The security service MI5 has handled large amounts of personal data in an “undoubtedly unlawful” way, a watchdog has said.
The Investigatory Powers Commissioner said information gathered under warrants was kept too long and not stored safely.
Civil rights group Liberty said the breaches involved the “mass collection of data of innocent citizens”.
The high court heard MI5 knew about the issues in 2016 but kept them secret.
“MI5 have been holding on to people’s data – ordinary people’s data, your data, my data – illegally for many years,” said Megan Goulding, a lawyer for Liberty, which brought the case.
“Not only that, they’ve been trying to keep their really serious errors secret – secret from the security services watchdog, who’s supposed to know about them, secret from the Home Office, secret from the prime minister and secret from the public.”
The criticism of MI5 emerged in the High Court on Tuesday as Liberty challenged parts of the Investigatory Powers Act.
Under the act, MI5 can apply to judges for warrants to obtain information such as people’s location data, calls, messages and web browsing history.
As well as “bulk data” collection, which can include information about ordinary members of the public, MI5 can use targeted interceptions of communications and computer hacking for investigations such as counter-terrorism.
But the act includes safeguards about how all this information is stored and handled. It is against the law to keep data when it is no longer needed, or to store it in an unsafe way.
MI5 had a “historical lack of compliance” with the law, said Lord Justice Sir Adrian Fulford, who oversees the security service’s use of data as Investigatory Powers Commissioner.
In a ruling revealed during the court case, he said the security service would be placed under greater scrutiny by judges when seeking warrants in future – which the commissioner compared to a failing school being placed in “special measures”.
Liberty said the revelations meant that some of the warrants issued to MI5 may not have been lawful, because the security service knew over several years that it was not handling data correctly but did not tell the judges.
The court heard that senior members of MI5 were aware three years ago that there were serious issues with the management of data.
MI5 informed the Home Office and Number 10 of the concerns in April this year, but the commissioner said they should have revealed them earlier.
Discussions between lawyers and clients were among the information wrongly held by the security service, Liberty said.
The pressure group said such material should be protected by legal privileges, but instead it was being seen by people at MI5.
Lawyers for MI5 said they could not explain the exact nature of the breaches in open court, not because they were “embarrassing” but because there were “serious national security concerns”.
The security service has now taken “immediate and substantial steps” to comply with the law, Home Secretary Sajid Javid has said.
Julian Milford, representing Mr Javid and Foreign Secretary Jeremy Hunt, acknowledged in court “the existence of serious compliance risks”.
But he said these specific issues were a “complete irrelevance” to Liberty’s court case, which was challenging the legality of the whole system of information gathering created by the Investigatory Powers Act.