Regimen
OAIC · cosmetic and aesthetic clinics

How do the Australian Privacy Principles apply to cosmetic clinic photos and patient data?

Cosmetic clinics handle sensitive health information from the moment a consultation opens. Before-and-after photographs, treatment notes, intake-form answers about prior procedures and identifiable post-procedure imagery are all health information under the Privacy Act 1988. APP 11 requires reasonable steps to protect that information; APP 6 governs use and disclosure; the Notifiable Data Breach scheme requires notification of eligible breaches that are likely to cause serious harm.

Reviewed 2026-05-03
01 The statute

Privacy Act 1988 — Australian Privacy Principle 11.1.

If an APP entity holds personal information, the entity must take such steps as are reasonable in the circumstances to protect the information: (a) from misuse, interference and loss; and (b) from unauthorised access, modification or disclosure.

Source: OAIC — Australian Privacy Principles (full text)

02 What it requires for cosmetic and aesthetic clinics

The substance, in plain English.

Cosmetic-clinic data is health information by definition. The Privacy Act treats information about an individual's health, treatment, or a health service provided to them as sensitive personal information. Before-and-after photographs are identifiable health information when the patient can be recognised — the threshold is functional, not legal — and the consent and protection obligations apply from intake onwards.

APP 3 + APP 6 govern collection and use. Health information may only be collected with consent, and may only be used for the primary purpose of collection unless a permitted secondary use applies. A photograph collected for clinical record-keeping cannot be repurposed as marketing collateral without separate, specific consent. Consent embedded in a generic intake-form tickbox is unlikely to meet the standard for marketing use, and AHPRA's testimonial rules apply on top.

APP 11 requires reasonable security steps. For a cosmetic clinic that means: encrypted at-rest storage of clinical photos, role-based access controls inside the practice management system, multi-factor authentication on staff logins, vendor due diligence on cloud-hosted PMS providers, and a documented retention/destruction policy. The OAIC's first civil-penalty action under the Privacy Act — Australian Information Commissioner v Australian Clinical Labs — resulted in a $4.2 million penalty for failure to take reasonable steps under APP 11.1, plus $800,000 for failure to assess an eligible data breach.

Cloud storage of clinical photos brings APP 8 (cross-border disclosure) into scope. If the PMS provider, photo backup or imaging tool stores data outside Australia, the clinic must take reasonable steps to ensure the overseas recipient does not breach the APPs in relation to the information — and APP 8 holds the clinic accountable for the overseas recipient's acts. Default Apple iCloud / Google Drive backup of clinical photos on a practitioner's personal device is a common APP 11 + APP 8 failure mode.

The Notifiable Data Breach scheme requires notification of an eligible data breach — unauthorised access, disclosure or loss of personal information that is likely to cause serious harm to an individual. Healthcare is the most-notified sector under the NDB scheme: 102 healthcare data breaches reported in the first half of 2024 alone. A leaked before-and-after archive, an exposed cloud bucket of clinical photos, or a phishing-driven email account takeover that exposes patient correspondence is almost always notifiable.

03 The stakes

Maximum penalty: civil penalties up to $50 million per breach for body corporates (or three times the benefit obtained, or 30% of adjusted turnover during the breach period, whichever is greater) under the Privacy Act 1988 as amended in 2022; $2.5 million per breach for individuals.

Recent enforcement under this provision:

  1. 2025

    Australian Clinical Labs — first Privacy Act civil penalty

    Federal Court ordered ACL to pay $5.8M in penalties — $4.2M for failing to take reasonable steps to protect personal information under APP 11.1 (223,000+ contraventions), $800K for failing to assess an eligible data breach, plus further penalties — in the first civil-penalty proceeding to reach resolution under the Privacy Act.

    OAIC — ACL ordered to pay penalties for Medlab Pathology data breach

  2. 2024

    Notifiable Data Breaches Report — H1 2024

    OAIC's January–June 2024 NDB report recorded healthcare as the most-notified sector with 102 breaches, ahead of finance and government. Cyber incidents (phishing, compromised credentials, ransomware) accounted for the majority.

    OAIC — Notifiable Data Breaches Report: January to June 2024

  3. 2022

    Privacy Act 2022 amendments — penalty uplift

    The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 increased maximum civil penalties for serious or repeated interferences with privacy from $2.22M to $50M (or 3x benefit obtained, or 30% of adjusted turnover) for body corporates, a 22-fold increase intended to lift organisations' cyber-incident response posture.

    OAIC — Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022

04 At clinic level

A worked example.

A Gold Coast injectables clinic stores patient before-and-after photos on the operating practitioner's iPhone, with iCloud backup enabled to a personal Apple ID. The intake form has a single tickbox marked "I consent to the collection of photographs". The clinic uses a third-party Practice Management System hosted in Singapore and emails clinical photos to the prescribing GP using a generic Gmail account. Three APP exposures sit on this stack: APP 11 (unencrypted personal-device storage with cloud backup the clinic does not control), APP 8 (cross-border PMS hosting without due-diligence steps), and APP 3 / APP 6 (consent at the intake form is too generic to support marketing use of the photos, even if the practitioner intends to use them later). A leaked phone or compromised iCloud account would be a notifiable data breach affecting every patient whose photos are on the device. The clean version: enterprise-grade clinical-imaging software with encrypted at-rest storage and role-based access, an Australian-hosted PMS or APP 8 due-diligence on the overseas provider, and tiered consent — collection consent at intake, separate marketing-use consent before any external use of an image.
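The stack described above, and the APP 11 controls listed earlier (encryption at rest, role-based access, MFA, clinic-controlled backup, APP 8 due diligence on overseas hosting, tiered consent), can be expressed as a small self-check. The following is an added example, not code from the page or from the OAIC; the data-model field names, the two constructed stacks and the finding wording are assumptions chosen to mirror the worked example and its clean version.

```python
"""
Constructed APP self-check for a clinic's photo-handling stack (added example, not
from the page or the OAIC). It encodes the three exposures the worked example names:
APP 11 (reasonable security steps), APP 8 (cross-border disclosure) and APP 3/APP 6
(collection consent vs. separate marketing-use consent). Field names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PhotoStore:
    """One place clinical photos live (device, PMS, backup, mailbox)."""
    name: str
    encrypted_at_rest: bool
    role_based_access: bool
    mfa_on_logins: bool
    clinic_controls_backup: bool   # False when photos sync to a personal cloud account
    hosted_in_australia: bool
    overseas_due_diligence: bool   # written agreement + vendor review, for APP 8


@dataclass(frozen=True)
class Consent:
    """Tiered consent recorded against a patient's photos."""
    clinical_record: bool = False
    marketing_use: bool = False    # must be separate and specific, not the intake tickbox


def app11_findings(store: PhotoStore) -> list[str]:
    """APP 11.1: reasonable steps against misuse, loss and unauthorised access."""
    checks = [
        (store.encrypted_at_rest, "no encryption at rest"),
        (store.role_based_access, "no role-based access control"),
        (store.mfa_on_logins, "no multi-factor authentication"),
        (store.clinic_controls_backup, "backup to an account the clinic does not control"),
    ]
    return [f"APP 11 [{store.name}]: {msg}" for ok, msg in checks if not ok]


def app8_findings(store: PhotoStore) -> list[str]:
    """APP 8: overseas hosting passes only with due-diligence steps in place."""
    if store.hosted_in_australia or store.overseas_due_diligence:
        return []
    return [f"APP 8 [{store.name}]: overseas hosting without due-diligence steps"]


def use_allowed(consent: Consent, purpose: str) -> bool:
    """APP 3/6: use is bound to the purpose the consent was given for."""
    if purpose == "clinical":
        return consent.clinical_record
    if purpose == "marketing":
        return consent.marketing_use   # the generic intake tickbox does not carry over
    return False


def assess(stores: list[PhotoStore], consent: Consent,
           intended_uses: tuple[str, ...]) -> list[str]:
    """Run every check over the stack and return the list of exposures found."""
    findings: list[str] = []
    for store in stores:
        findings += app11_findings(store) + app8_findings(store)
    for purpose in intended_uses:
        if not use_allowed(consent, purpose):
            findings.append(f"APP 3/6: '{purpose}' use not covered by recorded consent")
    return findings


# Constructed stacks mirroring the page's worked example and its clean version.
GOLD_COAST_STACK = [
    PhotoStore("practitioner iPhone", encrypted_at_rest=False, role_based_access=False,
               mfa_on_logins=False, clinic_controls_backup=False,
               hosted_in_australia=True, overseas_due_diligence=False),
    PhotoStore("Singapore-hosted PMS", encrypted_at_rest=True, role_based_access=True,
               mfa_on_logins=True, clinic_controls_backup=True,
               hosted_in_australia=False, overseas_due_diligence=False),
]
INTAKE_TICKBOX_ONLY = Consent(clinical_record=True)

CLEAN_STACK = [
    PhotoStore("clinical imaging platform", encrypted_at_rest=True, role_based_access=True,
               mfa_on_logins=True, clinic_controls_backup=True,
               hosted_in_australia=False, overseas_due_diligence=True),
]
TIERED_CONSENT = Consent(clinical_record=True, marketing_use=True)

if __name__ == "__main__":
    for line in assess(GOLD_COAST_STACK, INTAKE_TICKBOX_ONLY, ("clinical", "marketing")):
        print(line)
    print("clean stack findings:", assess(CLEAN_STACK, TIERED_CONSENT, ("clinical", "marketing")))
```

Run against the Gold Coast stack it reports four APP 11 gaps on the phone, one APP 8 gap on the PMS and one APP 3/6 gap for marketing use; the clean stack with tiered consent reports none. The point of binding `use_allowed` to a purpose string is that the marketing path cannot succeed on the strength of the intake tickbox alone, which is the APP 6 failure the text describes.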

05 Adjacent questions

The questions that come next.

  1. Are before-and-after photos always health information under the Privacy Act?

    If the patient is identifiable from the image, yes. The Privacy Act's definition of health information turns on whether the information is about an individual's health, treatment, or a health service provided to them. Cropped, de-identified images may sit outside the definition, but the threshold for de-identification is functional — if a reasonable person could re-identify the individual from the image alone or in combination with other available information, it remains health information.

  2. Can a generic intake-form tickbox give consent for marketing use of clinical photos?

    Unlikely. APP 6 requires that secondary use beyond the primary purpose of collection be supported by specific consent, a permitted use, or a legal authority. A single tickbox covering both clinical record-keeping and marketing use does not give the patient a meaningful chance to refuse one and accept the other. Tiered, specific consent — separate at intake, separate before any external use — is the safer pattern. AHPRA's testimonial rules apply on top of consent.

  3. Our PMS is hosted overseas — is that a breach?

    Not on its own. APP 8 requires reasonable steps to ensure the overseas recipient does not breach the APPs, and the clinic remains accountable for the overseas recipient's handling of the information. Reasonable steps usually include a written agreement, contractual obligations matching the APPs, vendor due diligence on the recipient's security posture, and consent or notification of cross-border disclosure at intake.

  4. When does a cosmetic clinic data breach become notifiable?

    When the breach is an eligible data breach — unauthorised access, disclosure or loss of personal information that is likely to result in serious harm to one or more individuals. For a cosmetic clinic the threshold is usually clearly met for any unauthorised access to identifiable clinical photos, intake forms describing prior procedures, or treatment plans. Notification to OAIC and affected individuals is required as soon as practicable, typically within 30 days of becoming aware of the breach.

  5. What's the maximum penalty for a Privacy Act breach by a cosmetic clinic in 2026?

    Since the 2022 amendments, civil penalties for serious or repeated interferences with privacy reach the greater of $50M, three times the benefit obtained from the conduct, or 30% of the body corporate's adjusted turnover during the breach period. Individuals face up to $2.5M. The Australian Clinical Labs proceeding ($5.8M total) was the first civil-penalty action to reach resolution and signals the OAIC's willingness to pursue substantive penalties.

06 Primary sources

Read it for yourself.
