Why registered NDIS providers need a privacy and confidentiality policy
Every registered NDIS provider — including SIL (Supported Independent Living) providers — must demonstrate compliance with the NDIS Practice Standards and the NDIS Code of Conduct. The Practice Standards include specific requirements around the rights of participants, governance, and the management of participant information. Approved quality auditors look for a documented, implemented privacy policy as evidence that these obligations are being met.
Beyond the NDIS framework, registered providers handling personal information about participants are also bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Failing to maintain an adequate policy can result in adverse audit findings, conditions on registration, or referral to the NDIS Quality and Safeguards Commission for investigation.
With the strengthened Practice Standards taking effect for new and renewing registrations from 2026, auditors are placing greater scrutiny on whether privacy documentation is embedded in day-to-day operations — not just filed away.
What must your policy cover: the seven core sections
A compliant NDIS privacy and confidentiality policy should address the following areas. Each section maps to a discrete requirement under either the Practice Standards, the Code of Conduct, or the Privacy Act.
- Purpose and scope — State what the policy covers, who it applies to (board, staff, volunteers, contractors), and which services and sites it governs.
- Legal framework — Reference the Privacy Act 1988, the Australian Privacy Principles, the NDIS Act 2013, and the NDIS (Provider Registration and Practice Standards) Rules 2018. This shows auditors you understand your obligations holistically.
- What information you collect and why — List categories of personal and sensitive information collected (support plans, health records, financial details, incident records) and the lawful basis for each category.
- Consent — Describe how and when informed consent is obtained from participants or their nominees before collecting, using, or disclosing information. Include how consent is recorded and reviewed.
- Storage, security, and access controls — Detail physical security (locked cabinets), electronic security (access permissions, encryption, audit trails), retention periods, and the process for secure disposal. The Practice Standards require that participant records are protected from unauthorised access.
- Disclosure and sharing — Clarify when information may be shared without consent (genuine emergency, legal obligation, mandatory reporting) versus when consent is required. SIL providers frequently share information with allied health professionals, families, and funding bodies — each scenario should be addressed.
- Data breach response — Outline the steps your organisation takes when a breach is suspected or confirmed, including notification timelines to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme, and to affected participants.
Additional elements for SIL providers
SIL providers operate in shared living environments, which creates specific confidentiality risks not present in other support types. Your policy should also address:
- Housemate confidentiality — Staff must not disclose one participant's information to another participant sharing the same home, even when sharing appears minor or incidental.
- Visitor and family access — Document how requests from families, guardians, or informal supports to access a participant's records are handled, including how participant consent is verified first.
- Use of personal devices and photographs — Include rules on staff use of personal mobile phones, photographing participants, and sharing images on personal or organisational social media.
- Restrictive practice documentation — If your service uses or monitors any regulated restrictive practices, records relating to those practices carry heightened sensitivity and your policy should reflect additional controls.
Step-by-step: how to write your policy
- Map your information flows. Before writing, trace every point where participant information enters, moves through, and exits your organisation. This prevents gaps in the policy.
- Assign a policy owner. The NDIS Practice Standards expect that a specific role (typically a Practice Manager or Compliance Officer) is accountable for the policy. Name the role in the document.
- Draft using plain language. Participants and their nominees have the right to access their records and understand how their information is used. Write in plain English at approximately a Year 8 reading level.
- Cross-reference your other documents. Link to your complaints policy, incident management procedure, and consent forms. Auditors evaluate documents as a system, not in isolation.
- Include a review clause. Specify that the policy will be reviewed at least annually and after any significant incident, legislative change, or audit finding. Record the date of last review and the scheduled next review on the cover page.
- Obtain board or leadership sign-off. The Practice Standards require that governance arrangements are in place. A dated signature from the CEO or Board Chair demonstrates this.
- Communicate the policy to all staff. Document how staff are made aware of the policy (induction, annual training) and keep records of acknowledgement. Auditors may request evidence of staff training.
Example: policy excerpt (template snippet)
Document title: Privacy and Confidentiality Policy
Version: 3.0 | Review date: July 2027 | Owner: Practice Manager
Section 4 — Consent
Bright Futures SIL Services will obtain informed consent from each participant, or their authorised representative, before collecting sensitive personal information. Consent will be:
- Obtained in writing using the Participant Consent to Collect and Use Personal Information form (Form SIL-03);
- Explained verbally in the participant's preferred language or communication format prior to signing;
- Recorded in the participant's electronic file within one business day of being obtained;
- Reviewed at each annual support plan review, or sooner if the participant's circumstances change.
Where a participant does not have capacity to provide consent, Bright Futures will seek consent from the participant's guardian or nominee and document the basis for this decision in the participant's record.
Adapt the above to reflect your organisation's actual forms, systems, and decision-making processes. Do not submit a policy that still contains template placeholder text — auditors treat this as evidence that the document has not been implemented.
What auditors check during a privacy audit
Approved quality auditors will look for evidence that the policy is lived, not just written. Common audit activities include:
- Interviewing staff on their understanding of privacy obligations and what to do in a breach
- Reviewing a sample of participant files to confirm consent forms are present and current
- Inspecting physical storage (cabinets locked, visitor access restricted)
- Checking electronic access logs or permissions settings for case management software
- Requesting training records to confirm all staff have completed privacy induction
The most common non-conformance finding in this area is a policy that exists on paper but has not been translated into staff practice — particularly around photographing participants or sharing information with family members without verified consent.
Keeping the policy current in 2026
The NDIS Commission's strengthened Practice Standards introduce a greater emphasis on continuous improvement and proactive risk management. Providers should treat their privacy policy as a living document. Schedule a formal review whenever:
- There is a change to the Privacy Act or Australian Privacy Principles (including any future reforms)
- A notifiable data breach occurs
- A new digital system for storing participant records is introduced
- An audit finding or complaint relates to information management
If you are building or refreshing your compliance document suite, the 74-document audit-ready SIL compliance kit at ndiscompliant.com.au includes an editable privacy policy template alongside consent forms, incident procedures, and all other documents typically requested at audit — which can save considerable time at renewal.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.