The UK's security agencies acted unlawfully over about 15 years by collecting large quantities of data on individual UK citizens without proper oversight, a tribunal ruled yesterday.

Following a legal challenge by campaign group Privacy International, the Investigatory Powers Tribunal (IPT) ruled that data collection by GCHQ, MI5 and MI6 did not comply with the European Convention on Human Rights (ECHR), which was made enforceable in the UK by the Human Rights Act 1998, until a published supervision regime was implemented in November 2015.

Chaired by Mr Justice Burton, the tribunal found that the collection of bulk communications data (BCD) – covering who made what phone and web-based communications with whom, though not the content – failed to comply with the article 8 right to privacy prior to the 2015 regime. Similarly the retention of bulk personal datasets infringed article 8 for the decade up to March 2015, at which point the practice was publicly acknowledged.

GCHQ claimed that the practices were vital for identifying and developing intelligence targets, but its methods were held to infringe article 8, under which any interference with personal data must be lawful and necessary.

Section 94 of the Telecommunications Act 1984, under which the data were collected, was held not to give sufficient indication that the powers conferred could be used for this purpose. "It seems difficult to conclude that the use of BCD was foreseeable by the public when it was not explained to Parliament”, the tribunal stated.

The policy now in force includes guidance as to how collected data should be acquired, managed and destroyed.

In a statement the Home Office said it was pleased that the tribunal had confirmed the current lawfulness of the existing bulk communications data and bulk personal dataset regimes. The Government was "committed" to providing greater transparency and stronger safeguards for bulk data collection powers available to intelligence agencies.

The Investigatory Powers Bill now before Parliament will provide a further statutory basis for bulk data collection and retention, but opponents continue to claim that it does not go far enough to make the security services accountable.