Section 23 of the GCSB Act imposes an obligation on them to destroy irrelevant records obtained by interception as soon as practicable. So if for example they are spying on someone under a warrant and intercept them looking at a food website for a lasagna recipe, that's irrelevant to security and has to be destroyed. So are they obeying this part of the law? I used the OIA to ask them, and the answer is that they just don't know
GCSB destroys irrelevant communications, and copies and records of these under s 23 of the GCSB Act in different ways depending on the system that collected them. Records of such destruction are not kept for all systems.
Where GCSB's systems hold specific records of destruction, GCSB can confirm records of seven instances of disposal between 1 July 2014 and 30 June 2015.
I'm assuming that those instances cover the disposal of multiple records, but even so, with over sixty interception warrants and access authorisations issued last year, plus Cthulhu-knows how many warrantless interceptions under s16, it seems... low. I'd suggest that the current spy review look at this, except we all know that its a rubber-stamp which is likely to respond by removing the requirement to destroy irrelevant records, rather than making the spies obey the law. Because that's how spying works in this country: they piss on the law, and face no consequences for doing so.