An MI6 officer was granted "unacceptable" access to bulk personal data (BPD), a report into the activities of the intelligence services has found.
The annual report of the intelligence commissioner, Sir Mark Waller, also discovered that GCHQ accidentally spied on its own staff too much.
It came as Theresa May told MPs she had "not yet reached a decision" as to whether ministers should have to get judges to sign off on warrants for surveillance.
A separate report also published today, by the former UK ambassador to the US, Sir Nigel Sheinwald, found that the willingness of American internet companies to cooperate with British law enforcement and counter-terrorism was "incomplete".
David Cameron published Waller's report today. Part of Waller's job is to protect the privacy of people who have information held on one or more systems in the intelligence services.
He found that MI6 has a "strong monitoring system to prevent individuals misusing data. But in one recent instance of misuse in SIS an officer accessed the BPD system despite having moved to another role which did not require access.
"The access was for a legitimate work purpose but still unacceptable and a breach notice was issued," Waller found. "However, I informed SIS that the corporate failure which allowed the officer to retain access to the system was a more serious breach. BPD systems hold highly personal data and it is vital that staff only have access if they have a business need. The officer should not have been able to retain access to the system after moving post."
Waller also discovered last GCHQ, Britain's electronic monitoring spy agency, had been snooping on its own agents. "In 2014, GCHQ reported one error to me which happened when an internal monitoring system of some staff communications was found to be capturing more information than it was authorised to," he said.
"I followed up on this error during my May inspection and the team explained that because of a lack of understanding of the systems’ full capability more data than had been authorised had been collected."
Waller said this had been a "technical error" and "not deliberate". Following the discovery of the error GCHQ deleted the captured data.
In the Commons, shadow home secretary and Labour leadership hopeful Yvette Cooper said there was "a strong case for introducing judicial authorisation" into the activity of the intelligence agencies. At the moment the UK is the only country in the Five Eyes intelligence network, Australia, Canada, New Zealand, the UK and the US, that does not have judicial authorisation.
"Those who simply defend the status quo need to explain why they think the arrangements in all those other countries are inadequate and worse than ours, given the added legitimacy that some judicial authorisation processes should bring," she said.
Her view was echoed by former Conservative Attorney General Dominic Grieve, who said it was clear that a "judicial oversight system, with possible exceptions where complex issues of policy may be involved, would probably enhance trust" in the activities of the intelligence services.
May said she had yet to decide whether to adopt this approach: "I am clear that, whatever legal and privacy framework we propose, it will need to be agile and capable of responding to urgent cases. It will need to be clear and accountable, to be capable of commanding public confidence, and to ensure that sensitive powers are available in a way that will stand the test of time," she said.