Is a privacy policy mandatory for NDIS registration?

Yes. The NDIS Practice Standards require registered providers to have documented procedures for protecting participant privacy and confidentiality. An approved quality auditor will assess both the policy document and the evidence that it is implemented in practice, including worker training records and consent forms.

Does the Privacy Act 1988 apply to NDIS providers?

It depends on your organisation's size and the type of information you handle. Organisations with an annual turnover above the threshold are covered by the Australian Privacy Principles. However, all registered NDIS providers must handle health and disability information with care regardless of turnover, because the NDIS Practice Standards and the NDIS Act 2013 impose their own obligations.

What is a Notifiable Data Breach and do we need a procedure for it?

A Notifiable Data Breach occurs when personal information is lost or accessed without authorisation and is likely to result in serious harm to the individual. If the Privacy Act applies to your organisation, you are required to notify the OAIC and affected individuals. Even if you are below the threshold, having a documented breach response procedure is considered best practice and may be reviewed during your NDIS audit.

Can we share a participant's information with their family members?

Only if the participant has provided explicit consent or if the person is a legally recognised guardian, nominee, or decision-maker for that participant. Family members do not automatically have a right to access a participant's records. Your policy should include a procedure for verifying authority before any information is released to a third party.

How long do we need to keep participant records?

The NDIS Practice Standards do not specify a single universal retention period. You should consider other applicable legislation (such as state-based health records laws), your insurance obligations, and any disputes that may arise. A documented retention schedule stating the period for each record type and the method of secure disposal is what auditors expect to see.

What happens if our privacy policy is found non-conformant at audit?

The auditor will record a non-conformance which is reported to the NDIS Commission. Depending on severity, this may result in conditions being placed on your registration, a requirement for corrective action within a set timeframe, or in serious cases, referral to the Commissioner. Addressing identified gaps promptly and providing evidence of corrective action is essential.

NDIS Privacy and Confidentiality Policy Checklist for New Providers

Why Privacy and Confidentiality Policy Is Non-Negotiable for NDIS Registration

When you apply for NDIS provider registration, the NDIS Quality and Safeguards Commission will assess your organisation against the NDIS Practice Standards. Privacy and confidentiality sits within the Core Module under the Rights and Responsibilities standard. This means an approved quality auditor will look for documented evidence that you collect, use, store, and disclose participant information lawfully and respectfully — and that every staff member understands their obligations.

The strengthened NDIS Practice Standards framework reinforces that privacy is not a back-office administrative function. It is a fundamental participant right. Getting this wrong can result in audit non-conformances, conditions placed on your registration, or referral to the Commissioner for investigation.

Use the checklist below to build or assess your policy before your certification or verification audit.

The Core Requirements Your Policy Must Address

Before working through the checklist, it helps to understand the key legal and regulatory foundations:

Privacy Act 1988 (Cth) — If your organisation has an annual turnover above the threshold, or handles health information, the Australian Privacy Principles (APPs) apply.
NDIS Practice Standards — The Rights and Responsibilities standard requires that participants are informed of their privacy rights and that information is handled with integrity.
NDIS Code of Conduct — Workers must respect the privacy of people with disability.
NDIS Act 2013 — Contains specific provisions about the disclosure of information relating to NDIS participants.

NDIS Privacy and Confidentiality Policy Checklist

Work through each item and mark it complete only when you have documented evidence — not just an intention to act.

1. Policy Document Foundations

The policy has a clear title, version number, review date, and the name of the accountable person or role.
The policy states its purpose: to protect participant personal and sensitive information in line with the Privacy Act 1988 and NDIS Practice Standards.
The policy lists all categories of information your organisation collects (e.g., contact details, health information, financial information, support plans, incident records).
The policy identifies all the ways information is collected (verbal consent, written forms, referrals, plan managers, other providers).
The policy is written in plain language and is available in accessible formats on request.

2. Consent and Participant Rights

Your intake process includes a written consent form explaining what information is collected, why, and who it may be shared with.
Participants are informed of their right to access, correct, or request deletion of their personal information.
Procedures exist for participants who lack capacity to consent, including the involvement of a guardian, nominee, or plan manager where appropriate.
Participants are told if their information will be used for any secondary purpose (e.g., quality audits, training, research) and separate consent is obtained.
The policy states how consent is recorded and stored.

