Telstra has warned that public trust in the security of their data will be eroded if government agencies continue to be allowed access to it without appropriate authorisation.

More than 60 agencies, including local councils, state coroners, Centrelink, the National Disability Insurance Agency and the Australian Sports Anti-Doping Authority, have been accessing data using a loophole in the Telecommunications Act that allows them to bypass restrictions in the 2015 data retention legislation, under which access was restricted to only 20 agencies, primarily police and other law enforcement bodies.

In a submission to the parliamentary review of the data retention laws, Telstra said the reasons the agencies had for accessing the data may have been “significant in their own domain” but doing so could “erode public trust in the regime and undermine the relationship we have with our customers in relation to protection of their privacy”.

Telstra has proposed that all organisations should be required to follow the process for accessing telecommunications data under the data retention legislation. This would not mean adding more organisations to the list of law enforcement agencies, but would require them to follow the same procedure to access the data, and ensure that all requests were reasonable and proportionate.

The Communications Alliance, the peak industry body, has warned that many agencies do not know what to do with the data once they receive it.

“They then take up more of the [company’s] time to explain the data, then sometimes also call on [telecommunications companies] to appear in court on relatively minor issues as expert technical witnesses.”

The alliance also heavily criticised the government’s tardy reporting on metadata access. The home affairs department is required to put out a report every financial year on the number of times agencies accessed metadata, but it took until last week for the report covering the 2017-18 financial year to be released, with no sign of the report covering the last financial year.

The alliance has called for the law to be changed to require the government to release the report by 30 September after each financial year.

The department has denied that companies are required to hand over the data if it is collected solely for the purpose of complying with the data retention law. The department said in its submission only data retained “in the course of their usual business” can be accessed outside the data retention scheme.

The office of the Australian information commissioner has called for the government to consider requiring agencies to obtain a warrant before accessing the data, and limit access to the purposes of investigating a serious offence or to safeguard national security.

Guardian Australia reported last week that ACT police, which has the power to access metadata, unlawfully accessed metadata more than 3,000 times, including in two cases that resulted in information that may have been used in a prosecution.

These are the agencies that have been granted access under the data retention regime:

Australian Competition and Consumer Commission

Australian Criminal Intelligence Commission

Australian Commission for Law Enforcement Integrity

Australian federal police

Australian Securities and Investments Commission

Crime and Corruption Commission (Qld)

Crime and Corruption Commission (WA)

Department of Home Affairs

Independent Broad-Based Anti-Corruption Commission (Vic)

Independent Commission Against Corruption (NSW)

Independent Commission Against Corruption (SA)

Law Enforcement Conduct Commission

NSW Crime Commission

NSW police

NT police

Qld police

SA police

Tas police

WA police

Theses are the agencies that have been skirting around the scheme to access data under the Telecommunications Act, according to the Communications Alliance: