Why Your Consent Policy Is a High-Risk Document
Consent sits at the intersection of participant rights, service delivery, and legal obligation under the NDIS framework. For Supported Independent Living (SIL) providers and other registered NDIS organisations, a weak or outdated consent policy is not a minor administrative gap — it is a direct non-conformance under the NDIS Practice Standards and the NDIS Code of Conduct.
With the strengthened 2026 registration and practice standards framework placing greater emphasis on rights-based practice, approved quality auditors are scrutinising consent documentation more closely than ever. The following are the seven most common mistakes providers make, and — more importantly — how to fix each one before your next audit.
Mistake 1: Treating Consent as a One-Off Event
Many providers collect a signed consent form during the intake process and never revisit it. This fundamentally misunderstands the NDIS Commission's expectation. Under the NDIS Practice Standards, consent must be ongoing and dynamic — it can be withdrawn at any time, and providers must actively check that consent remains valid as circumstances, supports, or preferences change.
The fix: Build consent review triggers into your support planning cycle. Document each review in the participant's file, including the date, what was discussed, and whether consent was reaffirmed, modified, or withdrawn. Your policy should state explicitly that consent is not a one-time event.
Mistake 2: Using Inaccessible Language and Formats
A consent policy written in dense legal or clinical language fails participants who have cognitive impairments, low literacy, or who communicate through augmentative and alternative communication (AAC) methods. Consent that is not genuinely understood is not valid consent. The NDIS Practice Standards require that information is provided in a format appropriate to the individual participant's needs and communication style.
The fix: Develop Easy Read versions of your consent forms. Offer audio, visual, and Auslan alternatives where relevant. Document in the participant's file which format was used and why. Your policy should mandate a communication needs assessment before consent is sought.
Mistake 3: Failing to Document Withdrawal of Consent
Providers frequently document initial consent thoroughly but have no clear process for recording when a participant withdraws consent — whether verbally, through behaviour, or in writing. A verbal refusal that is not captured in the participant's record creates significant risk, both for the participant's safety and for the provider during an audit or complaint investigation.
The fix: Your policy must contain an explicit section on withdrawal of consent: what it looks like, who is responsible for recording it, the timeframe for updating the participant's care plan, and how staff are notified. Treat withdrawal documentation with the same rigour as initial consent.
Mistake 4: Not Distinguishing Between Types of Consent
A single generic consent form that covers everything — sharing information with third parties, delivering personal care, administering medication, implementing a behaviour support plan, and photographing a participant — conflates consent types that carry very different legal and ethical weights. Bundling all consent into one form makes it nearly impossible to demonstrate that a participant understood and agreed to each specific matter.
The fix: Separate your consent processes by category. At minimum, distinguish between: consent for service delivery, consent for sharing personal information, consent for the use of restrictive practices (noting that additional regulatory requirements apply here), and consent for photography or media use. Each category should have its own record.
Mistake 5: No Process for Supported Decision-Making
Under the NDIS's rights-based approach, participants — including those with significant cognitive disabilities — are presumed to have decision-making capacity. A consent policy that defaults to obtaining consent from a guardian, nominee, or family member without first attempting to support the participant to make their own decision is inconsistent with the NDIS Code of Conduct and the spirit of the National Disability Insurance Scheme Act 2013.
The fix: Your policy must reflect the supported decision-making hierarchy: support the participant first, involve a supporter or nominated person if needed, and only involve a legal guardian or plan nominee as a last resort or where legally required. Document the steps taken to support the participant's decision in every instance.
Mistake 6: Consent Policy Not Connected to Other Operational Policies
One of the most common non-conformances identified in NDIS quality audits is a consent policy that exists in isolation — not referenced by, or connected to, the provider's incident management policy, restrictive practices policy, privacy policy, or behaviour support procedures. Auditors look for an integrated policy framework, not a collection of standalone documents.
The fix: Map your consent policy to every other policy it touches. Add cross-references in the document itself. When a restrictive practice requires specific consent steps, ensure your restrictive practices policy points to the consent policy and vice versa. This interconnectedness demonstrates systems thinking — a key expectation in the 2026 strengthened standards.
Mistake 7: Ignoring the Emergency and Incapacity Scenarios
Most consent policies focus on routine decision-making and say nothing about what happens when a participant temporarily loses capacity (for example, during a medical emergency or an acute mental health episode), or when a dispute arises between a participant and their nominee. Without a documented process for these scenarios, staff are left to improvise — which creates risk for everyone.
The fix: Add a dedicated section to your policy covering emergency consent, incapacity protocols, and dispute escalation. Reference the relevant provisions of the NDIS Act and any applicable state guardianship legislation. Ensure staff are trained on these scenarios, and that training is recorded.
What a Compliant NDIS Consent Policy Must Include
To consolidate the above, a consent policy that meets NDIS Commission expectations in 2026 should address all of the following:
- A clear definition of consent and the legal basis for requiring it
- The principle of presumption of capacity and supported decision-making
- Consent types (service delivery, information sharing, restrictive practices, media)
- Accessible communication requirements and alternatives
- The process for obtaining, documenting, reviewing, and withdrawing consent
- Roles and responsibilities — who obtains consent, who records it, who is notified
- Emergency and incapacity protocols with escalation pathways
- Connection to related policies (privacy, incident management, behaviour support)
- Staff training obligations and frequency
- Policy review cycle and version control
A Practical Self-Check Before Your Audit
Before submitting to an NDIS quality audit, run your consent policy through these questions:
- Does the policy explicitly state that consent is ongoing and can be withdrawn at any time?
- Does it address Easy Read and alternative communication formats?
- Is there a documented process for when a participant withdraws consent?
- Are consent types separated and clearly defined?
- Does the policy align with supported decision-making principles rather than defaulting to guardians?
- Are cross-references to related policies documented within the policy text?
- Is there a scenario-based section covering emergencies and incapacity?
If you answered "no" to any of the above, the policy needs revision before your audit submission.
Getting the Full Documentation Suite Right
Consent policy gaps rarely occur in isolation — they usually signal broader documentation risk across intake, incident reporting, restrictive practices, and quality governance. If you are preparing for mandatory registration or a re-registration audit under the 2026 framework, it is worth auditing your entire document set, not just the consent policy. The ndiscompliant.com.au 74-document SIL compliance kit includes an audit-ready consent policy alongside the full suite of documents quality auditors check — a practical starting point for providers who need to close multiple gaps efficiently.
Whatever approach you take, the priority is the same: make sure your consent policy reflects real, rights-based practice — not just a box to tick. Auditors and, more importantly, your participants will know the difference.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.