The Government's beleaguered intelligence agency may have unlawfully spied on 85 people, a top secret review reveals.

The report, ordered after the Kim Dotcom fiasco, contains a raft of criticisms of the Government Communications Security Bureau (GCSB).

The revelations are contained in the report, prepared by Cabinet Secretary Rebecca Kitteridge, and seen by Fairfax Media.

It was handed to Prime Minister John Key last month but has yet to be made public.

The explosive revelations confirm that the illegal spying was far broader than the Dotcom case - and involves up to 85 people and cases dating back nearly a decade.

The report's criticism will heap more pressure on Key, who as prime minister oversees the bureau.

GCSB director Ian Fletcher said in February that his agency did not illegally spy on anyone else on behalf of law enforcement agencies.

But the Kitteridge report contradicts this - questioning the lawfulness of GCSB surveillance involving 85 New Zealanders. The agency is forbidden from spying on anyone with citizenship or permanent residence here.

The illegal spying was conducted between April 2003 and September last year and done on behalf of the Security Intelligence Service, the domestic spy agency.

The 71-page report also reveals a series of failings within the bureau's management and culture, which led to the illegal spying.

Kitteridge recommends an immediate overhaul of the law covering the GCSB's activities - and says the agency may have breached other laws, including the Privacy Act and the Defence Act.

A review of these legal issues is already underway.

She is also critical of former GCSB deputy director Hugh Wolfensohn, who quit over the Dotcom scandal last year. He was the sole legal adviser and the chief architect of GCSB legislation and staff were reluctant to challenge him, the report says.

But she also points to under-resourcing of his office and notes that his requests for more lawyers were ignored.

Agency staff worked faithfully and were devastated to learn they were not acting within the law. There was no evidence they acted in bad faith or believed the end justified the means, the report says.

Culture problems at the agency could take a year to fix, Kitteridge says.

The GCSB's organisation was overly complex, fragmented and had too many managers. Poorly performing staff were tolerated, rather than fired or disciplined, because of fears that disgruntled former employees could pose a security risk.

The agency was also isolated and disconnected from the rest of the public service.

GCSB staff were reluctant to stray outside classified channels or seek external advice. New legislation was not analysed for possible implications on GCSB's activities.

Record-keeping within the bureau was poor, with staff relying on oral briefings or emails. Kitteridge struggled to find crucial policy documents and noted that some audit reports were missing.

She also identified a lack of oversight by the Inspector-General of Intelligence and Security, the watchdog who visited only four times a year, and was tied up with SIS work.

Kitteridge was tasked with reviewing the GCSB after the bureau conducted illegal surveillance on Dotcom, the German internet entrepreneur who has New Zealand permanent residency.

She was seconded to the agency in October last year and visited spy agencies in Australia and MI6 in Britain as part of her review. Her report was completed last month.

Key, who is in China, has pledged to publicly release the review findings. The report is due to be discussed by Parliament's secret intelligence and security committee next week.

It is understood new legislation will be introduced to Parliament soon after the report's release.

Police are already investigating the GCSB's illegal spying on Dotcom after a complaint from the Green Party.

Kitteridge's findings are likely to strengthen Labour's call for an independent inquiry into the country's intelligence agencies.



SENIOR SPY 'HAD TOO MUCH ON HIS PLATE'

The man responsible for making sure the GCSB followed the law wore too many hats and didn't have time to deal with legal advice, the report reveals.

Hugh Wolfensohn resigned over the Dotcom spy scandal after almost 25 years with the bureau. His job title was deputy director of mission enablement (DDME) at the spy agency.

Wolfensohn was the GCSB's only legal adviser from his appointment in 1988. He also occasionally stepped in as acting director.

Wolfensohn, sometimes known as Agent CX, was placed on gardening leave in September last year and subsequently resigned. Prime Minister John Key refused to say last week if he received a golden handshake.

In February last year, Wolfensohn dismissed police and GCSB fears that they may have illegally spied on Kim Dotcom.

The illicit surveillance came to light in September last year when Dotcom's lawyers began questioning which other agencies were involved in Operation Debut, the joint police and FBI raid on Dotcom's mansion in January 2012.

The Kitteridge report outlines Wolfensohn's multiple and pivotal roles - and concludes he had too much on his plate.

Wolfensohn admitted he devoted at most 5-10 per cent of his time to legal work.

