its intigiiswe staifitory 3nd?*?Eibsence of public scrutiny, the NZSIS needs to have a stfb?i?'?g to ensure that the Government, the lGiS and the wider-tijhigiligunj?ii??r assure; is acting fuily within the extent of its bowers. 16. We have "ripvrd?velopgd and established a dedicated compliance function within the will and manage a compliance improvement programme The?E?i?oGrain?le is extensive and completion will take several years, but 'WSi'k underw?? "Some key developments include: year we have developed, in conjunction with the GCSB, a compliance fi'ag?evrgim for operational activity and a policy framework. These documents deli-he responsibilities for identifying compliance obligations, auditing, reporting :ompliance incidents, and for the development and review of policy. Additionally, a stocktalte of operational policy and procedures is almost complete and a review of HUMINT policy and development of standard operating procedures (SOPs) for the HUMINT Branch commenced in May 20?16. The development ofthese SOPs is expected to take two months and will he used as a model for the development of SOPs for other areas of the PageBOf?li E?Eota?sair?w' - 23 APR 2023 . as were me ?rs-Mow; ?m a: c. Overall we expect to address 26 of the 45 recommendations made in the 2015 review of compliance by the end ofJune 2016. implementation of the remaining recommendations will be completed by June 2017 (noting that some of the specific policies and procedures that support the new compliance regime will need to wait until we have certainty on the new legislative regime). 17.I am hopeful the 2016 [6:5 Annual Report wili note that there has been measurable improvement in the NZSIS's compliance procedures and systems. Because of the extent of the programme and the changes in our legislative framework, however expect the wiil certify the procedures and systems as fully compli 'n't until her Annual Report in 2017. -- interviews, and so on. Relationship with the 16/5 Given the on our resources 13 with carrying out other Page 4 of 11 23 are 2013 Murray-itemize ., a in." 51. We are also addressing scrutiny of the arrangements that the NZSIS has with Immigration New Zealand and the New Zealand Customs Service to access their information databases. The iGiS has recently provided us with a draft report calling into question the lawfulness of these arrangements. We are currently working with these agencies, the Ministry ofjustice and Crown Law to address this issue. if we lose access to these datasets, it would severely undermine our capability to investigate security threats to New Zealand. Concluding comments 54. We have made in l3tillding'tiheicapability of the NZSIS to meet the chailenges of an demand on our resources. While many of these praglamines-a re oijig?in ?andwwill require ongoing effort to complete, I believe they will. the {xii-Sis eing well placed to carry out its functions - 55. Given t'h environmen security intelligence agencies work within, the will always be exposed to some risk. Accordingly, we expect to continue to be totirisl: in including: a. legislation. policies. agreements and oversight arrangements; - reiguired to address the challenges we face, we have an active programme of work to ov'ei'con'ne these limitations. This work includes addressing the ?five big rocks? and completing the various initiatives aimed at enhancing the operational capabilities of the NZSIS. i773 new XE iti?i'?E Ek.? -- 4 .o -..-. lul Ida?urtlus Page 10 oi?i?i oeotasszneo? 23 ?ti?R 2818 4's I 3? Ln .?mm 35-32 as: '3 u??n c?l 3: n4" New Zeaiand Security Intelligence Serwce Te P51 Whaitamarumaru a: are: {are as: - Briefing note Date 12 September 2016 To Hon. Christopher Finiayson, Minister in Charge of From Rebecca Kitteridge, Director of Security I I For your information Access to Customs Database Purpose 1. This note advises you that i have into implementation of senior: 280M Customs anet-exttie-gait?; which provides that for counter-terrorism purposes the NZSIS may have to the Customs database known as "CusMod," once certain te'Ehniic-aii been satis?ed. Background .2. You recall 2112014 inteliigence and Sec?fitygquf?is'tioned of .c to! a Sgt-2w I I 11331: thewav?o?id?nce of doubt a provision was inciutiecigin the act: ge of Foreign Terrorist Fighter legislative reforms that was passed in late 3014f""Rautborising direct access to CusMod for counter-terrorism investigation is section 280M of the Customs and Excise Act and the Inspector-General of {Otis-standing. rum Sectiop sets out a number of technical preconditions, which are required to be m??t befotga-i- occur for counter~terrorism purposes. Among other things these preconditibgsinc-lode Customs and entering into a written agreement detailing how .. Direct access for any other purposes (eg. counter?eSpionage} was required to cease the enactment of section 280M. Page 1 of 4 an of-iSecurity JILHJN. .H, h; ?i mussfiren a: was a internal Review 5. Our discussions with Crown Law and the about access to CusMod (and the connected issue or' access to Immigration NZ's Advance Passenger Processing database) have been ongoing. In the course of the work on these issues, 1 have been advised that may not have compiied with some of the technicai requirements of the written agreement that we reached with Customs under section 280M (for example, the requirement that there be individuai iog-in requirements). 