Do NDIS community access providers need to be registered?

Yes. Providers delivering community access supports to NDIS participants who are plan-managed by the NDIA (agency-managed) must be registered with the NDIS Quality and Safeguards Commission. Providers delivering only to self-managed or plan-managed participants may operate unregistered but are still bound by the NDIS Code of Conduct and must have complaints and incident management systems.

How often do policies and procedures need to be reviewed?

The NDIS Practice Standards do not prescribe a single mandatory interval, but auditors expect a documented review cycle — in practice, at least annually and whenever relevant legislation, Commission guidance, or your service model changes. Each document should carry a version number, review date, and named owner.

What are the reportable incident categories for community access providers?

Under the NDIS (Incident Management and Reportable Incidents) Rules 2018, the five categories include: the death of a participant; serious injury; abuse or neglect; unlawful sexual or physical contact or assault; and use of an unauthorised restrictive practice. Community access providers must report these to the Commission within prescribed timeframes — immediate verbal notification for the most serious, followed by a written report.

Do I need a behaviour support policy even if I do not use restrictive practices?

Yes. The Practice Standards require all providers to have a policy addressing restrictive practices. If your organisation does not use them, the policy should explicitly state this commitment and describe how workers respond to challenging behaviour using positive behaviour support approaches. This also protects you if a worker inadvertently uses a practice that meets the regulatory definition.

What is the difference between a policy and a procedure in NDIS compliance terms?

A policy sets your organisation's commitment, principles, and obligations — the 'what and why'. A procedure provides step-by-step operational instructions for how workers carry out that commitment — the 'how'. Both are required. Auditors check that workers can demonstrate the procedure in practice, not just that the policy document exists.

Can I use a generic policy template for community access?

Generic templates are a starting point only. Auditors evaluate whether policies reflect your actual service model — community settings, lone working arrangements, the specific participants you support, and your organisation's size and structure. Templates must be customised with your organisation's name, roles, processes, and the specific risks of community-based delivery before they are audit-ready.

NDIS community access provider: policies and procedures you need (2026)

Why community access providers face tighter scrutiny in 2026

Community access supports sit at the intersection of several high-risk categories under the NDIS Quality and Safeguards Commission framework. Participants are typically in community settings — public spaces, transport, recreational venues — where the provider's ability to supervise, respond to incidents, and uphold rights is tested in real time. The Commission's strengthened Practice Standards, phased in from late 2024 and consolidated through 2025–2026, place greater emphasis on evidence of practice, not just policy on paper.

If your organisation delivers Assistance with Social, Economic and Community Participation (support catalogue item group 04), this guide sets out the minimum policy and procedure framework you need to demonstrate compliance at registration and re-registration — and to survive an unannounced quality audit.

The mandatory policy and procedure suite

The NDIS Practice Standards require registered providers to have documented systems that address each core module applicable to their registration groups. For community access providers, this generally means the Core Module plus, where applicable, the High Intensity Daily Personal Activities module if complex supports are delivered in community. Below is the complete list of policies and associated procedures your compliance file must contain.

1. Rights and responsibilities

Participant rights policy — must articulate participants' right to make decisions, take acceptable risks, and live a life of their choosing. Reference the NDIS Act 2013 objects and principles.
Advocacy access procedure — how workers actively facilitate access to independent advocates, including the National Disability Advocacy Program.
Supported decision-making procedure — practical steps workers take when a participant needs assistance to make a choice, distinct from substituted decision-making.

2. NDIS Code of Conduct

Code of Conduct compliance policy — acknowledgement that all workers (employees, contractors, volunteers) are bound by the Code under the National Disability Insurance Scheme (Code of Conduct) Rules 2018.
Worker obligations procedure — what to do and what not to do in community settings, including obligations around privacy, dignity, and conflicts of interest.

3. Worker screening and recruitment

Worker screening policy — confirms all workers in risk-assessed roles hold a current NDIS Worker Screening Clearance and that checks are verified before commencement.
Recruitment and induction procedure — covers reference checks, qualifications verification, and the minimum content of induction training (Code of Conduct, incident reporting, participant rights, emergency procedures).
Ongoing training and supervision procedure — specifies frequency of supervision, mandatory refresher training, and how worker performance is reviewed.

4. Incident management

This is one of the most scrutinised areas for community access providers because incidents frequently occur away from a fixed site.

Incident management policy — defines what constitutes a reportable incident under the NDIS (Incident Management and Reportable Incidents) Rules 2018, including the five categories of reportable incidents.
Incident reporting procedure — step-by-step: identify, respond, document, notify the Commission within required timeframes, support the participant, and review to prevent recurrence.
Post-incident review template — a structured form that captures root cause, contributing factors, and actions taken.

