New Zealand's spy agencies have "open slather" access to Kiwis' personal information through government agencies as well as private companies including banks.
That's the view of Sir Michael Cullen, one of the two people who carried out the recent review of the Security Intelligence Service and Government Communications Security Bureau.
"It's sort of hidden away if you like, in one section of the Privacy Act and I think it's another good reason for trying to bring everything relating to the security agencies and intelligence agencies into a single piece of legislation so anybody who is really interested can go and see everything in one place," he said.
"At the moment there's no restriction on the intelligence agencies from asking for information from any company or organisation and receiving that and that's expressly not a breach of the Privacy Act, but it's also not done under any warrant."
He said the open slather access the agencies had, in particular the SIS, would probably be a surprise to many.
The review - announced last year - looked at the adequacy of the law governing the SIS, and how a change to GCSB legislation, following controversy over mass surveillance and some of its operations, was working.
One of the recommendations in the review was to tighten the rules for accessing personal data.
Privacy Commissioner John Edwards agreed with Sir Michael's assessment, saying no one was keeping track of personal data collection and the rules should be tightened.
Intelligence agencies were free to access individuals' personal information without a warrant, and without having to report it, he said, thanks to a specific exemption for GCSB and the SIS under the Privacy Act.
"At the moment if the Security Intelligence Service asked for banking records the bank would be able to give those over," Mr Edwards said.
"The SIS would not have to report to anyone that they had done that, the bank would not be in breach of the Privacy Act for having done that and nobody would know."
Limiting the agencies' access to the data would be a step in the right direction, he said.
Foreign Affairs spokesman David Shearer, also a member of Parliament's Intelligence and Security Committee, said the spy agencies should have to justify why they were collecting personal data.
"If that [data] is necessary, make the case. Make the case why you need to be able to look at that, and if it's only in small instances or at particular times then let's look at the possibility - if that stacks up - to limit that."
The government was considering the review and its recommendations, and was working towards introducing legislation around the middle of the year.
A Labour spokesperson said the party wanted to explore the new data-sharing provisions before giving its support to any draft legislation.