Is a privacy policy required if I am an unregistered NDIS provider?

Unregistered providers are not subject to the NDIS Practice Standards, but they may still have Privacy Act 1988 obligations if they collect health information. Importantly, SIL supports typically require providers to be registered, so most SIL operators will need a compliant privacy and confidentiality policy as part of their Practice Standards obligations.

What is the difference between a privacy policy and a confidentiality policy for NDIS purposes?

In NDIS compliance, the two are often combined in a single document. A privacy policy addresses your obligations under the Privacy Act 1988 and the NDIS Practice Standards regarding how participant personal information is collected, stored, used, and disclosed. A confidentiality policy focuses on worker obligations to keep participant information private. Auditors expect to see both aspects addressed.

How often should an NDIS provider review their privacy and confidentiality policy?

Best practice is to review the policy at least annually and after any significant change to your operations, any privacy breach or incident, or any update to the NDIS Practice Standards or the Privacy Act 1988. Your policy should state its review cycle, and you should keep a record of each review.

Do support workers need to be trained on the privacy policy?

Yes. Auditors assess whether workers have received privacy training, not just whether a policy document exists. Training should cover what types of information are confidential, when disclosure is permitted, how to handle requests from family members or third parties, and what to do if a privacy breach occurs. Training records should be kept for audit purposes.

Can a participant request access to their own records under NDIS rules?

Yes. Participants have a right to access their own records under the Privacy Act 1988 (Australian Privacy Principle 12) and this right is reinforced by the NDIS Practice Standards' emphasis on participant rights and dignity. Your privacy policy should describe the process for participants to make an access request and the timeframe within which your organisation will respond.

What happens if there is a privacy breach involving a participant's NDIS information?

Depending on the nature of the breach, you may have obligations to notify both the Office of the Australian Information Commissioner under the Notifiable Data Breaches scheme and the NDIS Commission if the breach constitutes a reportable incident. Your privacy and confidentiality policy should include a breach response procedure describing how incidents are identified, contained, assessed, and reported.

Do you need an NDIS privacy and confidentiality policy? Provider requirements

Who needs an NDIS privacy and confidentiality policy?

If you are a registered NDIS provider, the short answer is yes — you are required to have a documented privacy and confidentiality policy. This obligation flows from the NDIS Practice Standards, which set out the quality requirements every registered provider must meet and against which approved quality auditors assess your organisation.

For Supported Independent Living (SIL) providers specifically, the stakes are higher than for many other registration groups. SIL involves people living in shared accommodation with high levels of daily support, which means your organisation handles some of the most sensitive personal information imaginable — medical histories, behavioural support plans, financial details, and intimate personal care records. A vague or missing policy is not just a paperwork gap; it is a meaningful risk to participant dignity and safety.

Unregistered providers are not subject to the Practice Standards directly, but the vast majority of SIL funding requires registered providers. If you are delivering SIL, you are almost certainly registered — and if you are registered, a privacy and confidentiality policy is mandatory.

The legal framework behind the requirement

The privacy obligation for NDIS providers sits at the intersection of two distinct legal frameworks:

The NDIS Act 2013 and Quality and Safeguarding Framework — which established the NDIS Commission and gives it enforcement powers over registered providers.
The Privacy Act 1988 (Cth) — which imposes the Australian Privacy Principles (APPs) on entities with annual turnover above the threshold, and on all health service providers regardless of size. Most NDIS providers collecting health information fall within the Privacy Act's reach.

The NDIS Practice Standards sit on top of both frameworks. The Core Module, which applies to all registered providers, includes an explicit standard on privacy and dignity. The High Intensity Daily Personal Activities and SIL modules add further expectations around information management because of the intimate nature of the support delivered.

The strengthened Practice Standards framework, progressively implemented from 2024 and consolidating further into 2026, places renewed emphasis on rights-based practice and participant control over personal information. Auditors now look not only for a policy document but for evidence that workers understand it, that participants have been told about it in an accessible format, and that it is genuinely applied day-to-day.

What your privacy and confidentiality policy must cover

A policy that simply restates the Privacy Act is insufficient. Auditors expect to see a document tailored to your organisation's actual operations. At minimum, your policy should address the following areas:

1. What information you collect and why

Clearly describe the categories of personal and sensitive information your organisation collects — names, contact details, NDIS plan information, health and medical records, behavioural support data, financial information, and any other data relevant to delivering supports. State the lawful basis for collection and the specific purpose each category serves.

