Why privacy and confidentiality are a core audit focus
For SIL providers and registered NDIS organisations, privacy is not a box-ticking exercise. The NDIS Commission treats the handling of participant information as a direct indicator of participant safety and dignity. During a certification or verification audit, an approved quality auditor will examine your privacy and confidentiality framework closely — not only whether a policy document exists, but whether it is implemented, understood by staff, and reflected in your day-to-day practices.
The obligations stem from multiple sources that auditors hold together: the NDIS Practice Standards (in particular the Rights and Responsibilities module), the NDIS Code of Conduct, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and — from 2026 — the strengthened Practice Standards framework that places greater weight on governance, transparency, and participant-centred documentation.
What an approved quality auditor actually checks
Auditors are trained to look beyond the existence of a policy. They use a triangulation approach: document review, staff interviews, and participant feedback. The following areas are the most commonly examined during a privacy audit.
1. The policy document itself
Auditors will read your privacy and confidentiality policy and expect it to cover, at minimum:
- The types of personal and sensitive information your organisation collects (including health information, disability-related records, financial details, and family circumstances)
- The lawful basis for collecting each category of information
- How information is stored, including physical and electronic security controls
- Who can access participant records and under what circumstances
- Procedures for sharing information with third parties, including other service providers, families, and government agencies
- How participants can access, correct, or request deletion of their own information
- How the organisation responds to a privacy breach or suspected breach
- Reference to the Privacy Act 1988 and Australian Privacy Principles
- A review schedule (typically annual or following a significant incident)
A policy that is generic, undated, or clearly copied from a template without adaptation to your service type will attract scrutiny. Auditors note when the policy does not reflect the realities of the service — for example, a SIL provider whose policy makes no mention of support worker access to in-home records.
2. Consent and information collection procedures
Under the Australian Privacy Principles, organisations must generally collect personal information directly from the individual and only with their knowledge. For NDIS participants, this means your intake process must include a clearly worded consent form that:
- Explains what information is being collected and why
- Identifies who the information may be shared with
- Gives the participant a genuine choice to withhold consent for non-essential disclosures
- Is accessible — written in plain English, available in alternative formats where needed
Auditors will ask to see a sample consent form and may compare it against what participants report they were told during intake.
3. Staff training and awareness
A policy is only as strong as the staff who follow it. Auditors will ask workers directly: "What do you do if a family member calls asking about a participant's support schedule?" or "Where do you store case notes?" Common non-conformances arise when staff cannot articulate the organisation's privacy rules or when training records show privacy has not been covered in induction or refreshers.
Your training evidence should include:
- Induction checklists that include privacy training
- Sign-off records for annual privacy refreshers
- Scenario-based training materials that reflect real situations in your service type
4. Information security controls
Under the NDIS Practice Standards, providers must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access. Auditors will ask about:
- Password policies and multi-factor authentication for electronic records
- Physical document security (locked filing, clean-desk practices)
- Procedures for disposing of records containing personal information
- Controls on personal devices used by support workers
- Cloud storage and third-party software — are data processing agreements in place?
5. Breach identification and response
The Notifiable Data Breaches (NDB) scheme under the Privacy Act requires eligible organisations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm. NDIS providers holding health information are squarely in scope.
Auditors want to see a documented breach response procedure that includes:
- How a potential breach is identified and escalated internally
- The assessment process for determining whether notification is required
- Template notifications for the OAIC and affected participants
- A breach register (even if it contains no entries — a blank register demonstrates the system exists)
6. Participant access and complaints
Participants have the right under the APPs to request access to their own personal information and to have inaccurate information corrected. Auditors check whether your policy and procedures explain how a participant makes such a request, your response timeframe, and the process for managing disagreements about access.
Separately, the NDIS Code of Conduct requires providers to have a complaints management system. Auditors will check that privacy complaints can be lodged through this system and are handled appropriately, including referral to the OAIC where relevant.
Common non-conformances auditors find
| Non-conformance | Why it fails | The fix |
|---|---|---|
| Policy not reviewed within the stated period | Demonstrates policy is not actively managed | Add a calendar-triggered review with sign-off by a named role |
| Staff unaware of breach reporting procedure | Policy exists but is not operationalised | Include breach scenarios in annual training and test knowledge |
| Consent forms do not specify third-party sharing | Breaches APP 5 (notification of collection) | Rewrite intake consent to list all foreseeable sharing parties |
| No data processing agreement with software vendors | Cloud tools handling participant data without contractual controls | Obtain DPAs from each vendor; file with IT register |
| Breach register absent or inaccessible | Cannot demonstrate NDB compliance | Implement a simple register; log even near-misses |
| Policy uses generic language not matching service type | Auditors cannot verify it reflects actual practice | Tailor policy to SIL context — in-home access, shift handovers, family involvement |
The 2026 strengthened framework: what is changing
The NDIS Commission's strengthened Practice Standards, progressively taking effect through 2026, place greater emphasis on governance and operational management. For privacy, this means auditors will probe more deeply into whether privacy obligations are embedded in governance structures — not just documented in a standalone policy. Expect questions about board or leadership oversight of privacy risk, how privacy considerations feature in new service design decisions, and whether your organisation has a named privacy officer or equivalent accountability role.
The strengthened framework also reinforces the link between privacy and participant dignity and autonomy. Auditors will look at whether participants are genuinely informed and in control of their own information, not simply processed through a consent form at intake.
How to prepare: a practical audit-readiness checklist
- Pull your current privacy and confidentiality policy and check the version date and review log.
- Map every category of personal information you hold against the purpose for collection and the APP that applies.
- Review your intake consent form — does it name all third parties you share information with?
- Check training records: has every current staff member completed privacy training in the last 12 months?
- Locate your breach register and confirm the response procedure is documented and tested.
- Obtain or renew data processing agreements with any cloud software vendors.
- Confirm your complaints procedure explicitly covers privacy complaints and references the OAIC as an external avenue.
- Brief your management team on how privacy risk is reported and overseen at a governance level.
If you are working through a full registration or re-registration audit, privacy policy gaps rarely appear in isolation — they tend to sit alongside gaps in incident management documentation, complaints records, and participant rights procedures. The ndiscompliant.com.au 74-document SIL compliance kit includes a fully drafted privacy and confidentiality policy, breach register template, consent form, and staff training acknowledgement forms, aligned to the current Practice Standards and the 2026 strengthened framework — useful if you are building your document set from scratch or conducting a gap review before your audit date.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.