What must be included in an NDIS incident register?

An NDIS incident register must include the date and time of the incident, the date the provider became aware, a participant identifier, a description of what occurred, immediate actions taken, the reportable incident category, whether and when the NDIS Commission was notified, investigation outcomes, corrective actions taken, and confirmation that the participant was informed.

How quickly must a SIL provider notify the NDIS Commission of a reportable incident?

The notification timeframe depends on the category of reportable incident. The most serious incidents — such as the death of a participant — require notification very shortly after the provider first becomes aware. The timeframe clock starts at the point of first knowledge, not after internal review. Providers should consult the NDIS (Incident Management and Reportable Incidents) Rules 2018 and NDIS Commission guidance for the specific timeframes by category.

Does a SIL provider need to link their incident register to their restrictive practices register?

Yes. When an incident involves or results in the use of a regulated restrictive practice — including an emergency or unauthorised use — providers must document the event in both the incident register and the restrictive practice register, with a clear cross-reference between the two records. Both may need to be reported to the NDIS Commission.

How long must an NDIS incident register be retained?

Providers must retain incident registers for the minimum period specified by NDIS Commission requirements and applicable state or territory record-keeping legislation. Because auditors may request historical records during a certification or verification audit, registers should be stored in a secure, accessible, and tamper-evident system for the full required retention period.

What happens if an incident register is found to be non-conformant during an NDIS audit?

A non-conformance in incident management is a serious audit finding. Depending on severity, it can result in conditions being placed on your registration, requirements for a corrective action plan with specified timeframes, additional monitoring, or — in cases of serious non-compliance — referral to the NDIS Commission's compliance and enforcement team.

Are staff required to record incidents they are unsure are 'reportable'?

Best practice — and most compliant — is to record any event that could potentially be a reportable incident at the time of first knowledge and escalate it to the incident manager for formal determination. Self-assessment by frontline workers that leads to non-recording is a common and serious compliance gap. A well-designed incident form with a decision-support prompt reduces this risk.

Common Mistakes in an NDIS Incident Register (2026 Guide for SIL Providers)

Why Your Incident Register Is Under More Scrutiny in 2026

The NDIS Commission's strengthened Practice Standards, which underpin the 2026 mandatory re-registration framework, place incident management at the centre of provider governance. For SIL and disability support providers, the incident register is not merely an administrative record — it is audited evidence of your commitment to participant safety, your capacity to identify systemic risk, and your operational culture. Quality auditors use incident registers to test whether providers are meeting the requirements set out under the NDIS (Incident Management and Reportable Incidents) Rules 2018 and the updated Practice Standards Outcome 2.3 (Incident Management).

Despite this, incident registers remain one of the most commonly non-conformant documents found during NDIS audits. The errors below are drawn from patterns consistent with NDIS Commission guidance materials and audit findings communicated to the sector. Addressing them now will reduce your risk of a non-conformance finding before your next re-registration window.

Mistake 1: Not Recording Every Reportable Incident

The NDIS Commission defines a specific list of reportable incidents — including death of a participant, serious injury, abuse or neglect, unlawful sexual or physical contact, use of restrictive practices not in a behaviour support plan, and the commission of a crime against a participant. Providers frequently omit incidents because staff incorrectly assess the event as "minor" or because the participant appeared unharmed at the time.

The fix: Create a clear internal decision tree so frontline workers never self-assess whether something is reportable. If in doubt, record it and escalate to your incident manager for a formal determination. Your policy should state that every potential incident is logged within your register at the point of first knowledge, regardless of initial severity assessment.

Mistake 2: Missing or Incorrect Notification Timeframes

The NDIS Commission requires that providers notify the Commission of reportable incidents within prescribed timeframes — with the most serious categories (such as the death of a participant) requiring notification within very short windows after the provider becomes aware. A frequent mistake is providers treating the date the incident was reviewed internally as the start of the notification clock, rather than the date it was first known to the organisation.

The fix: Your incident register must include a field for "Date and Time Provider First Became Aware." Train all staff — including after-hours and on-call workers — that notification obligations begin at the point of awareness, not after investigation. Use automated reminders tied to your register so your Incident Manager is alerted to escalate immediately.

Mistake 3: Vague or Incomplete Incident Descriptions

Incident entries that read "participant fell — attended to" are not fit for purpose. NDIS auditors expect each entry to capture: who was involved (using participant identifiers, not full names in unsecured systems), what occurred, where and when it happened, who witnessed it, what immediate action was taken, and the outcome for the participant. Missing any of these elements makes it impossible to identify trends or demonstrate person-centred response.

