What must an NDIS privacy policy include?

An NDIS privacy policy must address: what personal information is collected and why; the legal basis for collection (consent, or a permitted purpose under the Privacy Act 1988); how information is stored, secured, and protected; who can access participant information and under what circumstances; how information is shared with third parties (and the consent required); participant rights to access and correct their own information; data breach notification obligations; and how long records are retained before secure destruction.

Does the Privacy Act 1988 apply to small NDIS providers?

Yes. While the Privacy Act 1988 (Cth) generally exempts businesses with an annual turnover under $3 million from the Australian Privacy Principles, NDIS providers are not exempt. The NDIS Practice Standards impose privacy and confidentiality obligations that are functionally equivalent to the APPs regardless of organisational size. Additionally, any provider that receives federal government funding — which all NDIS providers effectively do through NDIS funding — may be directly subject to the Privacy Act. NDIS providers should comply with the APPs as a minimum standard.

How long must NDIS providers keep participant records?

The NDIS Practice Standards require providers to retain records for the period required by relevant legislation. In practice, this means: participant records should be retained for 7 years after the last service delivery (consistent with general Australian record-keeping requirements); records relating to minors should be retained until the person turns 25 or for 7 years from the date of last service, whichever is longer; financial records must be retained for 7 years as required by the Corporations Act 2001 and tax legislation. Records must be securely destroyed (not simply deleted) at the end of the retention period.

NDIS Privacy and Confidentiality Policy: What Providers Must Include

Outcome 1.3: Privacy and Dignity

Privacy is not simply about keeping information confidential. Under the NDIS Practice Standards, Outcome 1.3 connects privacy to the broader principle of participant dignity — the right of every person to control information about themselves and to be treated with respect in how that information is handled.

The quality indicators under Outcome 1.3 require that providers demonstrate:

Participant information is collected only for purposes directly related to service delivery
Participants are informed about what information is collected, why, and how it will be used
Participant information is stored securely and accessed only by those who need it
Participant information is not disclosed to third parties without informed consent, except in permitted circumstances
Participants can access, review, and request correction of their personal information
The provider has a documented privacy policy and data breach response plan

Outcome 1.3 must be read alongside the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) contained in Schedule 1 of that Act. While the NDIS Practice Standards set the compliance framework for the NDIS Commission, the Privacy Act sets the broader legal obligations that apply to the organisation.

The Privacy Act 1988 and Australian Privacy Principles

The Privacy Act 1988 (Cth) governs the handling of personal information by Australian government agencies and private sector organisations. The 13 Australian Privacy Principles (APPs) that form Schedule 1 of the Act apply to any organisation that is an "APP entity" — which includes NDIS providers who receive Commonwealth funding.

The APPs most relevant to NDIS providers are:

APP	Title	Key Requirement for NDIS Providers
APP 1	Open and transparent management of personal information	Have a current, publicly available privacy policy
APP 3	Collection of solicited personal information	Only collect information that is reasonably necessary for service delivery
APP 5	Notification of collection	Tell participants what information is collected and why, at or before the time of collection
APP 6	Use or disclosure of personal information	Only use or disclose information for the primary purpose it was collected, or with consent
APP 11	Security of personal information	Take reasonable steps to protect information from misuse, interference, loss, and unauthorised access
APP 12	Access to personal information	Give participants access to their own information when requested
APP 13	Correction of personal information	Correct inaccurate information when requested by the participant

Importantly, disability-related health and medical information is classified as sensitive information under the Privacy Act. Sensitive information attracts higher protection requirements — in particular, collection and disclosure of sensitive information generally requires the participant's explicit consent, not merely implied consent.

What NDIS Providers Must Include in Their Privacy Policy

A compliant NDIS privacy and confidentiality policy must address all of the following:

Types of Information Collected

The policy must identify the categories of personal information collected. For NDIS providers, this typically includes: name, address, and contact details; date of birth; NDIS number and plan details; disability diagnoses and medical history; support needs assessments; behaviour support plans; medication information; financial information (for self-managed funding); and photographs or video (if collected).

Purposes of Collection

Each category of information must be linked to a specific, legitimate purpose. "Service delivery" is not specific enough. The policy should state, for example, that health information is collected "to enable safe and appropriate support delivery, to inform risk assessment, and to comply with relevant health and safety legislation."

How Information Is Stored and Secured

The policy must describe the security measures in place for both physical records (lockable filing, access-controlled premises) and electronic records (password protection, encryption, user access controls, regular security updates). This includes how the organisation responds to staff departures to prevent ongoing access to participant records.

Who Can Access Information

The policy must specify who within the organisation has access to participant information (typically: assigned workers, coordinators, and management — not all staff). It must also describe the process for authorising access, and what happens if a worker accesses information they are not authorised to view.

Disclosure to Third Parties

NDIS providers frequently need to share participant information with external parties — allied health professionals, other providers, the NDIA, family members. The policy must describe the circumstances in which information is shared, the consent process required, and the exceptions (e.g., mandatory reporting, health emergencies).

Participant Rights

The policy must inform participants of their right to access their personal information, request corrections, and make complaints about privacy handling. It should include the contact details of the Office of the Australian Information Commissioner (OAIC) as the external regulator: oaic.gov.au, 1300 363 992.

