
Australian Government - Office of the Australian Information Commissioner


The Cosmetic Institute reported data breach

6 June 2017

My office has contacted The Cosmetic Institute about this reported data breach.

The Privacy Act 1988 recognises the sensitive nature of health information and provides extra protections around it in recognition of the significant impact any misuse of that information can have on an individual.

If we are notified of a potential privacy breach, my office makes contact with the organisation to provide advice and to ensure, in the first instance, that they are minimising and mitigating the data breach. When there is a real risk of serious harm, organisations are encouraged to notify affected individuals.

When investigating a data breach, my office will evaluate the systems and processes that were in place to protect personal information and how the organisation managed the data breach. This includes whether they provided appropriate notification to people affected by the breach.

In resolving an investigation, I have a range of enforcement powers, including seeking enforceable undertakings, making a determination, and the power to seek a civil penalty for serious or repeated breaches of privacy. In resolving complaints from individuals, I can also require an organisation to make an apology, change their practices or systems, or pay compensation.

If any person has any concerns about how their privacy has been managed they can contact my office via or 1300 363 992.

Timothy Pilgrim PSM
Australian Information and Privacy Commissioner


  • In 2015-16, the Office of the Australian Information Commissioner received 107 voluntary data breach notifications and 16 mandatory data breaches relating to health information.
  • A Notifiable Data Breaches scheme has been established to ensure that affected individuals are notified about serious data breaches. The NDB scheme will apply to all businesses, government agencies and other organisations covered by the Privacy Act 1988 and will commence on 22 February 2018.