5. Complaints management

Complaints management policy — affirms participants' right to complain without fear of consequences and describes how complaints are received (verbally, in writing, anonymously).
Complaints handling procedure — acknowledgement timeframes, investigation steps, resolution, escalation to the NDIS Commission if unresolved, and record-keeping requirements.

6. Restrictive practices

Even if your organisation does not intend to use regulated restrictive practices, you need a policy stating this — and a procedure for what happens if a worker inadvertently uses a practice that meets the definition.

Restrictive practices policy — commitment to behaviour support that is positive and least restrictive; acknowledgement of state/territory authorisation requirements where applicable.
Behaviour support procedure — how workers respond to challenging behaviour in community settings without resorting to unauthorised restriction.
Unauthorised restrictive practice reporting procedure — how to identify, document, and report to the Commission.

7. Risk management and safety

Risk management policy — organisation-level commitment to identifying and managing risk to participants, workers, and the public.
Individual risk assessment procedure — how a participant-specific risk assessment is completed before community access activities commence, updated when circumstances change.
Emergency and evacuation procedure — relevant in community settings: what workers do if a participant has a medical emergency, is distressed, or is at risk of harm in a public place.
Lone worker safety procedure — specific to community access, where workers may be alone with a participant in variable environments.

8. Service delivery and planning

Service agreement procedure — how service agreements are developed with participants, what they must contain, and how they are reviewed.
Support planning procedure — how individual support plans are developed in partnership with the participant, incorporating their goals and preferences.
Transition and exit procedure — what happens when a participant leaves your service, including safe handover of records and support continuity.

9. Privacy, confidentiality, and records

Privacy policy — aligned with the Privacy Act 1988 (Cth) and the Australian Privacy Principles; must address collection, use, storage, and disclosure of participant information.
Records management procedure — minimum retention periods, secure storage (physical and digital), and disposal of records.

What auditors actually check in community access

An approved quality auditor assessing a community access provider will look beyond the existence of documents. Under the strengthened standards, auditors evaluate whether policies are implemented and understood by frontline workers. Common non-conformances include:

Incident reports completed late or not at all — particularly for incidents in community where workers may delay reporting because they are uncertain whether the event meets the threshold.
Support plans that do not reflect the participant's current goals — plans written at intake and never reviewed.
Workers unable to articulate the complaints process — policy exists but workers have not been trained on it.
Risk assessments generic rather than participant-specific — a template used for all participants without individual tailoring.
No documented supported decision-making process — workers make decisions for participants without evidence of support to decide.
Screening clearances not verified or lapsed — particularly for contractors and agency staff.

Step-by-step: building your compliant policy suite

Map your registration groups to the applicable Practice Standards modules. If you are registered for group 0104 (Assistance with Social, Economic and Community Participation), confirm which sub-items you deliver.
Gap-analyse your current documents against the list above. Note any missing policies and any existing ones not reviewed in the past 12 months.
Write or update each document to reflect your actual practice — not aspirational statements. Auditors ask workers what they do; the policy must match the answer.
Version-control and date every document. Assign an owner responsible for review.
Train all staff and contractors. Keep attendance records. Induction training and annual refreshers should be documented.
Test your systems: run a mock incident, walk through your complaints procedure, review a support plan against goals. Document the outcomes.
Schedule a review cycle: at minimum annually, and whenever legislation, Commission guidance, or your service model changes.

A note on the 2026 strengthened framework

The NDIS Commission's strengthened Practice Standards bring several changes that directly affect community access providers: a sharper focus on participant outcomes (not just process compliance), new obligations around communicating rights in accessible formats, and stronger requirements around transitions between providers. Ensure your service agreement and support planning procedures explicitly address accessible communication formats for participants with communication support needs.

If you are building your policy suite from scratch or bringing an existing suite up to the strengthened standard, the 74-document audit-ready SIL compliance kit at ndiscompliant.com.au includes community access-specific policies, procedures, and templates pre-mapped to the Practice Standards — a practical starting point to reduce build time significantly.

Key document checklist

Policy / Procedure	Practice Standards link	In your suite?
Participant rights policy	Core Module 1	☐
Supported decision-making procedure	Core Module 1	☐
Code of Conduct compliance policy	Core Module 2	☐
Worker screening policy	Core Module 2	☐
Incident management policy + procedure	Core Module 2	☐
Complaints policy + procedure	Core Module 2	☐
Restrictive practices policy	Core Module 2	☐
Individual risk assessment procedure	Core Module 3	☐
Lone worker safety procedure	Core Module 3	☐
Service agreement procedure	Core Module 3	☐
Support planning procedure	Core Module 3	☐
Privacy policy + records procedure	Core Module 4	☐

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.