2. How information is stored and protected

Explain your storage arrangements for both physical records (locked filing systems, restricted access areas) and electronic records (access controls, encryption, system permissions). Include your data breach response process, referencing your obligations under the Notifiable Data Breaches scheme where the Privacy Act applies to your organisation.

3. Who can access information and under what conditions

Specify which staff roles have access to which types of records, how authorisation is granted, and what happens when a worker leaves your organisation. Address third-party disclosure — when can you share information with allied health professionals, family members, plan managers, or the NDIS Commission? Under what circumstances is consent required?

4. Participant rights

Participants have the right to access their own records, request corrections, and lodge a complaint if they believe their information has been mishandled. Your policy must describe how your organisation gives effect to those rights in practice, including the process for receiving and responding to access requests within a reasonable timeframe.

5. Confidentiality obligations for workers

Your policy should make explicit that confidentiality obligations apply to all workers — employees, contractors, and volunteers — and that these obligations continue after the working relationship ends. Reference your employment contracts, service agreements, or codes of conduct where appropriate.

6. Incident and breach management

Describe how your organisation identifies, manages, and reports privacy breaches. This should connect to your broader incident management policy and your obligations to notify the NDIS Commission of reportable incidents, some of which may involve unauthorised disclosure of participant information.

7. How participants are informed

Participants must be told about your privacy practices in a way they can understand. Your policy should specify when and how privacy information is provided — typically at the point of service agreement — and how you meet accessibility requirements for participants with communication support needs.

What the NDIS Code of Conduct adds

The NDIS Code of Conduct applies to all registered providers and their workers and includes a duty to respect the privacy of people with disability. This is not a passive obligation. Workers who gossip about a participant's situation, share photos without consent, or access records they have no legitimate reason to view are potentially in breach of the Code — and your organisation can be held accountable for not having adequate systems to prevent this.

A well-drafted privacy and confidentiality policy, backed up by worker training records and a complaint-handling process, demonstrates to the Commission that your organisation takes this duty seriously.

What auditors actually look for

When an approved quality auditor assesses your privacy and confidentiality arrangements, they are not simply checking that a document exists. Expect them to review:

Whether the policy is current and has been reviewed within your stated review cycle
Evidence that workers have received training on privacy obligations and that training is documented
Whether participants are given a plain-language summary of your privacy practices at intake
Your consent forms and whether they accurately reflect what you do with information
Whether your information systems (case management software, shared drives, paper files) have appropriate access controls in place
How you have handled any privacy complaints or breaches in the audit period, and what improvements you made

Common non-conformances in SIL audits include policies that have not been reviewed in several years, training records that are missing for newer staff, and consent forms that are too broad or too vague to be meaningful.

Consequences of not having a compliant policy

The NDIS Commission has a range of enforcement tools available when providers fail to meet the Practice Standards. These range from requiring a compliance action plan through to issuing compliance notices, banning orders, and — in serious cases — cancelling registration. Privacy failures that result in harm to participants can also give rise to complaints under the Privacy Act 1988, with the Office of the Australian Information Commissioner (OAIC) having separate investigation and penalty powers.

For SIL providers, the reputational risk is significant. Participants and their families making decisions about where to live are entitled to trust that your organisation handles sensitive information responsibly. A Commission investigation or a publicised privacy breach can undermine that trust in ways that are difficult to repair.

Practical steps to get your policy right

Audit what you currently have. If you have a policy, check when it was last reviewed and whether it reflects how your organisation actually operates today, including any new digital systems or outsourced functions.
Map your information flows. List every type of personal information you collect and trace where it goes — who accesses it, where it is stored, when it is shared, and when it is destroyed.
Write for your workers, not just for auditors. The best policy is one your support workers can read and act on. Use plain language, real examples, and clear guidance on common scenarios such as family members asking for updates.
Connect it to your training program. A policy that sits in a folder is worth little. Schedule induction training and annual refreshers, and keep attendance records.
Review it on a defined cycle. At minimum, review your policy annually and whenever there is a significant change to your operations, a privacy incident, or an update to the NDIS Practice Standards or the Privacy Act.

Providers building out their full SIL compliance document suite will find that privacy and confidentiality is one of a cluster of interconnected policies — alongside incident management, complaints handling, restrictive practices, and worker screening — that auditors assess together. The ndiscompliant.com.au 74-document SIL compliance kit includes a ready-to-customise privacy and confidentiality policy alongside the full range of documents an approved quality auditor expects to see, designed specifically for the 2026 strengthened Practice Standards framework.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.