6. When I became aware of this issue, I took immediate steps to ensure with the Agreement. 1 am now confident that is compliant with ali ?nj Agreen?ient and section 230M. 7. i have initiated an independent fact?finding investigation to determine how section 280M was implemented, whether errors occurred, and if so Den-5530119 Blidni-i?liat lessons can be iearned. The investigation will be conducted byes": ?legendent andig,ngteifij?i resource provided by NZDF, and the report is expected be 2016. _u a 8. After receipt of the report. i will take, including whether it is necessaiy to commence a into the acts or omissions of any staff, 1 will let will 5130 the findings to the Office of the anti the Office 1e Privacy an? 5:51:36", as appropriate- 9. I should add that the Service ?3 the legisiation that is currently Our better resourced! we now have a compiiance team, and dedicated '15roje?c't'itearn that is fully resourced and focused on ensuring the new Acr. The review is, though, an opportunity to test processes and to in'iprove them based on any lessons Rel; Iii-titeritige Noted Hon Christopher Finlayson Minister of the 9. m6- A t't information specified in section 282(1): information (as de?ned in section 282D): smegma 23 in? MB a ZSES a 280M information for counter-terrorism investigation purposes (1) The purpose of this section is to facilitate access by the New Zealand Security Intelligence Service and the New Zealand Police, for counter?terrorism investigation purposes, to information stored in a database. (2) The chief executive may allow the following persons to access a database to search for information, including personal information: for counter-terrorism investigation purposes: the Director of Security: 1 or more suitable employees or officers of the New Zealand Security Intelligence Service designated by the Director of Security: the Commissioner of Police: i or more suitable Police empioyees designated by the Commissioner". (3) Before aliowing access to a database in accordance with the chief executive must enter into a written agreement with the Director of Siegurity or the Commissioner of Police (as the case may be). (4) Before entering into a written agreement under subsection; must consuit with the Privacy Commissioner. (5) The Director of Security and the Commissioner of Poli steps to ensure that?- a record is kept of?? 3e . n1 i) every occasion on which persons access a database; grid ii) the reason for accessing the database; and the identity of the person who accessed: e: tabase; and b) every person who accesses a 5) seafChes 011'? for information for 'rism investigatio i purposes; and - (ii) complies with the terms of agreement-ijfef?irggi "to in subsection (3). if (6) in this section,?- access a database access cou nte r~terroris inv?stig attiaif?ipurposg?sgrn e'ai'h'??the etection, investigation, and prevention of art at; su" pasted-? terrorist act; or facilitationpf?a tefriirist' act database mef?netaW?i?information r?icgr'ding system used by the Customs to store informatid'? Directpinf Seg?fity ineang?ttge Director of Security holding office under the Iti'teili Service Act 1969 gin?- )?ftytin-formati?n held ?By-the Customs that relates to goods, passengers, Gift-Wu 0r Graft-az??' movements: (ii) any othQ?b?ng?""felated information held by the Customs; and not limited to,? arriva_i__ information: (ii) i?fgfiimtidh the Customs is entitled to view under any of sections information collected or generated by the Customs in the course Page 3 of 4 necessaries 23 are 2013 was mg, detecting, or investigating border-related offences: of pr but (0) except as provided in paragraph and to (iv)l does not include information which the Customs is not entitled to View under sections 386 to 38K terrorist act has the same meaning as in sect?on 5(1) of the Terrorism Suppression Act 2002. (7) This section is repeated on 1 Apri! 201?. . he'd Page 4 of 4 rm?. W. {-46.7313 .g-?gql . ,{wm?g ""?fmiot?cur DUVLlul?s?h lur CICUHEI 1.1105! rear-'er. rm? New Zea] and Security Intelligence Sermce 'I?e Pit Wha ka marumaru Briefing note Date 25 October 2016 To Hon. Christopher Finlayson, Minister in Charger?f From Rebecca Kittericlge, Director ofSecurity For your information Annual Report Purpose 1. This bl'iE?l'ig is to update of intelligence and Security (lGlS) to {annual Report which criticises the NZSIS for the length of time engage-with