Practice Standard Outcome 2.4: Information Management
Core Module Outcome 2.4 of the NDIS Practice Standards (Information Management) is the primary legislative basis for NDIS documentation requirements. It requires registered providers to demonstrate that they:
- Collect, use, store, and destroy information in accordance with applicable legislation, including the Privacy Act 1988 and relevant state/territory privacy laws
- Maintain records that are accurate, complete, and created in a contemporaneous manner (i.e., at the time of or immediately after the relevant event)
- Protect participant information from unauthorised access, loss, misuse, and interference
- Have systems for managing, retaining, and (when appropriate) destroying records
- Provide participants with access to information held about them
This outcome is assessed at every certification and verification audit. It is also the first thing a Commission compliance inspector will examine following a complaint or reportable incident investigation.
What Records Must Be Kept
NDIS providers are required to maintain records across several categories. Below is a comprehensive overview of what must be kept:
Participant records
- Current NDIS plan (or relevant extracts) for each participant
- Service agreement signed by the participant or their nominee
- Participant Support Plan (including goals, risk assessment, medication details where relevant)
- Progress notes / shift notes for every support delivery session
- Incident reports and associated documentation
- Consent forms (consent to collect information, consent to share information)
- Participant Rights Statement acknowledgement
- Behaviour Support Plan and restrictive practice records (where applicable)
- Medication Administration Records (MARs) where medication support is delivered
Organisational / governance records
- Policies and procedures (current versions plus version history)
- Incident Register
- Complaints Register
- Continuous Improvement Register
- Risk Register
- Document Control Register (Doc 48 in the SIL Rescue Kit)
- Internal Audit Program and Reports
- Board / governance meeting minutes
Workforce records
- Worker Screening Clearances and status records
- Training Register / Matrix (showing completion of mandatory training)
- Signed Code of Conduct Acknowledgements
- Induction checklists
- Supervision records and performance reviews
- Position descriptions and employment contracts
Financial records
- NDIS payment records (service bookings, payment requests)
- Participant Money Register (for providers managing participant funds)
- General financial records (in accordance with relevant financial legislation)
Retention Periods: 7 Years, Age 25, and Other Rules
Understanding retention periods is critical. Destroying records too early is a compliance breach. The key rules under the NDIS (Provider Registration and Practice Standards) Rules 2018 are:
| Record Type | Minimum Retention Period | Notes |
|---|---|---|
| All service delivery records (progress notes, shift notes, incident reports) | 7 years from date created or date of last service | For participants who were minors when service was delivered: retain until participant turns 25 or 7 years, whichever is longer |
| Participant consent forms and rights documents | 7 years from date signed or last service | As above for minors |
| Incident reports and investigation records | 7 years from date of incident | NDIS Commission may request access at any time within registration period and beyond |
| Policies and procedures (superseded versions) | 7 years from date superseded | Document control register must record version history |
| Worker Screening records | Duration of employment + 7 years | Must be able to demonstrate clearances were current at time of service delivery |
| Behaviour Support Plans and restrictive practice records | 7 years from last use | State/territory approval records may have additional requirements |
| Financial records (general) | 7 years (ATO requirement) | May be longer depending on grant or funding conditions |
If you support any participants who are under 18, you must retain their records until they reach 25 years of age — even if this is longer than 7 years. A child supported at age 10 means their records must be kept for at least 15 years. This is a commonly overlooked requirement.
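The retention rules in the table above, worked through as an added example (not part of the original article): it computes the earliest destruction date for a service delivery record, applying the "age 25 or 7 years, whichever is longer" rule for participants who were minors at the time of service, and the "employment plus 7 years" rule for Worker Screening records. It assumes the 7 years run from the later of the creation date and the last service date, which is the conservative reading of the table.

```python
from datetime import date
from typing import Optional

RETENTION_YEARS = 7          # minimum retention for most NDIS record types
ADULT_AGE = 18               # participant counts as a minor if under this at last service
MINOR_RETAIN_UNTIL_AGE = 25  # records of minors are kept until the participant turns 25


def add_years(d: date, years: int) -> date:
    """Add calendar years, moving 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(dob: date, on: date) -> int:
    """Whole years of age on the given date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def earliest_destruction_date(created: date, last_service: date,
                              participant_dob: Optional[date] = None) -> date:
    """Earliest date a service delivery record may be destroyed.

    Base rule: 7 years from the later of creation and last service (assumption:
    the later date is used, which is the conservative reading).
    Minor rule: if the participant was under 18 at last service, keep until
    they turn 25 or for 7 years, whichever is longer.
    """
    base = add_years(max(created, last_service), RETENTION_YEARS)
    if participant_dob is not None and age_on(participant_dob, last_service) < ADULT_AGE:
        return max(base, add_years(participant_dob, MINOR_RETAIN_UNTIL_AGE))
    return base


def worker_screening_destruction_date(employment_end: date) -> date:
    """Worker Screening records: duration of employment plus 7 years."""
    return add_years(employment_end, RETENTION_YEARS)


def may_destroy(destruction_date: date, today: date) -> bool:
    """True only once the retention period has fully elapsed."""
    return today >= destruction_date
```

Feeding a destruction-date check like this into the disposal step of your records system prevents the "destroyed too early" breach described above.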
Electronic vs Paper Records Requirements
Both electronic and paper records are acceptable under the NDIS Practice Standards. The format is less important than whether the records meet the substantive requirements.
Electronic records must:
- Be stored on a system with role-based access controls (only authorised staff can view or edit records)
- Maintain an audit trail showing who created, accessed, or modified any record and when
- Be backed up regularly — with off-site or cloud backup recommended
- Be protected against loss through hardware failure, ransomware, or natural disaster
- Be exportable or printable in a format suitable for audit review
- Comply with Australian privacy law regarding data storage (consider data residency if using offshore cloud providers)
Paper records must:
- Be legible — typed or clearly handwritten
- Be stored in a secure location with restricted physical access (locked filing cabinet in a locked office)
- Be protected from deterioration, moisture, and fire (consider off-site archiving for older records)
- Be indexed or filed in a way that allows easy retrieval for audit
- Be transported securely if removed from the premises
Access and Security Requirements
Under Outcome 2.4 and the Privacy Act 1988, participant information must be protected from unauthorised access. For small providers, this means:
- Staff access controls: Workers should only have access to records relating to participants they support. A casual worker at one SIL house should not have access to records at other houses.
- Visitor access: Hardcopy records should never be left where visitors, contractors, or non-support staff can access them.
- Transmission security: When sharing participant information (e.g., with allied health providers), use encrypted email or secure file transfer. Do not email unencrypted participant files.
- Device security: If workers use personal devices to access documentation systems, these must have password protection and remote wipe capability.
- Disposal: Records that have reached their retention period must be disposed of securely — shredding for paper, secure deletion for electronic records.
Record Integrity: The No Alterations Rule
One of the most serious documentation compliance issues is record alteration. Under both the NDIS Practice Standards and general legal principles, records must not be altered after the fact in a way that misrepresents what was originally documented.
For paper records: If a correction is needed, draw a single line through the incorrect text (so it remains readable), write the correction, and add your initials and the date of the correction. Never use correction fluid (Tipp-Ex) or completely cross out original text.
For electronic records: Your documentation system's audit trail should log every edit made after the original entry with the editor's name, the date, and the time. Providers should not delete and re-enter notes to correct them; edit within the system so the audit trail stays intact.
What auditors look for: Any record where the original entry has been obscured, where dates seem inconsistent, or where the audit trail shows entries made long after the documented event will attract scrutiny. Late entries must be clearly identified as late entries.
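An added example (not code from the article or from any product it mentions) of the electronic equivalent of the single-line-through rule: an append-only progress note log where a correction is a new version that records who changed it, when and why, while the original text stays readable, and where entries written long after the event are flagged as late. The 24-hour late-entry threshold is an assumption; set it to whatever your policy defines.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

LATE_ENTRY_THRESHOLD = timedelta(hours=24)  # assumption: entries later than this are flagged "late"


@dataclass(frozen=True)  # frozen: a version can never be altered once written
class NoteVersion:
    note_id: int
    version: int
    author: str
    event_time: datetime       # when the support was delivered
    entered_at: datetime       # when this version was written into the system
    text: str
    supersedes: Optional[int]  # previous version number; None for the original entry
    reason: Optional[str]      # why a correction was made; None for the original entry

    @property
    def late(self) -> bool:
        """True when this version was entered long after the documented event."""
        return self.entered_at - self.event_time > LATE_ENTRY_THRESHOLD


class ProgressNoteLog:
    """Append-only log: versions are added, never edited or deleted."""

    def __init__(self) -> None:
        self._versions: List[NoteVersion] = []
        self._next_id = 1

    def create(self, author: str, event_time: datetime, entered_at: datetime, text: str) -> NoteVersion:
        v = NoteVersion(self._next_id, 1, author, event_time, entered_at, text, None, None)
        self._next_id += 1
        self._versions.append(v)
        return v

    def correct(self, note_id: int, editor: str, entered_at: datetime, new_text: str, reason: str) -> NoteVersion:
        """Record a correction as a new version; the original stays in the trail, readable."""
        current = self.current(note_id)
        v = NoteVersion(note_id, current.version + 1, editor, current.event_time,
                        entered_at, new_text, current.version, reason)
        self._versions.append(v)
        return v

    def audit_trail(self, note_id: int) -> List[NoteVersion]:
        """Every version of a note, oldest first: who wrote what, and when."""
        trail = [v for v in self._versions if v.note_id == note_id]
        if not trail:
            raise KeyError(f"no note with id {note_id}")
        return trail

    def current(self, note_id: int) -> NoteVersion:
        return self.audit_trail(note_id)[-1]
```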
Participant Access to Their Own Records
Under both the Privacy Act 1988 and the NDIS Practice Standards, participants have the right to access information held about them by their provider. Providers must:
- Respond to participant access requests within a reasonable timeframe (generally 30 days under the Privacy Act)
- Provide records in a format the participant can access (including accessible formats for participants with literacy, vision, or language needs)
- Not charge excessive fees for providing access to records
- Have a documented process for handling access requests
Refusal to provide access to a participant's own records is a serious compliance breach. The only legitimate reasons to decline or limit access include where disclosure would reveal information about another person, or where access could pose a serious and imminent threat to the participant or others — and even then, partial access must be offered.
What Auditors Check in Your Records System
NDIS certification and verification auditors follow a structured evidence-gathering process for Outcome 2.4. Here is what they typically examine:
Document and policy review
- Your Information Management Policy (Doc 12 in the SIL Rescue Kit) — does it exist, is it current, and does it cover collection, use, storage, and disposal?
- Your Document Control Register (Doc 48) — is it maintained, does it show version histories, are review dates current?
- Privacy Notice — is it available to participants and written in plain English?
Sample records review
- Auditors will select a sample of participant files (typically 3–5 for small providers) and review them for completeness
- They check that consent forms are signed, support plans are current, and progress notes cover the service period
- They look for gaps — periods where services were evidently delivered but notes are absent
Records system assessment
- How are records accessed? Who has access to what?
- Where are records stored? Are they secure?
- What is the backup and recovery capability?
- How are records disposed of at end of retention period?
Staff interviews
- Auditors interview workers about how they document support delivery
- They may ask: "Where do you write your shift notes?" "Who can access participant files?" "What do you do if you make a mistake in a note?"
- Worker responses must be consistent with the documented policies and actual practice
Consequences of Inadequate Records
Documentation failures have real consequences. In order of severity:
- Non-conformance finding at audit: The most common outcome. You are given a corrective action timeframe (typically 30–90 days). Must be resolved to maintain or renew registration.
- Conditions on registration: The Commission may impose conditions limiting your scope of support delivery until records are brought up to standard.
- NDIA payment reviews: The NDIA can request records to verify billing claims. Notes that don't document support clearly may result in claims being queried or repayment required.
- Compliance notice: A formal notice requiring specific actions within specified timeframes. Failure to comply can trigger suspension.
- Suspension or cancellation of registration: In serious cases where records failures are persistent or reflect broader governance failures.
- Referral for investigation: Where record failures are associated with incidents or suspected abuse/neglect, the Commission may refer the matter for formal investigation.
Get Your Information Management Documents Audit-Ready
The SIL Rescue Kit includes Doc 12 (Information Management Policy), Doc 48 (Document Control Register), and 63 other audit-ready documents. Everything you need to meet Outcome 2.4 and the full Core Module.
Get the SIL Rescue Kit — $297
Also: Write Better Progress Notes Every Shift
The quality of your daily shift notes is the foundation of your documentation system. The NDISCompliant Notes Rewriter helps every worker produce consistent, audit-ready progress notes. Free.
Try the Notes Rewriter Free
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.