Australia’s privacy commissioner, Timothy Pilgrim, does not have jurisdiction to monitor all local and state agencies who access Australians’ personal phone and web data under commonwealth laws.
The Office of the Australian Information Commissioner released its annual report last week, which detailed record numbers of data breach complaints against government agencies and private companies.
In an interview with Guardian Australia, Pilgrim said government agencies and private organisations had “some way to go” to keep up with the most up-to-date security measures.
The annual report comes at a time when the federal government is expected to soon introduce a bill that will force telecommunications companies to retain Australians’ personal phone and web browsing data, commonly known as “metadata”, for two years.
The federal government and enforcement agencies have argued this is an important measure for combating crime and responding to terrorism threats.
Australia’s federal Privacy Act covers commonwealth government agencies and private organisations, which would include telecommunications providers.
But state, territory and local government agencies are not covered by the act, despite these agencies being able to access metadata under the federal Telecommunications (Interception and Access) Act.
Pilgrim told Guardian Australia: “It comes down to the coverage of the Privacy Act. We can start from the perspective that all Australian government agencies – that is commonwealth government agencies – that are covered by the Privacy Act need to comply with the same data security standards as do the private sector organisations.
“The issue then is what is the breadth of those agencies that are collecting that information in these circumstances, and then you’d need to look at what happens with those organisations that are not covered by the Privacy Act.”
While there are some obligations to prevent the disclosure of information under the Telecommunications (Interception and Access) Act, the Privacy Act has a much more comprehensive framework of privacy principles that agencies must comply with.
The act also allows individuals to seek redress that can involve fines or sanctions imposed by the privacy commissioner, but none of these measures will be available if breaches arise from state or local government agencies misusing personal information.
Instead, individuals will be left to seek recourse within state or territory regimes, which vary in their effectiveness and add to an already complex interaction of state and federal powers.
When asked about the mandatory data retention proposals, Pilgrim said that if organisations were retaining or collecting new datasets, he would expect them to “undertake appropriate risk assessments to ensure that the security systems they have in place are sufficient to protect that information”.
“I would suggest that the more sensitive information organisations and agencies are collecting, the more they need to focus on making sure they’ve got the right level of security in place, the strongest types of security to protect that information, the most up-to-date security measures in place.”
He also added that “the focus on data security in the coming year is going to be a key area for all organisations, both government and private sector”.
Accessing Australians’ personal data under telecommunications interception laws has resulted in data breaches occurring in the past.
In August Guardian Australia revealed the Australian Federal Police was involved in an embarrassing breach where details of a criminal investigation were posted on a publicly available website due to poorly redacted documents, potentially jeopardising an operation.
Pilgrim added that he had seen an increasing awareness in the community of privacy rights.
“What I’ve seen in quite a number of years working in this area is that every year the community do continue to exercise their rights in increasing number. People are becoming more aware, particularly in the online environment, of how their personal information is being used,” he said.
The Office of the Australian Information Commissioner, which Pilgrim’s role is part of, is set to be abolished in a bill introduced by the federal government. If the legislation succeeds in passing, Pilgrim’s office will become part of the Australian Human Rights Commission.