Is an incident register mandatory for all NDIS providers?

All registered NDIS providers must maintain an incident management system, which requires keeping an incident register. Unregistered providers are not subject to the Practice Standards but must still comply with the NDIS Code of Conduct, and serious incidents involving participants can still be investigated by the Commission.

What is the difference between an incident and a reportable incident?

All incidents involving participants should be recorded in the register. However, only certain incidents — defined in the NDIS (Incident Management and Reportable Incidents) Rules 2018 — must be formally reported to the NDIS Commission. These include participant death, serious injury, abuse, unlawful physical or sexual contact, and use of an unauthorised restrictive practice.

Can I use a spreadsheet as my incident register?

Yes. The Commission does not mandate a specific format. A well-designed spreadsheet, a quality management system, or dedicated compliance software are all acceptable, provided the register captures all required information, is kept current, and is accessible to authorised staff and auditors.

What happens if my incident register is incomplete during an audit?

An incomplete or inadequate incident register is a non-conformance under the NDIS Practice Standards. Depending on severity, the auditor may require a corrective action plan, and the Commission may impose conditions on your registration, issue a compliance notice, or take further enforcement action.

Do SIL providers have additional incident register requirements compared to other providers?

SIL providers are subject to heightened audit scrutiny because SIL is a high-intensity, higher-risk support. They must meet both the Core Module and the High Intensity Daily Personal Activities module of the Practice Standards, which includes robust incident recording, investigation, and reporting. Auditors pay particular attention to restrictive practice incidents and cross-referencing with behaviour support plans in SIL settings.

Do you need an NDIS incident register? Provider requirements

Q: How quickly must I notify the NDIS Commission of a reportable incident?

For the most serious reportable incidents — including death, serious injury, and abuse — providers must submit an initial notification to the Commission within 24 hours of becoming aware of the incident. A full written report must follow within the timeframe specified in the relevant rules.

Who needs an NDIS incident register?

Every registered NDIS provider is legally required to have an incident management system, and a functioning incident register sits at the core of that system. This obligation applies regardless of the size of your organisation — whether you employ a handful of support workers or operate across multiple sites delivering Supported Independent Living (SIL) and other high-intensity supports.

Unregistered providers who deliver supports to NDIS participants are not subject to the NDIS Practice Standards, but they remain bound by the NDIS Code of Conduct and may face scrutiny from the NDIS Quality and Safeguards Commission (the Commission) if incidents involving participants are reported by other means.

For SIL providers specifically, the obligations are heightened. SIL is classified as a higher-risk support, which means providers are audited against the Core Module and the High Intensity Daily Personal Activities module of the NDIS Practice Standards. Both modules require robust incident recording and reporting practices.

What the NDIS Practice Standards require

The NDIS Practice Standards (made under the National Disability Insurance Scheme Act 2013) set out the quality standards that registered providers must meet. The Incident Management standard requires providers to:

Establish, maintain, and implement an incident management system.
Record all incidents, near-misses, and alleged incidents involving NDIS participants.
Investigate incidents in a timely and thorough manner.
Take corrective action to reduce the risk of recurrence.
Report certain incidents to the Commission within required timeframes.
Involve participants in the review process where appropriate and safe to do so.

The incident register is the documentary foundation of this system. Without it, a provider cannot demonstrate compliance during an audit, and there is no reliable mechanism for identifying patterns or systemic risks.

What must an incident register include?

The Commission does not prescribe a single mandatory template, but audit evidence consistently shows that a compliant register must capture the following information for every recorded incident:

Field	What to record
Date and time	When the incident occurred (and when it was reported internally)
Location	The address or setting where the incident took place
Participant identifier	Participant name or unique ID (de-identified in external reports)
Incident type	Classification — e.g., injury, alleged abuse, medication error, unauthorised restrictive practice
Description	Factual, objective account of what occurred
People involved	Staff, participant, third parties, witnesses
Immediate actions taken	First aid, emergency services contacted, participant support provided
Reportability determination	Whether the incident is a reportable incident to the Commission and the basis for that decision
Commission notification status	Date reported, reference number, follow-up submissions lodged
Investigation outcome	Findings, contributing factors, corrective actions
Review sign-off	Name and role of the person who completed the review

Reportable incidents — what must be notified to the Commission?

