The British and American governments have attempted to turn the debate over secret surveillance after the Guardian's revelations of a covert US program which appeared to garner and analyse emails and other personal information held by some of the world's leading internet companies.

After two days in which both administrations appeared flat-footed and embarrassed by the disclosures, US officials sought to downplay the importance of the Prism system, set up by the National Security Agency (NSA), while the British foreign secretary, William Hague, flatly denied GCHQ might have tried to bypass UK laws governing the collection and retention of personal data.

Hague, the cabinet minister responsible for GCHQ, is expected to make a statement on the issue to the House of Commons on Monday, but experts noted the foreign secretary still had many questions to answer, and raised further concerns about the rigorousness of a regulatory and oversight regime that critics have long argued is totally inadequate.

One senior Whitehall source involved in this security process, who spoke on condition of anonymity, said he had never heard of Prism until the Guardian revealed its existence last week.

In an interview on Sunday, Hague refused to be drawn on the details of classified documents obtained by the newspaper, which stated that GCHQ had last year generated 197 intelligence reports from Prism, the program set up in 2007 to help the US monitor traffic of potential suspects abroad. The papers also showed GCHQ, the UK's eavesdropping and security agency, had access to Prism since at least May 2010.

Since the revelations on Friday, neither GCHQ nor any government minister has denied the agency had access to material gathered by the program, which appears to have given the NSA ways of retrieving information from companies such as Google, Skype, Yahoo, Microsoft and Apple.

Hague also refused to say whether he had authorised GCHQ's access to Prism, or how many Britons had been spied upon, while insisting it was "nonsense" for people to think analysts at the agency in Cheltenham "are sitting around working out how to circumvent a law with another agency in another country".

But ministers have also not attempted to explain why GCHQ would need to access information from Prism, rather than going through the normal legal protocol when seeking information from an internet company based in another country. This involves making a formal request to the US department of justice, which would make the approach to the firm on the UK's behalf. The company then has to decide whether to provide information.

In the UK, GCHQ is bound by the Regulation of Investigatory Powers Act to seek approval for intercepting material from telecoms and UK-based internet companies.

Nick Pickles, director of Big Brother Watch, the privacy and civil liberties campaign group, said: "Every year, hundreds of requests for information on British users of American services are refused for a variety of reasons, including because they ask for more than the law allows. I hope the foreign secretary is able to reassure people that this arrangement with the NSA has not been used when information was denied under the normal process.

"UK law requires that any directed surveillance is focused on a specific individual or premises. There is a clear concern that the collection of the relevant information was not collected as part of a directed operation, and if that has happened the legality of obtaining the information is far from clear.

GCHQ, the UK’s eavesdropping and security agency and the NSA's counterpart

"It's important to ascertain if British infrastructure has been unknowingly caught up in activity that goes beyond what US law allows. It's absolutely right that GCHQ and other agencies can access information and monitor individuals suspected of threatening our safety. While specific details cannot be revealed, the legal authority should be subject to parliamentary debate and today's statement is an important part of maintaining public confidence."

Prof Peter Sommer, a cybersecurity expert, said it was well known the US and British intelligence agencies shared information, but asked whether Hague and Theresa May, the home secretary, had any way of independently verifying what the GCHQ, MI5 and MI6 were telling them.

The intelligence and interception commissioner, who reviews whether the agencies are working to the letter of the law, and the members of the parliamentary intelligence and security committee (ISC), have some powers of scrutiny, but Sommer questioned whether they had enough resources to give proper oversight.

"Is the prime minister satisfied that the ISC have the requisite resources and skills to conduct effective scrutiny of GCHQ, SIS [secret intelligence service] and MI5 when so much must depend on detailed technical knowledge of how mega-databases, the internet and communications systems work? Sommer said.

"The common theme here is that ability of the auditors of the agencies to know what precise questions to ask. I doubt they are being lied to, but I wonder if there is an absence of full disclosure."

Mike Rispoli, spokesman for Privacy International, added: "The foreign secretary has told us that if you are a law-abiding citizen, then you have nothing to fear. We've heard this excuse before; it's the sorry line the governments trot out to appease the public.

"We do have something to fear, and that is the British government making an end run around privacy law to gather broad intelligence on citizens they would not be able to legally attain otherwise. There is a reason why vacuuming up people's personal data in such an invasive manner violates their rights.

"We hope Mr Hague, GCHQ, and the British government start to take the privacy rights of individuals seriously, and treat the public's concerns about this terrifying program with respect. It is not 'nonsense' as Hague suggests, to be worried about their actions."