Legislative Context for NDIS Privacy
Privacy for NDIS providers sits at the intersection of multiple pieces of legislation. Your privacy policy must address requirements from all of the following sources:
- Privacy Act 1988 (Cth) — The primary federal legislation governing the handling of personal information, including the 13 Australian Privacy Principles (APPs) and the Notifiable Data Breaches scheme
- NDIS Act 2013 (Cth) — Sections 60 and 67 deal with the protection and use of information by the NDIA and providers
- NDIS (Provider Registration and Practice Standards) Rules 2018 — Outcome 1.3 (Participation and Inclusion) and Outcome 2.4 (Information Management) both have privacy dimensions
- NDIS Code of Conduct — Requires workers to respect the privacy of people with disability
- State and territory health records legislation — Such as the Health Records Act 2001 (Vic), Health Records and Information Privacy Act 2002 (NSW), etc.
The Privacy Act applies to most NDIS providers. While the Act generally applies to organisations with annual turnover exceeding $3 million, it also applies to organisations that provide a health service, which includes most disability support services. This means even small NDIS providers with low turnover are likely covered by the APPs.
All 13 APPs Mapped to NDIS Obligations
The following table maps each of the 13 Australian Privacy Principles to the specific NDIS obligations they create for disability service providers:
| APP | Principle | NDIS Application |
|---|---|---|
| APP 1 | Open and transparent management | Have a clearly expressed, up-to-date privacy policy. Make it available to participants. Train staff on privacy obligations. |
| APP 2 | Anonymity and pseudonymity | Where practicable, individuals may deal with you anonymously. For service delivery, this is rarely practical, but for complaints and feedback it should be offered. |
| APP 3 | Collection of solicited information | Only collect personal information that is reasonably necessary for your functions. For sensitive information (health, disability), obtain explicit consent. Document the purpose of collection. |
| APP 4 | Dealing with unsolicited information | If you receive personal information you did not request (e.g., from a hospital referral), determine whether you could have collected it under APP 3. If not, destroy or de-identify it. |
| APP 5 | Notification of collection | Provide a privacy notice to participants at intake. The notice must state what information you collect, why, who you may share it with, and how they can access and correct it. |
| APP 6 | Use or disclosure | Only use or disclose personal information for the primary purpose it was collected, or a directly related secondary purpose the individual would reasonably expect. Exceptions exist for serious threats to health/safety and law enforcement. |
| APP 7 | Direct marketing | Do not use participant information for direct marketing without explicit consent. This is rarely an issue for NDIS providers but must be addressed in the policy. |
| APP 8 | Cross-border disclosure | If you use cloud services or software hosted overseas, you must take reasonable steps to ensure the overseas recipient handles the information consistently with the APPs. |
| APP 9 | Adoption of government identifiers | Do not adopt NDIS participant numbers as your internal identifier unless operationally necessary. If you use NDIS numbers, do not disclose them inappropriately. |
| APP 10 | Quality of personal information | Take reasonable steps to ensure information is accurate, up-to-date, complete, and relevant. For participant health records, this means regular review and correction. |
| APP 11 | Security of personal information | Protect information from misuse, interference, loss, unauthorised access, modification, or disclosure. This includes physical security (locked cabinets), digital security (passwords, encryption), and staff training. |
| APP 12 | Access to personal information | Participants have the right to access any personal information you hold about them. Respond within 30 days. Limited exceptions apply. |
| APP 13 | Correction of personal information | If a participant requests correction of inaccurate information, you must correct it within 30 days or provide reasons for refusal. |
Consent for Sensitive Information
NDIS providers handle substantial volumes of sensitive information as defined by the Privacy Act. Sensitive information includes:
- Health information: Diagnoses, medical histories, medications, specialist reports, hospital discharge summaries
- Disability information: Disability type, functional assessments, NDIS plan details, support needs assessments
- Biometric information: Photos used for identification purposes
- Racial or ethnic origin: Relevant for cultural safety planning
- Criminal record information: Relevant for participants with forensic disability
Under APP 3, sensitive information can only be collected with the individual’s explicit consent. For NDIS providers, this means:
Consent Requirements
- Consent must be informed — the participant must understand what they are consenting to
- Consent must be voluntary — not coerced or bundled with service agreement consent
- Consent must be specific — specify the types of information being collected and the purposes
- Consent must be current — review consent annually and whenever the scope of information collection changes
- Consent must be documented — use a written consent form signed by the participant or their nominee/guardian
Your privacy policy should include separate consent forms for: consent to collect personal information, and consent to share personal information with specified third parties. These are separate from the service agreement.
For support workers documenting participant information in progress notes, our free NDIS Notes Rewriter helps ensure notes contain only necessary and relevant information, avoiding over-collection of personal details.
Privacy Notice Requirements
APP 5 requires you to notify individuals about the collection of their personal information at or before the time of collection. For NDIS providers, this means providing a privacy notice during participant intake/onboarding. The privacy notice must include:
- Your organisation’s name and contact details
- The types of personal information you collect
- Why you collect this information (the purposes)
- How the information will be used
- Who the information may be disclosed to (categories of recipients)
- Whether any information will be disclosed overseas
- How the participant can access and correct their information
- How to make a complaint about privacy
- The consequences (if any) of not providing the information
The privacy notice must be accessible. Provide it in Easy Read format for participants with intellectual disability. Offer it in the participant’s preferred language. Where a participant cannot read, explain the notice verbally and document that this was done. The SIL Rescue Kit includes a plain-English Privacy Notice (Document 56) specifically designed for participant accessibility.
Notifiable Data Breach Requirements
Part IIIC of the Privacy Act 1988 established the Notifiable Data Breaches (NDB) scheme, which applies to all organisations covered by the APPs. For NDIS providers, the scheme has particular significance because the information you hold — health records, disability information, medication details — is highly sensitive and a breach is more likely to result in “serious harm.”
What Constitutes a Data Breach
A data breach occurs when personal information is subject to unauthorised access, unauthorised disclosure, or loss. Common scenarios for NDIS providers include:
- A staff member’s laptop or phone containing participant records is lost or stolen
- Participant records are emailed to the wrong recipient
- Paper records are left unsecured and accessed by unauthorised persons
- A cyber-attack compromises the provider’s digital systems
- A staff member accesses participant records without a legitimate work reason
- Shift notes or handover sheets are left visible in common areas of a SIL house
Notification Obligations
If a data breach is likely to result in serious harm to any individual whose information is involved, the provider must:
- Conduct an assessment within 30 days of becoming aware of the breach
- If the assessment confirms serious harm is likely, notify the Australian Information Commissioner (OAIC)
- Notify the affected individuals as soon as practicable
- Include in the notification: what happened, what information was involved, what steps the provider is taking, and what steps the individual can take
Your privacy policy should reference the NDB scheme and include or reference a separate Data Breach Response Plan that sets out the step-by-step process for responding to a breach. The SIL Rescue Kit includes a Data Breach Response Plan (Document 59) as a standalone document.
Skip the Writing — Get Audit-Ready Policies Today
The SIL Rescue Kit includes the Privacy and Confidentiality Policy (Document 06), Privacy Notice (Document 56), Consent to Collect Information (Document 29), Consent to Share Information (Document 30), and Data Breach Response Plan (Document 59) — all audit-ready.
Record Retention and Destruction
APP 11 requires you to take reasonable steps to destroy or de-identify personal information when it is no longer needed. However, various legal obligations require you to retain records for specified periods. Your privacy policy must address this tension.
Minimum Retention Periods
| Record Type | Minimum Retention | Authority |
|---|---|---|
| Participant service records | 7 years after last service | General healthcare standard, NDIS Commission guidance |
| Records for child participants | Until participant turns 25 or 7 years after last service, whichever is longer | State health records legislation, best practice |
| Reportable incident records | 7 years from incident date | NDIS (Incident Management and Reportable Incidents) Rules 2018 |
| Employment and screening records | 7 years after employment ceases | Fair Work Act 2009, state worker screening legislation |
| Financial records | 7 years | Income Tax Assessment Act 1997 |
| Complaints records | 7 years from resolution date | NDIS Commission guidance, best practice |
| Restrictive practice records | 7 years from the date of practice | NDIS Commission guidance |
Secure Destruction
When records reach the end of their retention period, they must be securely destroyed. For paper records, this means cross-cut shredding or confidential document destruction services. For digital records, this means permanent deletion from all systems, backups, and archives. Document the destruction in a records destruction register.
Participant Access and Correction Rights
Under APP 12, participants have the right to access any personal information you hold about them. Under APP 13, they have the right to request correction of inaccurate information. Your privacy policy must describe these rights and the process for exercising them.
Access Process
- Participant (or their nominee/guardian) submits an access request verbally or in writing
- Acknowledge the request within 5 business days
- Verify the identity of the requestor
- Provide access within 30 calendar days
- Provide access in the format requested by the participant where practicable (e.g., copies, inspection, electronic format)
- Do not charge excessive fees — the Privacy Act allows a reasonable charge for providing access, but not for searching or retrieving the information
When Access Can Be Refused
Access can be refused in limited circumstances, including where:
- Providing access would reveal information about another person (e.g., another participant in a shared SIL house, or a complainant who wishes to remain anonymous)
- Providing access would pose a serious threat to the life, health, or safety of any individual
- Providing access would prejudice legal proceedings
- The request is frivolous or vexatious
If access is refused, you must provide written reasons and advise the participant of their right to complain to the Office of the Australian Information Commissioner (OAIC).
Third-Party Disclosure Rules
NDIS providers regularly need to share participant information with third parties. Your privacy policy must specify the circumstances in which disclosure is permitted and the safeguards that apply.
Permitted Disclosures
- With consent: Where the participant has given explicit, informed consent for the disclosure (documented in the Consent to Share Information form)
- NDIS Commission: Reporting obligations (reportable incidents, complaints to the Commission) override privacy restrictions
- Health practitioners: Where necessary for the participant’s health care (e.g., sharing medication information with a GP or pharmacist)
- Emergency services: Where there is a serious and imminent threat to life, health, or safety
- Law enforcement: Where required or authorised by law (e.g., police investigation, court order)
- Other NDIS providers: Where necessary for service coordination and the participant has consented
- Guardians and nominees: Where the person has legal authority to receive the information
Safeguards for Disclosure
- Only disclose the minimum information necessary for the purpose
- Use secure transmission methods (encrypted email, secure file sharing) — not standard SMS or social media messaging
- Record every disclosure: date, recipient, information disclosed, purpose, and authority (consent form reference or legal basis)
- Where a participant has consented to disclosure, review the consent at least annually to ensure it remains current
Sharing participant information via personal mobile phones, WhatsApp groups, or unsecured email is one of the most common privacy breaches in small NDIS providers. Your policy must explicitly prohibit the use of personal devices and unsecured channels for transmitting participant information. Specify what channels are approved (e.g., organisational email, approved software platforms).
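As an added illustration (not part of the article or the SIL Rescue Kit documents), the following Python check applies the safeguards above to a disclosure-register entry before it is accepted: the channel must be an approved one rather than SMS, WhatsApp or a personal device, an authority (consent reference or legal basis) must be recorded, and cited consent must be no older than twelve months. The channel lists, field names and sample entries are assumptions.

```python
# Added example: policy checks for a third-party disclosure register.
# Channel lists, field names and sample values are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed approved channels and the channels the policy prohibits.
APPROVED_CHANNELS = {"organisational email", "approved platform"}
PROHIBITED_CHANNELS = {"sms", "whatsapp", "personal phone", "social media"}
CONSENT_MAX_AGE = timedelta(days=365)  # consent is reviewed at least annually


@dataclass
class Disclosure:
    disclosed_on: date
    recipient: str
    information: str                    # minimum information necessary
    purpose: str
    channel: str
    authority: str                      # "consent" or a legal basis
    consent_ref: str = ""               # reference to the signed consent form
    consent_signed: Optional[date] = None


def check_disclosure(d: Disclosure) -> List[str]:
    """Return policy problems; an empty list means the entry may be recorded."""
    problems = []
    channel = d.channel.strip().lower()
    if channel in PROHIBITED_CHANNELS:
        problems.append(f"prohibited channel: {d.channel}")
    elif channel not in APPROVED_CHANNELS:
        problems.append(f"channel not on approved list: {d.channel}")
    if not d.authority.strip():
        problems.append("no authority recorded (consent reference or legal basis)")
    elif d.authority.strip().lower() == "consent":
        if not d.consent_ref or d.consent_signed is None:
            problems.append("consent cited but no signed consent form referenced")
        elif d.disclosed_on - d.consent_signed > CONSENT_MAX_AGE:
            problems.append("consent older than 12 months; review before disclosing")
    if not d.purpose.strip() or not d.information.strip():
        problems.append("purpose and information disclosed must both be recorded")
    return problems


def record_disclosure(register: List[dict], d: Disclosure) -> List[str]:
    """Append the entry to the register only when every check passes."""
    problems = check_disclosure(d)
    if not problems:
        register.append({"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
                         "information": d.information, "purpose": d.purpose,
                         "channel": d.channel, "authority": d.authority,
                         "consent_ref": d.consent_ref})
    return problems
```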
All 25 Audit-Ready Policies — Written and Formatted
Or skip the writing entirely — get all 25 audit-ready policies, 25 forms, 10 registers, and 5 guides in the SIL Rescue Kit ($297). Every document is mapped to the NDIS Practice Standards and ready to customise.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.