The fix: Use a structured incident form with mandatory fields. A well-designed register template (whether electronic or paper-based) forces staff to answer each element before the record can be saved or submitted. Where a field cannot be completed at the time, it must be flagged for follow-up with a specified date by which it will be finalised.

Mistake 4: No Follow-Up Actions or Corrective Measures Recorded

Recording that an incident occurred is only the first step. The NDIS Practice Standards require that providers investigate incidents, identify contributing factors, and implement corrective actions to prevent recurrence. Registers that contain only the initial report — with no documentation of investigation outcomes, staff actions taken, or systemic changes made — demonstrate a compliance gap that auditors will note as a significant non-conformance.

The fix: Add dedicated columns or sections to your register for: investigation outcome, root cause identified, corrective action taken, responsible person, and date closed. Close-out entries should be signed off by your Incident Manager or a designated senior staff member. Periodic review — at least quarterly — should be documented to show that register data is being analysed for trends.

Mistake 5: Failing to Link Incidents to the Behaviour Support Plan or Restrictive Practice Register

For SIL providers, many incidents involve or occur alongside the use of regulated restrictive practices. A common failure is treating the incident register and the restrictive practices register as completely separate documents with no cross-referencing. Under the NDIS framework, an incident involving an unauthorised or emergency use of a restrictive practice must be notified to the Commission and recorded in both registers, with a clear link between them.

The fix: Your incident form should include a prompt: "Did this incident involve or result in the use of a restrictive practice?" If yes, the relevant restrictive practice entry reference number should be recorded, and the participant's Behaviour Support Practitioner notified in accordance with your policy. This cross-referencing is a key indicator auditors use to assess integration of your management systems.

Mistake 6: No Evidence of Participant and Family Notification

The NDIS Code of Conduct and strengthened Practice Standards place strong emphasis on transparency with participants and, where applicable, their families or guardians. Providers often document the internal management of an incident thoroughly but omit any record of whether the participant was told what happened, what the outcome of the investigation was, and what changes were made as a result. This is an E-E-A-T gap as well as a compliance gap.

The fix: Add a field to your register: "Was the participant and/or their support network informed? Date and method of communication." Where a participant has a support coordinator or nominee, record their involvement. This demonstrates person-centred practice and directly addresses the Commission's expectation of open disclosure.

Mistake 7: Storing Registers in a Way That Prevents Audit Access

Incident registers stored across multiple spreadsheets, in personal email inboxes, or in paper files that are not retained for the required minimum period create significant audit risk. Approved quality auditors will request access to your incident register as part of your NDIS certification audit. If you cannot produce a complete, chronological, tamper-evident register for the required retention period, you face a non-conformance even if every individual entry was correctly completed.

The fix: Maintain your incident register in a single, secured, consistently formatted system. Ensure your document retention policy specifies the minimum holding period in line with NDIS Commission requirements and relevant state record-keeping legislation. Your register should be accessible to your compliance team within a short timeframe of any audit request.

What a Compliant NDIS Incident Register Entry Must Include

Field	Requirement
Incident reference number	Unique identifier for cross-referencing
Date and time of incident	When the event occurred
Date provider became aware	Triggers notification timeframe obligations
Participant identifier	De-identified where appropriate for data security
Location and service context	Where the incident occurred and what support was being delivered
Description of incident	What happened, who was involved, what was observed
Immediate action taken	First response by staff
Reportable incident category	Classification against NDIS Commission categories
Commission notification date	If applicable; must be within prescribed timeframe
Investigation outcome	Root cause and contributing factors
Corrective action and responsible person	What changed and who is accountable
Participant notification	Date and method of communication with participant/family
Date closed	Signed off by incident manager

Preparing for the 2026 Audit: Priority Actions

Conduct an internal review of your last 12 months of incident entries against the checklist above and identify gaps.
Update your incident form template to make all mandatory fields compulsory before submission.
Deliver a refresher to all SIL support workers on what constitutes a reportable incident and what to do within the first hour.
Establish a quarterly incident register review process that produces a written trend analysis — this is direct audit evidence.
Cross-check your restrictive practice register against your incident register to ensure all linked events are recorded in both.
Confirm your document retention and storage approach meets NDIS Commission requirements.

If your organisation is building or refreshing your full suite of compliance documents ahead of re-registration, the 74-document audit-ready SIL compliance kit available at ndiscompliant.com.au covers incident management policy and register templates alongside all the other Practice Standards documentation your auditors will request.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.