Does every registered NDIS provider need a restrictive practices policy?

No, but the requirement applies more broadly than many providers expect. Any registered provider whose supports involve participants with Behaviour Support Plans, or where a regulated restrictive practice could be used, must have a compliant policy. Providers in purely administrative or low-risk registration groups may not require one, but should document their reasoning.

Can an unregistered NDIS provider implement a restrictive practice?

No. Only registered NDIS providers can implement regulated restrictive practices, and only when operating within an authorised Behaviour Support Plan. Unregistered providers are prohibited from using any regulated restrictive practice under the NDIS Rules.

What happens if a restrictive practice is used without state or territory authorisation?

Using a regulated restrictive practice without authorisation is a breach of the NDIS (Restrictive Practices and Behaviour Support) Rules 2018. It must be reported as a reportable incident to the NDIS Commission, and the provider may face enforcement action including civil penalties or conditions on their registration.

How often does a restrictive practices policy need to be reviewed?

The NDIS Commission does not prescribe a fixed review interval in legislation, but best practice — and what auditors look for — is at least an annual review, or whenever there is a significant change in the types of supports delivered, the participant cohort, or relevant legislation and guidance in your state or territory.

Is environmental restraint really a regulated restrictive practice?

Yes. Environmental restraint is one of the five categories defined in the NDIS Rules and is frequently missed. Locking cupboards to restrict food access, limiting use of personal devices, or restricting access to parts of a home without authorisation all constitute environmental restraint and must be governed by an authorised Behaviour Support Plan.

What do auditors specifically look for in a restrictive practices policy under the 2026 standards?

Under the strengthened 2026 Practice Standards, auditors assess whether the policy is operationally embedded — not just filed. They examine training records, incident data use, reduction pathway evidence, state authorisation processes, and participant engagement. A well-drafted policy that is not reflected in practice will still result in a non-conformance finding.

Do you need an NDIS restrictive practices policy? Provider requirements

Who is required to have a restrictive practices policy?

Not every registered NDIS provider needs a standalone restrictive practices policy, but the scope is wider than many organisations realise. Under the NDIS Practice Standards, a policy is mandatory if your organisation:

delivers supports where a regulated restrictive practice may be used, even infrequently;
supports participants who have an active Behaviour Support Plan (BSP) developed by a specialist behaviour support provider;
employs or engages support workers who may need to implement regulated restrictive practices as directed by an authorised BSP; or
is registered under the Specialist Behaviour Support registration group.

If your organisation operates only in low-risk, non-restrictive supports — for example, plan management or transport — and has no foreseeable contact with regulated practices, you may not require this policy. However, the boundary shifts under the strengthened 2026 framework: providers are expected to demonstrate proactive governance, and an absence of any policy where risk exists is itself a non-conformance finding at audit.

Unregistered providers cannot legally use regulated restrictive practices at all. Only registered providers operating within an authorised BSP framework may implement them.

What counts as a regulated restrictive practice?

The NDIS (Restrictive Practices and Behaviour Support) Rules 2018 define regulated restrictive practices across five categories:

Seclusion — confining a person to a space from which they cannot freely exit.
Chemical restraint — using medication primarily to influence behaviour rather than for a therapeutic purpose.
Mechanical restraint — using a device to prevent, restrict or subdue movement.
Physical restraint — using physical force to prevent, restrict or subdue movement.
Environmental restraint — restricting a person's free access to all parts of their environment, objects or activities.

Environmental restraint is frequently underestimated. Locking a pantry, limiting access to a phone, or restricting movement between rooms without authorisation can all constitute environmental restraint. Your policy must address all five categories, even if your organisation currently implements only one.

What must the policy cover?

The NDIS Commission expects your restrictive practices policy to be a living governance document, not a one-page statement of intent. At minimum, a compliant policy must address the following areas:

1. Rights and dignity foundation

The policy must articulate your organisation's commitment to the human rights of participants, including the right to freedom from restrictive practices and the goal of eliminating their use over time. This is a direct reflection of the United Nations Convention on the Rights of Persons with Disabilities (UNCRPD), which underpins the NDIS framework.

2. Authorisation and governance

The policy must describe how your organisation ensures that any regulated restrictive practice is:

only ever implemented in accordance with an authorised Behaviour Support Plan;
authorised under the relevant state or territory mechanism prior to use; and
reviewed and reduced in line with the BSP and Commission expectations.