and-"resolve, the access to information contained in th Cust?ims saute: computer dataset and Immigration New Zealandi??clti?nce Basse?geLE-ibcessing clataset Further, the purpose of this brief is in relation to the iGiS?s comments on this matter1615 has provided her Annual Report to the Prime Minister?s g'before ngse of Representatives on 3 November 2016. I also tincleistand"fitlgei'hnnuai R?'po' a statement to the effect of: race was hoggeuer'bn area which caused me significant concern. in eariy 2015 r? raised a serious question aijqfiir when;eii?cerzain aca'w?n/ was lawful and, if not, now that was to be remedied. i raised waif he Director in june 2075 and provided the Director with detaiied provisionai ?ndings a? my iriei'i'r of the iegaiity of the activity in August 2035. The Service provided its first substantive resisanse in March-Aprii 20 i 6. I app 'i'cigte that the underhring is compiex and that further substantial work is underway fine au'tsronding aspects of the questions that i raised. Howevei; and regardless of the uirimare anciusions an the ialsi?uiness of the activity in question, the time taken to engage with and resaive N's" signi?cant issue is in itseif a matter of concern to me. in order to ensure that it operates =iaz-srfui?s the NZSIS must be abie to deai Wiih such questions in a more (inter)! way. report more fully on this issue as soon as i is passibie to do so. I I Page 1 of 3 ?P?m Mug.- 5. n} a n-u-utrn gar-s? As- - a as.? tiff hilt?: HmAan n37.5th ?ltl? )(Wn . L. Summary of position 3. (copies emaciated). result of the eatensive consultation the has undertaken with other government departments 39 The position in respect of the lGlS's comments is as follows: c. The has undertaken a substantial amount of work to resolve this is NZSIS sought advice from an external barrister and Crown wloelv with other aeenc'es a stalgehoIdersn?sglzilli j's'u e. The 1 The accepts the jurisprudence may be in the process of shifting and it as undertaken substantial work internally to ensure leg e. The fact that the law is so difficult to applvin an operationally. example of the legislation not lJein My briefings pclatecl vou mall} developments relating to this issue The time taken to engage and resolve the issues raised by the %n 2015 is, in part, a . . .e guru?rueu Page 2 of 3 1mm 8. The iGlS?s Annual Report does not mention, for good reason, the resource constraints was suleeCt to when first dealing with this issue. i note that since this issue first arose the N2515 has established a compliance team and the NZSIS legal team has increased in size. i would therefore anticipate, in future, the would have additional resources to deal with matters of this level of complexity and significance. -- Recommendations is reconlmended that zou: 1 Note The Annual Report is likely to include comments critical of the timeliness in dealing with access to APP and datasets. 2 Note The View of this issue containe note. ca Rebecca Kitteridge Director of Security I'C'h'ristopher Finlayson in Charge of Dam X5- ?vp (fag/v 1:576 c3351?. A. p? 3.134.; HI. i L'a' 6 mfg-I'd- h? I I ante"; xiPage 3 of 3 23 APR 20:3 I Lu. Isthmus. worth". min. )4 . u: :6 1 't?sit't tit NewZealand Securityt Intelligence Servsce Te Pit Whaitamarumaru Briefing note Date 1 November 2016 I To Hon' ChriStOPhEr Finiayson, Minister in Chatge From Rebecca Kittericige, Director of Security For Your Information Annual Report ?Further information Purpose i. As you know, a segment Report?ogf? Inspector-General of intelligence and Security (#615) criticises lengtnof It took to engage with, and resolve, access to information New "Customs Service?s computer dataset and immigratil H?Iettgg'iZeaIanqzs Processing dataset The EGIS's Annual Rep; itacle public on?i-Nositember. 2. This brie{irig-providesiyouwith: a. in: of" the reievanc events, including a chronological s?irn__t__n?arfof key events Annex and talkingpoints ti r?quired. reotiilt nitether certain NZSIS active}: W05 fateful and Hoot, how that was to be remedied. i ?40' the issue with the Director in june 2015 and provided the Director with derariec! provisional in'ciftigs on my weer of the {egotity of the in August 206. The Service provitieo its first Substantive response to March-rip?? 2016. i appreciate that the underl?ng issue is contpiex and thatfurtiter substarttrai wort: i5 suit traders-ray of the outstanding aspects of the questions that i raised. However, ono? regardiess ofthe uitrmore conclusions on the iong?oiness of the activity to question, the time taken to engage with and resoive this Significant is in a matter of concern to me. in order to ensure that it operates iaerfuibc the must be abie to deoi such questions in a more ameiy tsroy. term report more fuiiy on this :55 ea 05 soon as it 15 possibie to do so. LIE. 4'1. . . .. i isAt?I?Ql?n'i' Il-f"! Page 1 of 5 assassin 23 are 21118 . 9.. J. l. i- {gs-a. w. an - hen?Ind!