What is a reportable incident under the NDIS and does it need to go in the incident register?

Yes. Every reportable incident — including the death of a participant, serious injury, abuse, neglect, unlawful physical or sexual contact, and unauthorised use of restrictive practices — must be recorded in the incident register and also notified to the NDIS Commission as soon as practicable. Non-reportable incidents should also be recorded in the register for internal quality management purposes.

How long must an NDIS provider keep incident register records?

The NDIS (Provider Registration and Practice Standards) Rules set minimum retention periods for records. Providers should also check applicable state or territory legislation, which may impose longer retention obligations, particularly for records involving children or people with complex support needs. When in doubt, retain longer.

Can my NDIS incident register be a spreadsheet or does it need to be software?

The NDIS Commission does not mandate a specific format. A well-designed spreadsheet can be compliant if it captures all required fields, is version-controlled, is stored securely, and can be readily accessed by auditors. Purpose-built quality management software provides added benefits for trend analysis and governance reporting, but is not required.

Do workers need to report incidents directly to the NDIS Commission or only management?

Workers report incidents internally according to your organisation's incident management procedure. It is the registered provider (through its key personnel) who has the legal obligation to notify the NDIS Commission of reportable incidents. However, workers must understand their obligation to report internally without delay, as this triggers the provider's notification timeline.

What happens if we miss the notification deadline for a reportable incident?

Late notification is a compliance breach. The NDIS Commission has broad powers to investigate, issue compliance notices, impose conditions on registration, and in serious cases take further regulatory action. Late notification that is self-identified and reported proactively, with an explanation, is generally treated more favourably than notification only discovered through audit or complaint.

Do incidents involving restrictive practices need to be reported to anyone other than the NDIS Commission?

Yes. Unauthorised use of a restrictive practice is a reportable incident to the NDIS Commission. Additionally, depending on your state or territory, you may need to notify the relevant behaviour support or restrictive practices authorisation body. Providers operating across multiple states must be aware of each jurisdiction's requirements.

NDIS Incident Register Checklist for New Providers (2026)

Why a Compliant Incident Register Is Non-Negotiable for New Providers

For any organisation seeking or holding NDIS registration, the incident register is not simply a piece of paperwork — it is a core operational safeguard that sits at the heart of several NDIS Practice Standards. Auditors from approved quality auditors (AQAs) will examine your register during both initial certification and ongoing surveillance audits. Gaps in the register are one of the most common non-conformances cited against new providers, and they can delay or prevent registration.

The strengthened NDIS Practice Standards framework, which applies to providers from 2026, places even greater emphasis on governance, continuous improvement, and evidence of how providers respond to harm. Your incident register is the primary evidence source for all three.

This checklist is designed specifically for new registered or soon-to-be-registered SIL and disability support providers building their register from scratch.

Part 1 — Incident Register Structure Checklist

Before you record a single incident, your register must have the correct fields. Use this tick-list to confirm your template is complete.

Mandatory Fields for Every Incident Entry

Unique incident reference number — assign a sequential or coded ID so each incident can be traced across your quality management system.
Date and time of the incident — record when the incident occurred, not only when it was discovered or reported internally.
Date and time the incident was identified / reported to management — the gap between occurrence and identification is itself a data point for continuous improvement.
Location of the incident — include address or service site; for in-home SIL, note which participant's home.
Description of the incident — factual, objective narrative of what happened. Avoid opinion or blame language.
Category / type of incident — classify using the NDIS Commission's defined categories (e.g., unexpected death, serious injury, abuse, neglect, use of unauthorised restrictive practice, unlawful sexual or physical contact, etc.).
Participant(s) involved — record participant name or unique identifier consistent with your client management system. Do not leave this blank for incidents affecting unnamed or unidentified people.
Worker(s) or other parties involved — include staff member ID or role; avoid full names in shared registers unless your privacy policy permits it.
Immediate actions taken — what was done at the time to ensure safety? This includes first aid, calling emergency services, removing a risk, or contacting the participant's guardian or support network.
Notification to participant and/or their decision-maker — record when and how the participant (and, where applicable, their nominee, guardian, or carer) was informed.
Was this a reportable incident under the NDIS (Incident Management and Reportable Incidents) Rules? — a clear yes/no field, with reasoning if borderline.
Date and method of NDIS Commission notification (if reportable) — log when you notified the Commission via the myNDIS provider portal, and who submitted the report.
Investigation status — open, under review, completed.
Root cause analysis summary — a brief documented analysis of contributing factors once the investigation is complete.
Corrective and preventive actions (CAPAs) — what systemic changes were made to prevent recurrence?
CAPA due date and completion date — assigns accountability and creates an audit trail.
Responsible person for CAPA — named role or staff member.
Date closed — the incident should remain open until all CAPAs are completed and verified.
Reviewer / approver — governance sign-off confirming the investigation is complete and adequate.

