Why Your Privacy and Confidentiality Policy Is a High-Risk Document

For SIL providers and other registered NDIS providers, the privacy and confidentiality policy is not a box-ticking formality. It sits at the intersection of the NDIS Practice Standards, the NDIS Code of Conduct, the Privacy Act 1988 (Cth), and — from 2026 — the strengthened registration framework that the NDIS Commission is progressively rolling out. A policy that looks complete on paper but contains structural gaps can trigger non-conformance findings at audit and, more seriously, can leave participants without the protections they are entitled to.

The mistakes below are drawn from the types of deficiencies commonly identified during NDIS quality audits and Commission compliance reviews. If you recognise your current policy in any of them, the time to act is before your next audit cycle, not after a finding is issued.

Mistake 1: Treating the Policy as a Generic Privacy Statement

Many providers adapt an off-the-shelf privacy policy written for general business use. These documents typically address how a commercial entity handles customer data under the Australian Privacy Principles (APPs), but they make no reference to the specific obligations that apply to an NDIS provider: consent for highly sensitive participant information, mandatory incident reporting to the Commission, restrictive practice records, and a participant access and correction process that people with support needs can actually use. Each of these is addressed in the mistakes below.

The fix: Start with the NDIS Practice Standards and Code of Conduct as your framework. A generic APP-compliant policy is a starting point only — layer in every NDIS-specific obligation explicitly.

Mistake 2: Omitting Participant Consent Provisions

The NDIS Practice Standards require that participants are actively involved in decisions about their own supports, which extends to how their personal and sensitive information is collected, used and shared. A policy that simply says "we collect information to deliver services" without explaining when and how participant consent is obtained — and what a participant can do if they withdraw it — is substantively incomplete.

This is especially important for SIL providers because the information held is often highly sensitive: health diagnoses, behaviour support plans, restrictive practice authorisations, medication records, and incident reports. Each category of sensitive information carries its own consent considerations under both the Privacy Act and the Practice Standards.

The fix: Include a dedicated section describing what constitutes consent in your organisation, how consent is documented, the process for a participant to vary or withdraw consent, and what happens to service delivery if certain information cannot be shared.

Mistake 3: No Reference to Incident Reporting Disclosure Rules

Registered NDIS providers are required to report certain incidents to the NDIS Commission under the mandatory incident management and reportable incidents framework. A privacy and confidentiality policy that makes no mention of this creates a false impression that all participant information is held in strict confidence at all times.

Auditors will check whether your policy accurately describes the lawful bases for disclosing participant information without consent — including mandatory reporting to the Commission, disclosure to law enforcement where required by law, and sharing with other providers when necessary to ensure continuity of safe supports.

The fix: Add a clear section titled something like "When we may disclose information without your consent." List each lawful basis: mandatory incident reporting, compliance with Commission investigations, court or tribunal orders, and duty-of-care disclosures. Cite the relevant legislative authority for each.

Mistake 4: Failing to Cover Restrictive Practice Records

SIL providers that use regulated restrictive practices are required to maintain detailed records and report to the NDIS Commission. These records contain highly sensitive information about a participant's behaviour and the nature of the restrictions applied. Many privacy policies are silent on how these records are stored, who can access them, and when they can be shared (for example, with a behaviour support practitioner, a state/territory authorising body, or the Commission itself).

This silence is a non-conformance risk under the Behaviour Support module of the Practice Standards and under the NDIS (Restrictive Practices and Behaviour Support) Rules.

The fix: Add a specific provision addressing behaviour support and restrictive practice records — who holds them, the minimum retention period, access rights, and the disclosure pathway to authorised bodies.

Mistake 5: Not Describing Participant Access and Correction Rights

Under Australian Privacy Principle 12, individuals have the right to access their personal information, and under APP 13 they have the right to request correction of inaccurate information. Many NDIS provider policies acknowledge these rights in a single vague sentence without explaining how a participant actually exercises them.

From an audit perspective, the question is not just whether the right exists in your policy — it is whether a participant with a cognitive or communication disability could reasonably navigate your process to exercise it. Auditors are increasingly alert to whether policies are written in plain language and whether participants with support needs have a realistic pathway to act on their rights.

The fix: Describe the access and correction process step by step. Specify who a participant contacts, the expected timeframe for a response, whether a supported decision-making process is available, and what happens if a correction request is disputed.

Mistake 6: Outdated References to Superseded Legislation or Standards

The NDIS regulatory framework has evolved significantly since the Commission began operating, and the 2026 strengthened registration framework introduces further changes to how providers are assessed. Policies written against earlier versions of the Practice Standards — or that reference outdated Privacy Act provisions — will contain references that are no longer accurate.

Auditors will note whether your policy reflects the current legislative and standards environment. A policy that still references old module numbering, for example, signals that the document has not been reviewed and updated as required by your own document control obligations.

The fix: Build a scheduled review cycle into your document control register — at minimum annually, and immediately whenever the NDIS Commission publishes updated Practice Standards, guidance, or rules. Include version history and a next-review date on the face of the policy.

Mistake 7: No Staff Training or Accountability Mechanism

A privacy and confidentiality policy that exists as a PDF on a shared drive but is never referenced in staff induction, supervision, or training does not constitute a functioning system. The NDIS Practice Standards require providers to demonstrate that workers understand and comply with privacy and confidentiality obligations — not merely that a document exists.

Auditors may ask for evidence of staff training on privacy, records of policy acknowledgement, and examples of how privacy breaches have been managed. If your policy document is your only evidence, that is unlikely to satisfy the evidence requirements.

The fix: Attach your privacy policy to a training register. Include privacy awareness in staff induction and annual refresher cycles. Document how staff are made aware of their obligations and what the escalation process is when a privacy incident occurs.

A Practical Self-Audit Checklist

| Element | Present? | NDIS Reference |
|---|---|---|
| Explicit reference to NDIS Practice Standards and Code of Conduct | Yes / No | NDIS Practice Standards; Code of Conduct |
| Participant consent process for sensitive information | Yes / No | APP 3, APP 6; Practice Standards |
| Lawful disclosure without consent (incident reporting, law enforcement, duty of care) | Yes / No | NDIS (Incident Management) Rules; NDIS Act s. 67 |
| Restrictive practice records: storage, access, and disclosure | Yes / No | NDIS (Restrictive Practices and Behaviour Support) Rules |
| Participant access and correction rights with a clear process | Yes / No | APP 12, APP 13 |
| Version history, review date, and document owner | Yes / No | Practice Standards (Management Systems) |
| Evidence of staff training and acknowledgement | Yes / No | Practice Standards (Human Resources) |

Getting Your Documents Audit-Ready

Addressing these mistakes individually is achievable, but a privacy and confidentiality policy does not stand alone — it connects to your incident management policy, behaviour support policy, complaints policy, information management procedures, and staff training framework. If one document has gaps, the gaps often exist across the suite.

The ndiscompliant.com.au 74-document SIL compliance kit includes an NDIS-specific privacy and confidentiality policy template alongside the full document suite that approved auditors look for — built against the current Practice Standards and updated for the 2026 strengthened framework. It is a practical starting point for providers who need to close gaps quickly without rebuilding from scratch.

Whatever approach you take, the goal is the same: a policy that accurately reflects your obligations, is understood by your staff, and genuinely protects the people you support.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.