Why NDIS providers must have a privacy and confidentiality policy
Registered NDIS providers — including SIL (Supported Independent Living) providers — are required to handle participant information lawfully and ethically. This obligation flows from multiple overlapping frameworks: the Privacy Act 1988 (Cth), the NDIS Act 2013 (Cth), the NDIS Code of Conduct, and the NDIS Practice Standards. Under the strengthened 2026 registration requirements, auditors specifically examine whether providers have a current, implemented privacy policy — not just a filed document — and whether all staff can demonstrate they understand it.
Failing to maintain an adequate privacy policy puts your registration at risk and, more importantly, can cause real harm to participants whose sensitive disability, health, and financial information you hold.
What the NDIS Practice Standards require
The Practice Standards include a dedicated outcome under the Rights and Responsibilities module: participants must be told how their personal information is collected, used, stored, and disclosed, and they must be able to access and correct their records. Specifically, providers must:
- Collect only the personal information necessary to deliver supports.
- Obtain informed consent before collecting, using, or disclosing personal information.
- Store records securely, with access limited to authorised personnel.
- Ensure participants know how to make a privacy complaint and have that complaint responded to promptly.
- Comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988.
The strengthened framework — applied progressively from mid-2024 and embedded in the 2026 audit cycle — places greater emphasis on participant empowerment: the policy must be explained to participants in accessible formats, not simply handed over as a dense PDF.
Filled-in policy sample: what to include and how it reads
The following is a realistic filled-in excerpt modelled on what an approved quality auditor would expect to see. Substitute your organisation's details where indicated in brackets.
Privacy and Confidentiality Policy — Sample Excerpt
Organisation name: Sunrise Ability Services Pty Ltd
Policy number: SAS-POL-014
Version: 3.2
Effective date: 1 July 2025
Review date: 1 July 2026
Policy owner: Chief Operating Officer
1. Purpose
This policy describes how Sunrise Ability Services Pty Ltd collects, uses, stores, and discloses personal information about participants, their families, carers, and workers, in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the NDIS Practice Standards.
2. Scope
This policy applies to all employees, contractors, volunteers, and board members of Sunrise Ability Services who handle personal or sensitive information in the course of their role.
3. What information we collect
We may collect the following categories of information:
- Full name, date of birth, address, and contact details.
- NDIS plan details, funding categories, and support goals.
- Health and disability-related information (this is "sensitive information" as defined in the Privacy Act, so the stricter collection rules in APP 3 apply and it is generally collected only with consent).
- Emergency contact and next-of-kin details.
- Financial information necessary to claim NDIS funding on a participant's behalf.
- Incident reports and restrictive practices documentation where applicable.
4. How we collect information
We collect personal information directly from participants, their nominees, or legal guardians during the intake process, from NDIS plan documents, and from allied health professionals with participant consent. We do not collect information by unlawful or unfair means.
5. Consent
Before collecting sensitive information, we obtain written consent using our Consent to Share Information form (SAS-FORM-007). Participants may withdraw consent at any time by contacting our Privacy Officer. Withdrawal of consent applies from the date it is received; it does not make any earlier collection, use or disclosure that relied on that consent unlawful.
6. Storage and security
Physical records are stored in locked filing cabinets accessible only to authorised staff. Electronic records are held in [Name of case management system], protected by multi-factor authentication and role-based access controls, with access to participant records logged. Records are backed up daily and restoration from backup is tested at least annually. Staff are not permitted to store participant information on personal devices, including in personal messaging apps.
7. Retention and disposal
We retain participant records for a minimum of seven years from the date of last service, or until a participant turns 25 years of age — whichever is later — consistent with obligations under the NDIS (Provider Registration and Practice Standards) Rules 2018. After the retention period, paper records are cross-cut shredded and electronic records are permanently deleted using certified data-erasure methods.
8. Disclosure
We do not sell, rent, or trade personal information. We may disclose participant information to:
- The NDIS Quality and Safeguards Commission in response to a lawful request or as required by the NDIS Act.
- Other service providers involved in a participant's care, with the participant's written consent.
- Emergency services or medical practitioners where we reasonably believe it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual (the Privacy Act no longer requires the threat to be imminent).
- Approved quality auditors during a registration audit.
9. Participant rights
Participants have the right to:
- Access their personal information by submitting a written request to the Privacy Officer.
- Request correction of inaccurate or out-of-date information.
- Make a privacy complaint (see section 10).
- Receive this policy in their preferred language or accessible format on request.
10. Privacy complaints
Participants who believe their privacy has been breached should contact our Privacy Officer in the first instance at [Privacy Officer email address] or by calling our main office. We will acknowledge the complaint within two business days and aim to resolve it within 30 calendar days. If dissatisfied with the outcome, participants may escalate to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au, or to the NDIS Quality and Safeguards Commission.
Step-by-step: how to adapt this sample for your organisation
- Assign a Privacy Officer. Name a specific role (not just a department) and ensure that person has completed privacy training within the past 12 months.
- Identify every system that holds participant data. List case management software, shared drives, email systems, and any paper-based records. Each should appear in your security section.
- Map your consent touchpoints. Intake, plan reviews, information sharing with allied health — each requires a documented consent step. Reference the form numbers you actually use.
- Set a realistic review cycle. Annual review is the minimum expectation under the Practice Standards. Mark a calendar reminder and name who is responsible for triggering the review.
- Translate the policy into plain English and Easy Read. The 2026 strengthened standards emphasise accessible communication. A one-page plain-English summary for participants is strongly recommended.
- Train all staff before the policy is live. Keep sign-off records; auditors will request them.
- Test your breach response process. The policy should link to your Data Breach Response Procedure, and that procedure should be walked through at least once (a tabletop exercise is enough) rather than only filed. Under the Notifiable Data Breaches scheme, a suspected breach must be assessed within 30 days and, if it is likely to result in serious harm to any affected individual, notified to both the OAIC and the affected individuals.
Common gaps auditors find
| Gap | Why it matters |
|---|---|
| No named Privacy Officer | Leaves complaints with no clear owner; non-conformance under Practice Standards |
| Retention period not specified | Risk of premature destruction or indefinite storage |
| Policy not accessible to participants | Breaches APP 1 (the privacy policy must be available in an appropriate form), undermines APP 5 notification of collection, and fails the empowerment outcomes |
| Consent form not cross-referenced | Auditor cannot verify the process is operationalised |
| No mention of data breach response | Notifiable Data Breaches obligations may go unmet |
If you are building or reviewing your full documentation suite, ndiscompliant.com.au offers a 74-document audit-ready SIL compliance kit that includes a fully editable privacy policy template aligned to the current Practice Standards, alongside all other required policies, procedures, and forms.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.