Each Australian state and territory has its own authorisation body — for example, a Senior Practitioner, VCAT (Victoria), or NCAT (NSW). Your policy must name the applicable jurisdiction and referencing process for your service area.

3. Staff roles, training and competency

The policy must specify who is responsible for oversight of restrictive practice use within your organisation, what training workers must complete before implementing any practice, and how competency is assessed and recorded. Under the strengthened 2026 standards, worker capability verification is an explicit audit checkpoint.

4. Monitoring, data collection and reporting

Every use of a regulated restrictive practice must be recorded. Your policy must describe your recording system, who reviews incident data, how often reviews occur, and the escalation pathway when a practice is used more frequently than authorised or outside the BSP.

Reportable incidents involving restrictive practices must be notified to the NDIS Commission within the prescribed timeframes under the NDIS (Incident Management and Reportable Incidents) Rules 2018.

5. Reduction and elimination strategy

The regulatory expectation is that restrictive practices are a time-limited, last-resort measure. Your policy must describe how your organisation actively works with the behaviour support provider and participant to reduce and ultimately eliminate the practice. Providers that cannot demonstrate a reduction pathway are at heightened audit risk under the 2026 framework.

6. Participant and family engagement

Consent, where a participant has capacity, and family or guardian involvement where applicable, must be addressed. The policy should describe how participants are informed of any practice, how their feedback is sought, and how complaints about restrictive practices are handled.

Consequences of not having a compliant policy

Operating without a compliant restrictive practices policy — or with a policy that does not reflect current requirements — carries serious consequences:

Audit non-conformance: Approved Quality Auditors assess restrictive practices governance as a standalone quality area. A missing or inadequate policy can result in a non-conformance finding that delays or prevents registration renewal.
NDIS Commission enforcement action: The Commission has broad powers under the NDIS Act 2013, including banning orders, civil penalties, and enforceable undertakings. Unauthorised use of a restrictive practice is an offence under the Rules.
Reportable incident exposure: If a restrictive practice is used without authorisation and without a policy framework governing it, the incident reporting obligation is activated — and the absence of a policy compounds the compliance breach.
Risk to participants: Beyond regulatory consequences, the absence of a governance framework increases the risk of harm to participants, which is the central concern underpinning these requirements.

How the 2026 strengthened Practice Standards change the picture

The NDIS Commission's strengthened Practice Standards, progressively taking effect through 2025 and 2026, increase the specificity of what auditors assess. Key changes relevant to restrictive practices policy include:

A sharper focus on governance systems rather than document existence alone — auditors examine whether policies are operationally embedded, not merely filed;
Explicit requirements around worker training records being current and role-specific;
Greater scrutiny of data use — how does the organisation use its own incident data to drive practice improvement?
Stronger emphasis on the lived experience of participants as evidence of compliance, not just policy text.

Providers preparing for audit in 2026 should treat their existing restrictive practices policy as a review priority, not a completed task.

Practical steps to get compliant

Identify your registration groups and confirm whether any involve support where regulated practices may be used.
Map your current BSPs — list every participant with an active plan and identify which practices are authorised.
Gap-audit your existing policy against the six content areas above. If you have no policy, draft one before your next audit cycle.
Confirm state/territory authorisation pathways for each jurisdiction you operate in.
Review your training matrix to ensure every worker who may implement a practice has completed appropriate training and this is documented.
Establish a reporting calendar — know your incident notification timeframes and assign ownership of reporting.
Schedule an annual policy review and link it to your organisation's quality management cycle.

If you are building or overhauling your SIL compliance documentation suite, the 74-document audit-ready kit available at ndiscompliant.com.au includes a pre-drafted restrictive practices policy, behaviour support governance templates, staff training records, and incident reporting forms — designed to align with the 2026 strengthened standards from the outset.

Summary

If your organisation is registered to provide supports where a regulated restrictive practice could be used — or where participants have Behaviour Support Plans — a restrictive practices policy is not optional. It is a governance requirement enforceable at audit and under the NDIS Act. Under the strengthened 2026 framework, the bar has been raised from document existence to operational embedding. Review your policy now, before your auditors do.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.