3. Information Storage and Security

The policy specifies where records are stored (cloud system, locked physical files, or both) and who has access.
Access to participant records is role-based: only staff with a legitimate need can access sensitive information.
Password controls, encryption, or equivalent security measures are documented for electronic records.
Physical records are secured when not in active use (locked cabinets, restricted office access).
A retention and disposal schedule states how long records are kept and how they are securely destroyed when no longer required.

4. Disclosure and Sharing

The policy lists permitted disclosures: other support providers involved in the participant's plan, emergency services, mandatory reporting obligations, and NDIS Commission audits.
Staff understand that they must not share participant information outside these permitted purposes without explicit consent.
Procedures cover how to handle third-party requests (e.g., from family members, legal representatives, other agencies) including verifying identity and authority before releasing any information.
Information sharing with plan managers and support coordinators is covered, with reference to relevant service agreements.

5. Data Breach Response

Your policy includes a data breach response procedure that aligns with the Notifiable Data Breaches scheme under the Privacy Act 1988 (if applicable).
Staff know how to identify a suspected data breach and who to report it to internally.
The procedure states timelines for internal investigation and any required notification to the Office of the Australian Information Commissioner (OAIC) or the affected participant.
Incidents involving privacy breaches are logged and reviewed as part of your incident management system.

6. Worker Training and Accountability

All workers, including contractors and volunteers, receive privacy and confidentiality training as part of their induction.
Training records are maintained and can be produced for an auditor.
Workers sign a confidentiality agreement at the commencement of employment or engagement.
Annual refresher training or acknowledgement is documented.
The policy identifies a Privacy Officer or equivalent responsible person within the organisation.

7. Complaints and Review

Participants are told how to make a complaint about a privacy matter, including the right to escalate to the OAIC or the NDIS Commission.
Privacy complaints are captured in your complaints management system and treated with the same urgency as other complaints.
The policy is reviewed at least annually or following a significant incident, regulatory change, or audit finding.
Review outcomes and any policy updates are documented and communicated to staff.

Common Audit Non-Conformances to Avoid

Approved quality auditors routinely find the following gaps during NDIS registration audits:

Policy exists but procedures do not. A policy statement saying "we protect privacy" is insufficient. Auditors look for step-by-step procedures that workers actually follow.
Consent forms are missing or incomplete. Generic service agreement clauses do not satisfy the requirement for informed consent regarding information handling.
No data breach response procedure. Many smaller providers have never considered this until an auditor asks for it.
Training not documented. Verbal induction training does not count. Records must show who was trained, when, and on what.
Retention schedules absent. Providers keep records indefinitely "just in case" without a documented rationale or destruction process.
No accessible format available. Participants with cognitive or communication disabilities must be able to receive privacy information in a format they can understand.

Practical Example: What a Compliant Consent Clause Looks Like

Element	Example wording in a consent form
What we collect	"We collect your name, contact details, NDIS plan number, health and disability information, and support goals."
Why we collect it	"To deliver the supports listed in your service agreement and meet our obligations under the NDIS Practice Standards."
Who we may share it with	"Other providers named in your plan, your plan manager, the NDIS Commission for audit purposes, or emergency services where safety is at risk."
Your rights	"You may request access to, or correction of, your records at any time by contacting our Privacy Officer."
Complaints	"If you are unhappy with how we handle your information, you may contact the OAIC at oaic.gov.au."

Pulling It All Together Before Your Audit

A solid privacy and confidentiality policy is one document within a much broader compliance framework. New providers approaching registration often find that building each required policy in isolation takes significantly more time than working from an integrated system. The ndiscompliant.com.au 74-document audit-ready SIL compliance kit includes a pre-built privacy and confidentiality policy, consent forms, data breach response procedure, and training records template — all mapped to the current NDIS Practice Standards — which can substantially reduce your preparation time.

Regardless of your approach, the most important thing is that your policy is lived rather than filed. Auditors speak to workers, observe intake processes, and sample participant records. A document that workers have never read will not protect you in an audit.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.