Who must have an NDIS code of conduct policy?
The short answer is: every registered NDIS provider. The NDIS Code of Conduct, established under the National Disability Insurance Scheme (Code of Conduct) Rules 2018, applies to all registered providers and their workers — regardless of the size of the organisation, the supports delivered, or the registration group. SIL providers, core support workers, therapy providers, and plan managers are all covered.
Unregistered providers are also subject to the Code of Conduct under the NDIS Act 2013, even though they are not audited against the Practice Standards. This means the obligation to behave in accordance with the Code is universal, but the obligation to maintain a documented policy is enforced through the Practice Standards for registered providers.
For SIL providers specifically, the stakes are higher. Because SIL involves workers providing supports in participants' homes — often to people with complex support needs and limited ability to self-advocate — the Commission treats documentary evidence of code-of-conduct governance as a core safeguarding requirement.
Why the Code of Conduct matters legally
The NDIS Code of Conduct is not a guideline or a best-practice aspiration. It is a legally binding instrument made under the NDIS (Incident Management and Reportable Incidents) Rules and the broader NDIS legislative framework. Breaches can result in:
- Banning orders against individual workers
- Compliance notices and directions issued to providers
- Enforceable undertakings
- Civil penalties for providers and, in serious cases, for workers personally
- Suspension or revocation of provider registration
The seven obligations in the Code require providers and workers to act with respect for individual rights, respect privacy, provide supports safely and competently, act with integrity, take reasonable steps to prevent and respond to violence and abuse, take reasonable steps to prevent sexual misconduct, and not engage in any form of exploitation.
Having a policy is not just about ticking a box — it is the mechanism by which providers demonstrate that these obligations have been embedded into their organisation's operating culture.
What the NDIS Practice Standards require
The NDIS Practice Standards set out what registered providers must do to comply with the NDIS Act. Under the strengthened 2026 framework, providers are assessed against the Practice Standards during initial registration and renewal audits conducted by approved quality auditors.
The Practice Standards relevant to a code of conduct policy sit primarily within the Rights and Responsibilities and Governance and Operational Management modules. Specifically, providers must demonstrate:
- That they have documented policies and procedures governing worker conduct
- That workers are informed of their obligations under the Code of Conduct at the point of recruitment and through ongoing training
- That the organisation has screening, supervision, and performance management processes tied to code-of-conduct standards
- That complaints and incidents related to worker conduct are managed in accordance with documented procedures
For SIL providers audited under the High Intensity Support module, auditors will also look at how the code of conduct intersects with the management of restrictive practices and behaviour support — areas where worker conduct failures carry the most serious risk of harm.
What your code of conduct policy must cover
A compliant code of conduct policy is more than a list of the seven Code of Conduct obligations pasted onto a page. Auditors assess whether the document is genuinely embedded in your governance and operational practices. Your policy should address the following elements:
- Statement of commitment — A clear organisational commitment to upholding the NDIS Code of Conduct, signed or endorsed by leadership.
- Scope — Who the policy applies to: employees, contractors, volunteers, and students on placement.
- The seven Code of Conduct obligations — Each obligation stated clearly, with practical examples relevant to your service context.
- Worker responsibilities — What workers are expected to do, including how to raise concerns about the conduct of colleagues.
- Provider responsibilities — How the organisation will screen, induct, train, supervise, and performance-manage workers in relation to the Code.
- Breach response process — How allegations of Code of Conduct breaches are investigated, what happens to workers during investigation, and how outcomes are recorded and acted upon.
- Reporting obligations — Reference to reportable incident obligations and the worker screening exclusion check process.
- Link to related policies — Cross-references to your complaints management, incident management, safeguarding, and restrictive practices policies.
- Review schedule — The policy must be dated, version-controlled, and reviewed at least annually or when the Commission updates the Code.
Common gaps that lead to non-conformances
Based on the Practice Standards framework and Commission guidance, the following are the gaps most frequently identified when providers are audited:
- Generic templates not contextualised — Policies that reproduce the Code verbatim but provide no organisation-specific examples or procedures.
- No evidence of worker acknowledgement — There is no signed induction record or training log showing workers have read and understood the policy.
- Breach response left undefined — The policy states breaches will be "dealt with appropriately" but does not describe what that process actually involves.
- Policy not linked to incident management — The code of conduct policy sits in isolation rather than being integrated with reportable incident and complaints procedures.
- Out-of-date content — Policies that pre-date the strengthened 2026 Practice Standards and have not been updated to reflect the revised framework.
- No coverage of contractors and volunteers — The policy only applies to paid employees, leaving gaps for a workforce that often includes agency staff and volunteers in SIL settings.
The strengthened 2026 framework: what has changed
The NDIS Commission introduced a strengthened set of Practice Standards as part of the broader reforms flowing from the Independent Review of the NDIS. For providers who deliver higher-risk supports — particularly SIL, specialist disability accommodation, and behaviour support — the 2026 framework places greater emphasis on:
- Worker screening and ongoing workforce governance
- Proactive safeguarding rather than reactive incident reporting
- Provider governance accountability at board and senior leadership level
- Demonstrated organisational culture aligned to participant rights
This means a code of conduct policy that was adequate in 2022 may not satisfy an auditor under the current framework if it lacks a genuine governance narrative and does not show how leadership enforces the Code in practice.
Practical steps to get your policy audit-ready
- Download the current NDIS Code of Conduct Rules from the Federal Register of Legislation and use them as your primary source document.
- Map each of the seven obligations to a practical, service-specific example from your organisation's context.
- Ensure the policy applies to all workers — including agency staff, contractors, and volunteers — and that your contracts and service agreements reflect this.
- Build a simple induction checklist that records when each worker has been trained on the policy and when they acknowledged reading it.
- Cross-reference the policy with your incident management, complaints, and restrictive practices policies so the documents work as an integrated governance system.
- Set a calendar reminder for annual review, tied to any Commission updates or changes to the Practice Standards.
- Ask a senior leader to sign the policy and date it — this demonstrates board-level ownership, which auditors increasingly look for under the 2026 framework.
Getting your documents in order
For SIL providers building or updating their compliance documentation, the ndiscompliant.com.au 74-document audit-ready SIL compliance kit includes a fully drafted, version-controlled Code of Conduct Policy alongside the full suite of policies, procedures, and registers that auditors assess — a practical starting point for providers who want to meet the 2026 Practice Standards without building each document from scratch.
The NDIS Commission publishes detailed guidance on both the Code of Conduct and the Practice Standards on its website, and providers should check ndiscommission.gov.au regularly for updates as the 2026 framework continues to be implemented.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.