The NDIS (Incident Management and Reportable Incidents) Rules 2018 define which incidents must be formally reported to the Commission. Reportable incidents include:

Death of an NDIS participant while receiving supports.
Serious injury of an NDIS participant while receiving supports.
Abuse or neglect of an NDIS participant.
Unlawful sexual or physical contact with, or assault of, an NDIS participant.
Sexual misconduct involving an NDIS participant by a provider or worker.
The use of a restrictive practice on a participant that is not authorised under the relevant state or territory law, or that was not in the participant's behaviour support plan.

For the most serious incidents — those involving death, serious injury, or abuse — providers must submit an initial notification to the Commission within 24 hours of becoming aware of the incident. A full written report must then follow within a further prescribed period. Your incident register must track both the initial notification and the finalisation of each reportable incident report.

The 2026 strengthened registration framework

From late 2025 and across 2026, the NDIS Commission has been rolling out the strengthened NDIS Practice Standards and the revised registration framework introduced following the 2023 Independent Review of the NDIS. Key changes relevant to incident registers include:

Greater emphasis on continuous improvement — providers must demonstrate that incident data is actively used to review and improve practices, not merely filed.
Stronger governance expectations — senior leaders and boards are expected to receive regular incident trend reports.
Enhanced scrutiny of incident management during registration renewal audits, with approved quality auditors specifically checking register completeness and timeliness of Commission notifications.
Clearer requirements around worker screening and incident response for SIL and other high-intensity settings.

Providers renewing registration or applying for registration for the first time in 2026 should ensure their incident register and associated policies reflect these strengthened expectations, not just the minimum pre-2024 baseline.

What auditors look for

When an approved quality auditor assesses your incident management system, they are looking for evidence that the register is:

Current and complete — all incidents, including near-misses and minor incidents, are recorded, not just reportable ones.
Consistent with other records — incident entries align with progress notes, medication records, and restrictive practice registers.
Timely — entries are made promptly after the incident, and Commission notifications were submitted within the required timeframes.
Properly investigated — each reportable incident shows evidence of a documented investigation, identified causes, and actions taken.
Used for improvement — incident trends are analysed and the outcomes of that analysis are visible in policy updates, training records, or management meeting minutes.

Common non-conformances found during audits include: incidents recorded in shift notes but not transferred to the register; reportable incidents not notified to the Commission; registers that capture the incident but contain no investigation outcome or corrective action; and registers that are managed by one staff member with no oversight from leadership.

Consequences of non-compliance

Failing to maintain an adequate incident register is not a minor administrative oversight under the NDIS framework. The Commission has broad enforcement powers and can:

Issue a compliance notice requiring immediate remediation.
Impose conditions on your registration.
Suspend or ban a provider or individual worker.
Apply to the Administrative Appeals Tribunal for banning orders against workers who fail to report or who conceal incidents.
Refer matters to police or other authorities where incidents involve potential criminal conduct.

Beyond enforcement, an inadequate register creates serious practical risks: if a participant is harmed and the provider cannot demonstrate it identified, reported, and acted on prior incidents, the reputational and legal exposure is significant.

Steps to set up a compliant incident register

Choose your format — a well-structured spreadsheet, a dedicated quality management system, or purpose-built NDIS compliance software all work, provided they capture the required fields and are accessible to authorised staff.
Define incident categories — align your classification system with the Commission's definitions of reportable incidents so staff can quickly identify what must be reported.
Train all staff — every worker delivering supports must know how to identify an incident, the internal reporting pathway, and the timeframes involved. Document the training.
Assign ownership — nominate a responsible person (typically the practice manager or compliance officer) who reviews entries, signs off investigations, and manages Commission notifications.
Build in a review cycle — schedule quarterly analysis of incident trends and ensure the outcomes of that analysis are recorded and acted upon.
Cross-reference related documents — your incident register should link to your complaints register, restrictive practices register, and behaviour support plans so patterns across these records can be identified.
Test it — run a tabletop exercise with staff: present a scenario and see whether your team can correctly identify it as a reportable incident, complete the entry, and initiate the Commission notification process.

Practical tools and support

If you are building your incident management documentation from scratch or preparing for a registration audit, having a tested, audit-ready template set significantly reduces the time and risk involved. The 74-document SIL compliance kit available at ndiscompliant.com.au includes an incident register template, incident investigation form, and reportable incidents policy — all aligned to the current NDIS Practice Standards and the 2026 strengthened framework. It is designed specifically for SIL and high-intensity support providers who need documentation that will hold up under auditor scrutiny.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.