NDIS Commission Record Keeping Requirements
The NDIS Practice Standards, specifically the Core Module outcomes relating to information management (Outcome 2.4), require registered providers to maintain records that are accurate, up to date, and complete; stored securely with appropriate access controls; accessible to authorised personnel when needed; retained for the required period; and managed in accordance with Australian Privacy Principles.
The NDIS Commission does not prescribe a specific technology or system for record keeping. Providers can choose their own tools and platforms, provided the records meet the quality and security standards outlined above. This flexibility allows providers to select solutions appropriate to their size and complexity, from simple cloud storage for very small providers to comprehensive NDIS management platforms for larger organisations.
However, flexibility does not mean informality. Auditors expect to see a documented Information Management Policy that describes how your organisation creates, stores, protects, retrieves, and disposes of records. The policy must be implemented in practice, not just written on paper. During audits, assessors typically request specific records and evaluate how quickly and completely they can be produced.
What Records NDIS Providers Must Store
NDIS providers must maintain both participant-related records and organisational records. Here is a comprehensive list of record types that auditors expect to see.
Participant Records
| Record Type | Content | Practice Standard |
|---|---|---|
| Personal details | Name, DOB, address, NDIS number, emergency contacts, cultural background, communication preferences | 1.3, 3.1 |
| Service agreements | Signed agreements specifying services, fees, terms, and conditions | 3.1 |
| Consent forms | Consent to collect, use, and share personal information; consent for specific activities | 1.3 |
| Support plans | Individual support plans linking to NDIS plan goals, support strategies, worker instructions | 1.1, 3.2 |
| Progress notes | Shift-by-shift documentation of support delivered, participant responses, and goal progress | 1.1, 3.2 |
| Risk assessments | Individual risk assessments, safety plans, and mitigation strategies | 2.2 |
| Incident records | Incident reports, investigation outcomes, follow-up actions | 2.4 |
| Complaints | Complaints received, investigation process, resolution, satisfaction follow-up | 1.5 |
| Communication logs | Significant communications with participants, families, support coordinators, and other providers | 1.1 |
Organisational Records
| Record Type | Content | Practice Standard |
|---|---|---|
| Policy documents | All organisational policies, procedures, and guidelines with version control | 2.1, 2.3 |
| Worker records | Employment records, qualifications, screening checks, training records | 2.6 |
| Training register | Training completed, dates, attendees, competency assessments | 2.6 |
| Worker screening register | NDIS Worker Screening Check status, expiry dates, verification records | 2.6 |
| Incident register | Central register of all incidents with status tracking | 2.4 |
| Complaints register | Central register of all complaints with resolution tracking | 1.5 |
| Continuous improvement register | Improvement actions identified, responsible person, completion dates | 2.3 |
| Financial records | Billing records, invoices, payment records, financial reports | 2.5 |
Digital vs Paper Records
The NDIS Commission does not mandate digital record keeping, but in practice, digital records are now the expected standard. Paper-based systems create multiple compliance risks that digital systems address.
Why Digital Records Are Preferred
- Searchability: Digital records can be searched and retrieved in seconds. Paper records require manual searching through filing cabinets, which delays audit responses and compromises day-to-day operations.
- Access control: Digital systems can restrict access based on user roles — workers see participant records relevant to their roster, coordinators see broader information, and management has full access. Paper files in a filing cabinet are accessible to anyone with a key.
- Audit trail: Digital systems log who accessed, created, or modified a record and when. Paper records have no inherent audit trail.
- Backup and recovery: Digital records can be backed up automatically to multiple locations. Paper records destroyed by fire, flood, or theft are gone permanently.
- Remote access: Support workers in the field can access participant information immediately. Paper records require physical access to the office.
- Storage efficiency: Seven years of participant records for 50 participants would fill multiple filing cabinets. The same records fit on a system that costs a few dollars per month.
When Paper Records May Still Be Needed
Some records may originate on paper and need to be digitised:
- signed consent forms and service agreements (scan and store digitally; retain originals or destroy after scanning if your policy permits)
- handwritten notes from situations where technology was not available
- external correspondence received by post
- certificates and qualifications provided by workers in paper form
Best practice is to scan paper documents within 24 hours and store them in the participant's digital file. Many NDIS software platforms allow document uploads and photo attachments for this purpose.
Record Retention Periods
Record retention is a compliance requirement that many small providers overlook until audit time. The consequences of premature record disposal can be severe, particularly if records are needed for an investigation or complaint resolution.
| Record Type | Minimum Retention Period | Notes |
|---|---|---|
| Participant service records | 7 years from creation or last service | Whichever is later |
| Records for child participants | Until participant turns 25 | 7 years after turning 18 |
| Incident records | 7 years minimum | Longer if subject to investigation or legal proceedings |
| Worker records | 7 years after employment ends | Includes screening checks, training, performance records |
| Financial records | 7 years | ATO requirement for tax purposes; aligns with NDIS requirements |
| Restrictive practice records | 7 years minimum | State legislation may require longer retention |
| Complaints records | 7 years from resolution | Including investigation notes and outcomes |
If a participant leaves your service, you must retain their records for the full retention period — not delete them. If a worker resigns, their employment records must also be retained. Your digital record keeping system must support record retention without active user accounts, and must prevent accidental or premature deletion.
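The retention table above, worked through as a disposal-eligibility check. This is an added example, not code from any NDIS platform: the record dictionary layout, the `legal_hold` flag and the sample dates are constructed here, and the periods are the article's stated minimums (state legislation may require longer for restrictive practice records).

```python
from datetime import date

# Added example, not from any NDIS platform: a disposal-eligibility check that
# encodes the retention table above. The record dict layout, the legal_hold
# flag and all sample dates are constructed for this illustration.

YEARS = 7  # the table's common minimum retention period

def add_years(d, years):
    """Move d forward by whole years, clamping 29 Feb to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def age_on(dob, on):
    """Whole years of age on a given date."""
    return on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))

def retention_end(record):
    """Earliest date the record may be destroyed or de-identified, or None when
    no end date exists yet (legal hold, current worker, unresolved complaint)."""
    if record.get("legal_hold"):  # investigation or legal proceedings in progress
        return None
    kind = record["kind"]
    if kind == "participant_service":
        # 7 years from creation or last service, whichever is later
        anchor = max(record["created"], record.get("last_service", record["created"]))
        end = add_years(anchor, YEARS)
        dob = record.get("participant_dob")
        if dob and age_on(dob, anchor) < 18:  # child participant: keep until 25
            end = max(end, add_years(dob, 25))
        return end
    if kind == "worker":
        ended = record.get("employment_end")
        return add_years(ended, YEARS) if ended else None
    if kind == "complaint":
        resolved = record.get("resolved")
        return add_years(resolved, YEARS) if resolved else None
    if kind in ("incident", "financial", "restrictive_practice"):
        return add_years(record["created"], YEARS)
    raise ValueError(f"unknown record kind: {kind}")

def may_dispose(record, today):
    """True only when the minimum retention period has fully elapsed."""
    end = retention_end(record)
    return end is not None and today >= end

def disposal_report(records, today):
    """Split record IDs into those that must be kept and those eligible for disposal."""
    keep, dispose = [], []
    for r in records:
        (dispose if may_dispose(r, today) else keep).append(r["id"])
    return keep, dispose
```

A deletion routine that consults `may_dispose` before removing anything gives you the "prevent accidental or premature deletion" control the paragraph above asks for, independent of whether the participant or worker still has an active account.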
Data Security Requirements
NDIS providers handle highly sensitive personal information, including health records, disability details, behaviour support plans, and incident reports. The security obligations are significant.
Minimum Security Measures
- Unique user accounts for every person who accesses records — no shared logins
- Strong passwords with minimum length requirements and regular rotation
- Multi-factor authentication (MFA) for administrative access where available
- Role-based access controls restricting information to authorised personnel
- Encryption of data in transit (HTTPS/TLS) and at rest
- Automatic session timeouts on unattended devices
- Regular security updates and patches for all software and devices
- Anti-malware protection on all devices that access participant records
- Audit logging of record access, creation, modification, and deletion
- A documented Data Breach Response Plan with clear procedures and responsibilities
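The role-based access and audit-logging points in this list, and the roster-scoped access described under "Why Digital Records Are Preferred", shown as one deny-by-default policy check. This is an added example and not any NDIS platform's code; the roles, record kinds, IDs and the assumption that organisational records are visible to managers only are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Added example, not any NDIS platform's code: a deny-by-default access check
# scoped the way the article describes (workers see only rostered participants,
# coordinators see all participants, managers see everything), with every
# attempt written to an audit log. Roles, IDs and record kinds are constructed.

PARTICIPANT_KINDS = {"support_plan", "progress_note", "risk_assessment", "incident"}
ORGANISATIONAL_KINDS = {"worker_record", "policy", "register"}

@dataclass(frozen=True)
class User:
    user_id: str
    role: str                          # support_worker | coordinator | manager
    roster: frozenset = frozenset()    # participant IDs on this worker's roster

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user, record_id, action, allowed):
        """Log who attempted what on which record, and the outcome."""
        self.entries.append({
            "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user.user_id, "role": user.role,
            "record": record_id, "action": action,
            "outcome": "allowed" if allowed else "denied",
        })

    def accesses_to(self, record_id):
        """Audit question: who touched this record, and was it allowed?"""
        return [e for e in self.entries if e["record"] == record_id]

def can_access(user, participant_id, kind):
    """Pure policy decision; anything not explicitly permitted is denied."""
    if user.role == "manager":
        return True
    if kind in ORGANISATIONAL_KINDS:   # assumption: managers only
        return False
    if kind not in PARTICIPANT_KINDS:  # unknown record kinds are never granted
        return False
    if user.role == "coordinator":
        return True
    if user.role == "support_worker":
        return participant_id in user.roster
    return False

def access_record(user, participant_id, kind, action, log):
    """Enforce the policy and log the attempt, whether allowed or denied."""
    allowed = can_access(user, participant_id, kind)
    log.record(user, f"{participant_id}/{kind}", action, allowed)
    return allowed
```

Denied attempts are logged as well as allowed ones, which is what makes the log useful when an auditor or a breach assessment asks who tried to reach a particular participant's file.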
Mobile Device Security
Support workers access participant records on mobile phones and tablets in the field. Additional security considerations for mobile devices include:
- device passcode or biometric lock requirements
- remote wipe capability for lost or stolen devices
- prohibition on storing participant records locally on personal devices
- use of the software platform's app rather than downloading records to the device
- regular app updates to maintain security patches
Privacy Obligations Under the APPs
The Australian Privacy Principles (APPs) under the Privacy Act 1988 govern how NDIS providers collect, use, store, and disclose personal information. Key principles for record keeping include the following.
APP 1 — Open and Transparent Management
You must have a clearly expressed privacy policy that explains how you handle personal information. This policy should be available to participants and their families. The NDISCompliant SIL Rescue Kit includes a Privacy and Confidentiality Policy and a Privacy Notice in plain English designed for participants.
APP 6 — Use or Disclosure
Personal information can only be used for the purpose it was collected for, or for a directly related secondary purpose that the participant would reasonably expect. Sharing participant information with other providers requires consent unless an exception applies (such as a serious and imminent threat to life).
APP 11 — Security of Personal Information
You must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. When personal information is no longer needed (and the retention period has expired), you must take reasonable steps to destroy or de-identify it.
Notifiable Data Breaches Scheme
If your organisation experiences a data breach that is likely to result in serious harm to affected individuals, you must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals. A data breach response plan is essential — it should define what constitutes a breach, who is responsible for assessment and notification, and the steps to contain and remediate the breach.
Backup and Disaster Recovery
Data loss is not a theoretical risk. Hardware failures, ransomware attacks, accidental deletion, and natural disasters can all destroy records. A robust backup strategy is a compliance requirement, not just an IT best practice.
Backup Requirements
- Frequency: Daily automated backups at minimum. Critical records (progress notes, incidents) should be backed up in real-time or near-real-time.
- Location: Backups stored in a different physical location from the primary data. Cloud-based platforms typically handle this automatically through geographically distributed data centres.
- Testing: Regular restoration testing to verify backups are complete and can be recovered. Untested backups provide false confidence.
- Retention: Backup copies should be retained long enough to recover from incidents discovered days or weeks after they occur. A 30-day backup retention allows recovery from data corruption or accidental deletion that is not immediately noticed.
- Encryption: Backup data must be encrypted to the same standard as primary data.
Disaster Recovery Planning
Your disaster recovery plan should address:
- how records will be accessed if your primary system is unavailable
- who is responsible for activating the recovery plan
- the maximum acceptable downtime before recovery must be complete
- how you will communicate with participants and staff during a system outage
- how you will verify data integrity after recovery
Cloud vs On-Premise Storage
The cloud versus on-premise debate is largely settled for small NDIS providers: cloud storage is the right choice in almost all cases. Here is why.
Cloud Storage Advantages
- Automatic backups: Reputable cloud platforms (AWS, Azure, Google Cloud) replicate data across multiple data centres automatically
- Security updates: The platform provider manages security patches, reducing your IT maintenance burden
- Accessibility: Records accessible from any location with an internet connection — essential for mobile support workers
- Scalability: Storage grows with your needs without hardware purchases
- Disaster resilience: Data centres are designed to survive natural disasters, power outages, and hardware failures
- Cost: Predictable monthly costs rather than upfront hardware investment
On-Premise Storage Considerations
On-premise servers (physical hardware in your office) provide maximum control over data location but create significant responsibilities: hardware maintenance and replacement, backup management, physical security of the server location, software updates and security patching, disaster recovery planning and testing, and IT expertise requirements. For providers with 1 to 50 staff, the cost and complexity of on-premise infrastructure typically exceed the benefits. Cloud-based NDIS software platforms handle all of these responsibilities as part of the subscription.
Australian Data Sovereignty
Data sovereignty refers to the principle that data is subject to the laws of the country where it is stored. For NDIS providers handling sensitive disability and health information, data sovereignty has practical implications.
Australian Privacy Act Requirements
APP 8 (Cross-border Disclosure) requires that before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure the recipient does not breach the APPs. If you transfer personal information overseas and it is mishandled, you remain liable under Australian law.
Practical Recommendations
- Choose NDIS software platforms that store data on Australian servers
- If using international cloud platforms (AWS, Azure, Google Cloud), confirm data residency is set to Australian regions (e.g., ap-southeast-2 for AWS Sydney)
- Ask your software vendor where data is stored and processed — not just stored
- Review your software vendor's data processing agreement to ensure it meets Australian privacy requirements
- Document your data sovereignty decision in your Information Management Policy
Most Australian-built NDIS software platforms (ShiftCare, SupportAbility, Brevity, Careview) store data on Australian servers by default. This is a market differentiator for Australian vendors and simplifies your data sovereignty compliance.
Software Options for Digital Record Keeping
For NDIS providers, digital record keeping typically happens through one of three approaches.
Integrated NDIS Management Platforms
Platforms like ShiftCare, SupportAbility, Brevity, and Careview provide comprehensive record keeping as part of a broader platform that includes rostering, billing, and participant management. This is the recommended approach for most providers because all records are in one system, access controls are built in, audit trails are automatic, and the platform handles backups and security. Read our Best NDIS Software comparison for detailed reviews.
Cloud Storage with Manual Organisation
Very small providers (1 to 5 staff) may use organised cloud storage (such as Google Workspace or Microsoft 365) with a structured folder hierarchy per participant. This approach is affordable but requires disciplined manual organisation, lacks built-in compliance features (access logging, consent expiry tracking), and becomes unmanageable as participant numbers grow.
Document Management Systems
Standalone document management systems (like SharePoint or dedicated DMS platforms) can be used for policy documents, registers, and organisational records while using an NDIS platform for participant records. This hybrid approach is common in medium to large providers with existing document management infrastructure.
Implementing Digital Record Keeping
If you are transitioning from paper or informal digital records to a structured system, follow these steps to ensure compliance from day one.
Step 1: Audit Your Current Records
Before selecting software, map what records you currently have, where they are stored, and what gaps exist. This audit informs your software selection and migration planning.
Step 2: Develop Your Information Management Policy
Document your approach to record creation, storage, access, retention, and disposal. This policy is required for NDIS certification and should be completed before or during your software implementation. The NDISCompliant SIL Rescue Kit includes a complete Information Management Policy template.
Step 3: Select and Configure Your Platform
Choose an NDIS management platform appropriate to your size and service type. Configure access controls, templates, and workflows before going live. Test with a small number of participant records before full migration.
Step 4: Migrate Existing Records
Transfer existing records into the new system systematically. Prioritise current participants first, then historical records. Verify completeness after migration by spot-checking participant files.
Step 5: Train Your Team
Every person who creates, accesses, or manages records needs training on the new system and the information management policy. Training should cover not just how to use the software, but why record keeping matters for compliance and participant outcomes.
Step 6: Monitor and Improve
After implementation, regularly review record quality, completeness, and compliance. Use compliance dashboards (if available in your platform) to identify gaps. Include record keeping in your continuous improvement cycle.
Quality records start with quality documentation. The NDISCompliant Notes Rewriter helps support workers write compliant progress notes that strengthen your participant records at every shift.
Get Your Record Keeping Audit-Ready
The SIL Rescue Kit includes the Information Management Policy, Document Control Register, and Data Breach Response Plan your auditors expect to see.
Get the SIL Rescue Kit — $297
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.