Data Governance, AI Use & Cybersecurity & Notifiable Data Breach (NDB) Policy – 2025

Published: October 9, 2025

This policy sets out how Newcastle Cosmetic Doctor (NCD) protects patient information, governs the safe use of artificial intelligence (AI), and maintains cybersecurity and incident response, including the Notifiable Data Breach (NDB) scheme. It applies to all staff, contractors and vendors handling NCD data. It aligns with the Privacy Act and Australian Privacy Principles (APPs), OAIC NDB obligations, ACSC Essential Eight, and clinical governance standards for cosmetic medicine. 1 2 3 4 5

1. Roles & Accountability

  • Privacy Officer: oversees APP compliance, consent, access/correction, privacy impact assessments, and NDB notifications.
  • Information Security Officer (ISO): leads cybersecurity controls (Essential Eight), vendor security, incident response drills.
  • AI Steward: approves AI use-cases, enforces de-identification, prompt/output logging, and human-in-the-loop review.
  • Medical Director: ensures alignment with Ahpra/MBA cosmetic practice standards and clinical governance.

2 4 6 7 5

2. Data Classification & Inventory

NCD classifies data as (a) Clinical Record (highly sensitive: notes, photos, imaging, treatment parameters), (b) Personally Identifiable Information (PII), (c) Operational (rosters, invoices), and (d) Marketing (non-clinical content). Systems holding each class are inventoried; owners and retention rules are assigned. Clinical photos are part of the medical record by default and governed by the APPs. 2 8

3. Collection, Use & Disclosure (APP 3–8)

We collect only what is reasonably necessary for care, with informed consent. Uses are limited to care delivery, safety/quality, and lawful requirements. Cross‑border disclosure of personal information requires due diligence on overseas recipients and patient consent where required; de‑identification is preferred. 2

4. Retention & Secure Destruction

Medical records (incl. photos/consents) are retained for ≥7 years after last entry for adults and until age 25 for minors, then securely destroyed or archived per policy. Backups and logs follow the same retention controls. 8

5. Clinical Photography & Digital Media

Clinical photos are captured to clinical standards and stored in the medical record. Any use in marketing requires separate, explicit consent and image integrity (no filters/alterations that could mislead). All advertising must comply with Ahpra and TGA codes; pricing must comply with ACCC rules (no drip pricing, clear totals). 2 8 9 10 11 12

6. AI Use Policy (Permitted, Prohibited, Controls)

  • Permitted: De‑identified admin drafting (patient comms templates), stock content ideation, policy formatting, with human review prior to use.
  • Prohibited: Uploading identifiable patient records or images to unapproved AI; using AI to diagnose, set treatment plans, or alter clinical before/after documentation; generating misleading marketing claims.
  • Controls: Human‑in‑the‑loop sign‑off; prompt/output logging; vendor vetting (security, data location, DPAs); enforce APP 8 for cross‑border disclosures; de‑identify by default.

2 8 9 11 12

7. Vendor Management, Contracts & Benchmarks

Cloud/AI vendors must disclose data residency, sub‑processors, retention and deletion terms; sign Data Processing Agreements; and meet industry security benchmarks (e.g., ISO/IEC 27001; 27701 for privacy). Vendors handling therapeutic goods data must respect TGA and advertising constraints. 2 13 14 10

8. Cybersecurity Controls (ACSC Essential Eight)

Minimum controls: MFA everywhere; patching OS/apps; backups (offline/immutable) tested quarterly; application control; restrict admin privileges; macro hardening; user app hardening; network segmentation; security awareness training and phishing simulations. 5

9. Incident Response & Notifiable Data Breach (NDB) Procedure

Suspected breach → contain (isolate systems, revoke access), assess within 30 days whether serious harm is likely, notify OAIC and affected individuals if criteria met, and review controls. Keep an evidence log (what, when, who, how contained), and follow ACSC guidance for technical response. 3 15 16

10. Governance, Patient Rights & External Escalation

Patients can request access to/correction of their information; complaints may be escalated to HCCC NSW or OAIC if unresolved. Clinical governance and consumer partnering follow NSQHS Standards and the Australian Charter of Healthcare Rights. 2 17 15 18

11. Records, Retention & Therapeutic Goods Data

All records are stored securely and retained per NSW Health rules; device/medicine data and software versions are documented; ARTG entries for relevant devices/consumables are recorded for recall traceability. 14 19

12. Training, Audit & Continuous Improvement

Onboarding and annual refreshers cover privacy, cyber hygiene, AI safe‑use, advertising/consumer law, and incident response. Quarterly audits review access logs, AI logs, vendor risk, backup restores, and breach drills. 5 15 8

Appendix A – NDB Quick‑Response Card (Post on Wall)

  1. Contain: disconnect affected endpoint/account; rotate credentials; preserve forensic copies.
  2. Assess (≤30 days): what data, who is affected, risk of serious harm.
  3. Decide: if likely serious harm → notify OAIC + individuals.
  4. Notify: what happened, what info, recommended steps, contact details.
  5. Review: root cause, patch, train, update policies; log actions.

3 4 6

Appendix B – AI Prompt/Output Log Template (De‑identified Only)

  • Date/Time
  • Staff
  • Purpose
  • Prompt (redact identifiers)
  • Output summary
  • Human reviewer
  • Decision (approved/edited/rejected)
  • System/Vendor
  • Data location
  • Notes
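The following is an added illustration, not part of the clinic's policy or its systems: a small Python model of the Appendix B log row that enforces the Section 6 controls before a record is written (human reviewer required, decision restricted to approved/edited/rejected, prompt stored only after redaction, and any identifier that was found flagged in Notes for AI Steward review). The identifier patterns are constructed assumptions; a real practice would tune them to its own record formats.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed identifier patterns (assumption; tune to the practice's own formats).
REDACTIONS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b\d{10}\b"), "[MEDICARE]"),                 # 10-digit card number
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DOB]"),       # d/m/yyyy dates
    (re.compile(r"\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][a-z]+\b"), "[NAME]"),
]
DECISIONS = {"approved", "edited", "rejected"}


def redact(text: str):
    """Replace identifier patterns; return (redacted_text, number_of_replacements)."""
    total = 0
    for pattern, label in REDACTIONS:
        text, n = pattern.subn(label, text)
        total += n
    return text, total


@dataclass
class AiLogEntry:
    """One row of the Appendix B prompt/output log (field names follow the template)."""
    staff: str
    purpose: str
    prompt: str            # stored only in redacted form
    output_summary: str
    human_reviewer: str
    decision: str          # approved / edited / rejected
    system_vendor: str
    data_location: str
    notes: str = ""
    date_time: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


def log_ai_use(**fields) -> AiLogEntry:
    """Build a log row, enforcing human sign-off and de-identification before storage."""
    if fields["decision"] not in DECISIONS:
        raise ValueError("decision must be approved, edited or rejected")
    if not fields["human_reviewer"].strip():
        raise ValueError("human-in-the-loop reviewer is required")
    clean, hits = redact(fields["prompt"])
    fields["prompt"] = clean
    if hits:
        # Identifiers reached an AI prompt: record it so the AI Steward can review the use.
        flag = f"[{hits} identifier(s) redacted; review against Section 6]"
        fields["notes"] = (fields.get("notes", "") + " " + flag).strip()
    return AiLogEntry(**fields)
```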

Sources

  1. OAIC – Privacy Act 1988 overview, viewed 8 October 2025, https://www.oaic.gov.au/privacy/the-privacy-act
  2. OAIC – Australian Privacy Principles (APPs), viewed 8 October 2025, https://www.oaic.gov.au/privacy/australian-privacy-principles
  3. OAIC – Notifiable Data Breaches (NDB) scheme, viewed 8 October 2025, https://www.oaic.gov.au/privacy/notifiable-data-breaches
  4. ACSC – Essential Eight, viewed 8 October 2025, https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
  5. ACSQHC – NSQHS Standards, viewed 8 October 2025, https://www.safetyandquality.gov.au/standards
  6. Ahpra 2025 – Guidelines for non‑surgical cosmetic procedures, viewed 8 October 2025, https://www.ahpra.gov.au/News/2025-01-31-Guidelines.aspx
  7. Medical Board of Australia – Cosmetic medical and surgical procedures guidelines, viewed 8 October 2025, https://www.medicalboard.gov.au/Codes-Guidelines-Policies/Cosmetic-medical-and-surgical-procedures-guidelines.aspx
  8. NSW Health – Health Records Retention PD2020_025, viewed 8 October 2025, https://www.health.nsw.gov.au/policies/pd/2020/PD2020_025.html
  9. TGA – Therapeutic Goods Advertising Code (2021) – legislation, viewed 8 October 2025, https://www.legislation.gov.au/F2021L01661/latest
  10. TGA – Advertising code guidance, viewed 8 October 2025, https://www.tga.gov.au/resources/publication/publications/advertising-code-guidance
  11. ACCC – Advertising and selling guide, viewed 8 October 2025, https://www.accc.gov.au/business/advertising-and-marketing/advertising-and-selling-guide
  12. ACCC – Price displays (drip pricing) guidance, viewed 8 October 2025, https://www.accc.gov.au/consumers/pricing/price-displays
  13. ISO/IEC 27001 – Information security management (overview), viewed 8 October 2025, https://www.iso.org/isoiec-27001-information-security.html
  14. ISO/IEC 27701 – Privacy information management (overview), viewed 8 October 2025, https://www.iso.org/standard/71670.html
  15. OAIC – Data breach preparation and response guide, viewed 8 October 2025, https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response
  16. ACSC – Incident preparedness & response (Ransomware playbook), viewed 8 October 2025, https://www.cyber.gov.au/resources-business-and-government/incident-management/prepare-and-respond-cyber-security-incidents/incident-preparedness-and-response/ransomware-playbook
  17. HCCC NSW – How to make a complaint, viewed 8 October 2025, https://www.hccc.nsw.gov.au/Complaints/How-to-make-a-complaint
  18. ACSQHC – Australian Charter of Healthcare Rights, viewed 8 October 2025, https://www.safetyandquality.gov.au/our-work/partnering-consumers/australian-charter-healthcare-rights
  19. TGA – Australian Register of Therapeutic Goods (ARTG) search, viewed 8 October 2025, https://www.tga.gov.au/resources/artg

Author:
Dr. Bart Scanlon
Medical Practitioner
Medical Registration Number: MED00019402249

Newcastle Cosmetic Doctor