He had asked for more lawyers on a number of occasions, but none were appointed, the report says.

His only back-up came when legally qualified intelligence analysts were twice seconded to work with him, but they were inexperienced and needed considerable supervision.

Wolfensohn was the chief architect of the flawed GCSB Act. He interpreted the law and was responsible for its implementation and operation. These were conflicting roles, the report says.

Because of his knowledge and authority, staff were reluctant to challenge his advice. Kitteridge said Wolfensohn was not connected with other public service lawyers or the legal community.

There was little peer review of his work by the Crown Law Office, and he consulted only with the intelligence watchdog, the Inspector-General, on legal matters.

There was also no budget for seeking outside advice.

Wolfensohn also told Kitteridge that the culture of the bureau was to keep its work within classified channels. The report also found legal advice was not sufficiently documented or accessible.

Staff said Wolfensohn gave advice informally and in emails that could not be accessed when he was absent. This created very significant risk for the agency, which became apparent when he left last year.

Kitteridge recommended the DDME role be reformed and reviewed - which has now happened.

Wolfensohn had responsibility for legal advice, governance, performance, strategy, policy, and risk management and strategic relationships. He was also responsible for a huge number of staff including the GCSB's compliance adviser, chief financial officer, chief information officer, IT and security staff, HR, finance and logistics, procurement and property services.

He also stepped in as acting director - and was undertaking those duties when the GCSB became involved in Operation Debut.

KEY FINDINGS:

THE LEGISLATION

* The GCSB Act 2003, the sole source of authority and law within the agency, is so confused it is not fit for purpose

* The key issue is with section 14, which states the GCSB may not "take any action for the purpose of intercepting the communications of a person...who is a New Zealand citizen or a permanent resident"

* Immediate legislative reform is needed to clarify the application of the act to the GCSB's work

* The GCSB Act has not kept pace with the internet - the act is difficult to apply to some of the bureau's work with new technology

* GCSB's compliance with the Defence Act 1990 and the Privacy Act 1993 is also being analysed - and the agency may not have complied with the Public Records Act 2005

STAFF CULTURE

* It will take a year and a really solid effort to address GCSB's problems

* GCSB's organisation was too complex and fragmented, with too many managers

* There was a tendency to tick boxes and make assumptions but not ask questions or seek evidence

* A culture persisted where poor performance was tolerated and problematic staff redeployed internally instead of being held accountable

* There was an aversion to dealing with poor performance because of security risk from disgruntled former staff and also because vetting of new recruits takes so long

* Specialised knowledge was valued over other skills, staff stayed too long in one job and there is some passive resistance to change

* A need-to-know culture created silos

* The bureau is isolated and disconnected from the rest of the public service

* Staff faithfully followed legal advice and it was devastating and abhorrent to learn they were not acting within the law

* There was no evidence they acted in bad faith or believed the end justified the means

* Staff believe it is an organisation spread very thinly - money was directed at operations at the expense of legal and compliance advice.



TIMELINE

Dec 16, 2011: GCSB begins spying on New Zealand residents Kim Dotcom and Bram van der Kolk.

Jan 19, 2012: Prime Minister John Key is briefed on Operation Debut, the police investigation into Dotcom, on the eve of the scheduled raid on his Auckland home.

Jan 20: Police swoop on Dotcom's Coatesville mansion and arrest Dotcom.

Jan 29: Ian Fletcher starts as head of GCSB.

Feb 16: Police inform GCSB the spying on Dotcom may have been illegal.

Feb 22: The Organised and Financial Crime Agency New Zealand (Ofcanz) contacts GCSB regarding Dotcom's residency status.

Feb 29: Key visits GCSB offices for a briefing. The presentation shown includes a reference to Dotcom's arrest. Key initially did not remember the briefing, and said the first he learned of GCSB's involvement was in September.

Aug 17: With Key out of the country on a family holiday, Bill English is called on to sign a ministerial certificate suppressing GCSB's involvement in the Dotcom case.

Sept 17: Fletcher advises Key that GCSB unlawfully spied on Dotcom and Van der Kolk.

Oct 2: Cabinet Secretary Rebecca Kitteridge is seconded as associate director of GCSB to review the agency.

April 2, 2013: Key confirms he has received Kitteridge's report and will release it once he is back from China and has shown it to Parliament's security and intelligence committee.