The Cosmetic Institute

18 August 2017
Tags: statement

The Cosmetic Institute privacy investigation launched

18 August 2017

On 15 August 2017, the Acting Australian Information Commissioner opened an investigation into The Cosmetic Institute data breach.

The data breach allegedly occurred after an error allowed the public to view The Cosmetic Institute’s website index which included medical forms and images.

The Cosmetic Institute is cooperating with the Office of the Australian Information Commissioner’s (OAIC) inquiries. A further statement will be published at the conclusion of the investigation.

If any person has any concerns about how their privacy has been managed they can contact the OAIC on or 1300 363 992.

Back to Contents

The Cosmetic Institute reported data breach

6 June 2017

My office has contacted The Cosmetic Institute about this reported data breach.

The Privacy Act 1988 recognises the sensitive nature of health information and provides extra protections around it in recognition of the significant impact any misuse of that information can have on an individual.

If we are notified of a potential privacy breach my office makes contact with the organisation to provide advice to ensure in the first instance that they are minimising and mitigating the data breach. When there is a real risk of serious harm organisations are encouraged to notify affected individuals.

When investigating a data breach my office will evaluate the systems and processes that were in place to protect personal information and how the organisation managed the data breach. This includes if they provided appropriate notification to people affected by the breach.

In resolving an investigation, I have a range of enforcement powers including seeking enforceable undertakings, making a determination and the power to seek a civil penalty for serious or repeated breaches of privacy. In resolving complaints from individuals I can also require an organisation to make an apology, change their practices or systems, or pay compensation.

If any person has any concerns about how their privacy has been managed they can contact my office via or 1300 363 992.

Timothy Pilgrim PSM
Australian Information and Privacy Commissioner


  • In 2015-16, the Office of the Australian Information Commissioner received 107 voluntary data breach notifications and 16 mandatory data breaches relating to health information.
  • A Notifiable Data Breaches scheme has been established to ensure that affected individuals are notified about serious data breaches. The NDB scheme will apply to all businesses, government agencies and other organisations covered by the Privacy Act 1988 and will commence on 22 February 2018.

Back to Contents

Was this page helpful?

Thank you.

If you would like to provide more feedback, please email us at