Part 2 — Reportable Incidents: Notification Timelines Checklist

The NDIS (Incident Management and Reportable Incidents) Rules set out specific categories of reportable incidents and require providers to notify the NDIS Commission. Your register must make it easy to track compliance with these obligations.

Incident Type	Initial Notification Requirement	Follow-up / Full Report
Death of an NDIS participant	As soon as practicable (generally understood as within 24 hours)	Full written report within a prescribed period after the initial notification
Serious injury	As soon as practicable	Full report within prescribed period
Abuse or neglect	As soon as practicable	Full report within prescribed period
Unlawful sexual or physical contact	As soon as practicable	Full report within prescribed period
Unauthorised use of a restrictive practice	As soon as practicable	Full report within prescribed period

Important: Always confirm current prescribed timeframes directly with the NDIS Commission or your legal adviser, as the strengthened framework introduced in 2026 may adjust specific notification windows. Never rely on secondhand summaries alone when a participant's safety is at stake.

Part 3 — Governance and Review Checklist

Recording incidents is only the first step. The Practice Standards require providers to demonstrate that incidents drive learning and improvement. Auditors will look for evidence that management actually reviews the register.

The incident register is reviewed at a defined frequency (for most SIL providers this means at minimum monthly, with serious incidents reviewed immediately at leadership level).
Trends and patterns are identified — for example, a cluster of incidents at a particular site, shift time, or involving a particular worker cohort.
Trend analysis is documented in meeting minutes or a quality improvement report.
Outcomes of trend analysis feed into workforce training plans, policy updates, or environmental changes.
The Board or governing body receives regular incident summary reports (not just the full operational register).
Participants and their supporters are informed of outcomes relevant to them, in a way that is accessible and plain-language.
The register and all supporting investigation records are stored securely, with access limited to authorised personnel, consistent with the Privacy Act 1988 (Cth).
Retention periods meet the minimum requirements set under the NDIS (Provider Registration and Practice Standards) Rules and any applicable state legislation.

Part 4 — Restrictive Practices: Additional Register Requirements

If your SIL service involves any regulated restrictive practices — even practices that are transitioning toward authorisation — your incident register needs additional fields:

Type of restrictive practice used (chemical, mechanical, environmental, physical, seclusion).
State or territory authorisation status at the time of the incident.
Whether the use was authorised or unauthorised.
Behaviour support plan reference and whether it was current and in place.
Notification to the relevant state/territory NDIS restrictive practices authorisation body (in addition to the Commission).

Part 5 — Common Gaps Auditors Find in New Provider Registers

Based on the patterns that approved quality auditors consistently identify during NDIS audits, new providers should double-check for these frequent shortfalls before their first audit:

Incidents recorded but never closed — the register shows open entries with no CAPA completion date, signalling that corrective action was not followed through.
Missing participant notification records — providers often act quickly to ensure participant safety but forget to document that the participant or their decision-maker was told what happened and what the outcome was.
Borderline reportable incidents defaulted to "non-reportable" without documented reasoning — if you decide an incident does not need Commission notification, record why.
No root cause analysis — a description of what happened is not the same as an analysis of why it happened and what systemic factor needs to change.
Register stored in a format that cannot be audited — spreadsheets with no version control, or paper registers that are not indexed, are difficult for auditors to review and easy for providers to lose.
Governance sign-off absent — entries have been completed by frontline workers but never reviewed or approved by a manager or quality lead.

Building Your Register into a Broader Quality System

Your incident register should not exist in isolation. Under the strengthened NDIS Practice Standards, it connects directly to your complaints management system, your behaviour support documentation, your workforce training records, and your continuous improvement plan. Auditors are specifically looking for evidence that these systems talk to each other — that a spike in incidents led to a policy change, which was reflected in updated staff training, which is evidenced by sign-off sheets.

For new providers building all of these systems simultaneously, having a structured and pre-mapped document set can significantly reduce the time and risk involved. The 74-document audit-ready SIL compliance kit at ndiscompliant.com.au includes a pre-built incident register template with all mandatory fields, a reportable incident decision tree, and linked CAPA tracking — designed specifically for providers going through initial registration or re-registration under the 2026 framework.

Quick-Reference Summary Checklist

Register template includes all mandatory fields listed in Part 1 above.
Incident categories align with the NDIS Commission's defined reportable incident types.
Notification timelines are documented and staff know them.
Every reportable incident has a Commission notification record in the register.
All entries are reviewed and closed with CAPA sign-off.
Trend analysis occurs at a defined frequency and is documented.
Participant notification is recorded for every relevant entry.
Register is stored securely with defined access controls and retention periods.
Restrictive practice incidents have additional fields completed.
Governing body receives regular summary reporting.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.