MI5 has committed “serious” breaches of surveillance safeguards in the way it handles information obtained under interception warrants, the home secretary, Sajid Javid, has admitted.

So severe was the compliance failure that the Investigatory Powers Commissioner’s Office (IPCO) sent a team of inspectors into the intelligence agency for a week to investigate, according to the human rights organisation Liberty.

Liberty is one of a number of NGOs taking legal action over what it alleges are excessively intrusive surveillance powers. The IPCO, chaired by the appeal court judge Sir Adrian Fulford, is the official body responsible for overseeing government surveillance practices.

In a written statement to parliament last week that was not widely noticed, Javid said he was notifying MPs of “compliance risks MI5 identified and reported within certain technology environments used to store and analyse data, including material obtained under the Investigatory Powers Act”.

The risks related to material obtained through “lawful interception”. Javid added: “A report of [IPCO] suggests that MI5 may not have had sufficient assurance of compliance with these safeguards within one of its technology environments.

“The compliance risks identified are limited to how material is treated after it has been obtained. They do not relate in any way to the manner in which MI5 acquires information in the first instance or the necessity and proportionality of doing so.”

The IPCO report concluded the risks were both “serious and required immediate mitigation”. Work to implement those mitigations is “being treated as a matter of the highest priority, both by MI5 and the Home Office”, the statement added.

The home secretary said he had established an independent review to “consider and report back” on what lessons could be learned. The data involved could have included private messages, digital browsing histories and location information, but the categories of information involved are likely to remain secret.

Megan Goulding, a lawyer at Liberty, said: “This is a clear-cut example of how the supposed safeguarding and oversight system is failing to protect us from the excessive and unwarranted surveillance and data retention powers created under the ‘snooper’s charter’.

“The breach in itself is deeply concerning but on top of that the way this has unfolded – with IPCO only finding out because MI5 reported it, and the wider public only knowing apparently because of our legal case – shows how fatally flawed the oversight system for security services is.

“It is possible, from what is known, that millions of innocent people’s data is being shared widely with foreign governments. If the government has its way, we will never know if this is the case.

“If the UK’s surveillance regime is to have a semblance of legitimacy, the public needs to know what happened, and how badly our privacy and the security of our information were put at risk.”