Data Breach Procedures

The policy must describe the organisation's response to data breaches, including how breaches are identified, who is notified, and the Notifiable Data Breaches (NDB) scheme obligations under the Privacy Act.

Consent is the cornerstone of compliant privacy practice for NDIS providers. Because disability-related information is sensitive information under the Privacy Act, the consent bar is higher than for ordinary personal information.

Consent to Collect Information

Before collecting a participant's personal information, the provider must obtain informed consent — meaning the participant must understand what information will be collected, why, and how it will be used. This must be documented with a signed consent form. A Consent to Collect Information form should cover:

The types of information to be collected
The purposes of collection
How information will be stored
Who will have access to it within the organisation
The participant's right to withdraw consent

Consent to Share Information

Separate consent is required before sharing participant information with third parties. A Consent to Share Information form should identify the specific third party, the specific information to be shared, and the purpose of sharing. Blanket consent forms that authorise sharing with any party for any purpose do not satisfy the APP requirements for sensitive information.

Important Distinction

Implied consent is not sufficient for sensitive disability-related information. A participant calling to request information about another participant's schedule, or a family member asking about medication details, does not trigger implied consent for disclosure. Explicit, documented consent is required — or the disclosure must fall within a recognised exception (e.g., risk to life, mandatory reporting).

Consent Exceptions

Information may be disclosed without consent in limited circumstances:

To prevent a serious and imminent threat to life or safety
As required by law (e.g., mandatory reporting of child abuse, NDIS reportable incidents)
To the NDIA or NDIS Commission in response to a lawful request
For the primary purpose of collection where it is unreasonable or impracticable to obtain consent

Data Breach Notification Obligations

Under the Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act 1988, NDIS providers that experience a data breach likely to result in serious harm to affected individuals must:

Assess the breach: Determine whether it is likely to result in serious harm to one or more affected individuals. Factors to consider include: the sensitivity of the information (disability information is high sensitivity), the number of people affected, the nature of the disclosure, and whether further harm is likely.
Notify affected individuals: As soon as practicable, notify each person at risk of serious harm. The notification must describe what happened, what information was involved, what the provider has done or will do in response, and what the affected person can do to protect themselves.
Notify the OAIC: Lodge a notification with the Office of the Australian Information Commissioner as soon as practicable — and within 30 days of becoming aware of the breach. The OAIC form is available at oaic.gov.au.

Providers must also have a documented Data Breach Response Plan that describes the steps to be taken when a breach is suspected or confirmed. The plan should assign responsibilities and include a rapid assessment process.

Record Retention Requirements

Privacy obligations do not end when a participant stops receiving services. Providers must retain records for the required period, and then securely destroy them. Key retention requirements for NDIS providers:

Record Type	Minimum Retention Period	Authority
Participant service records and support plans	7 years from last service delivery	NDIS Practice Standards / general limitation periods
Records relating to a minor	Until the person turns 25, or 7 years from last service (whichever is longer)	State/territory legislation and NDIS guidelines
Financial/accounting records	7 years	Corporations Act 2001 (Cth) / Income Tax Assessment Act
Incident records	7 years minimum; longer if litigation is likely	NDIS Commission guidance
Worker records (employment)	7 years from end of employment	Fair Work Act 2009 (Cth)

At the end of the retention period, records must be securely destroyed — not simply placed in a recycling bin. For physical records this means shredding; for electronic records it means permanent deletion or physical destruction of storage media.

Special Considerations for Disability-Related Information

NDIS providers deal with information that is, by definition, highly sensitive. Disability diagnoses, behavioural assessments, psychiatric histories, medication records, and the details of daily living assistance all fall within the "sensitive information" category under the Privacy Act.

Practical implications for NDIS providers:

Shift notes: Progress notes and shift notes contain sensitive personal information. They must be stored securely, accessible only to authorised staff, and not left in accessible locations (e.g., printed notes left in common areas at a SIL house).
Photos and video: Photographs of participants (including photos taken for incident documentation) require explicit consent. Using participant photos on social media without consent is a serious breach.
Communications: Workers discussing participant information in public places (e.g., at a coffee shop, in an open office) or via personal mobile phones may constitute a privacy breach.
Third-party requests: Family members, even close family members, do not have an automatic right to a participant's information. The participant's consent is required unless there is a legal guardianship arrangement or a documented emergency.

Need a Complete NDIS Privacy Policy Package?

The SIL Rescue Kit includes Document 06 (Privacy and Confidentiality Policy), Document 29 (Consent to Collect), Document 30 (Consent to Share), Document 56 (Privacy Notice Plain English), and Document 59 (Data Breach Response Plan) — all audit-ready and mapped to Outcome 1.3.

Get the SIL Rescue Kit — $297

Audit Readiness Checklist for Outcome 1.3

Privacy and Confidentiality Policy is current, approved, and references the Privacy Act 1988 and Australian Privacy Principles
Policy identifies the types of information collected and the purposes of collection
Policy describes security measures for physical and electronic records
Policy describes the data breach notification process including OAIC reporting obligations
Signed Consent to Collect forms are on file for all active participants
Consent to Share forms are obtained before disclosing information to third parties
Privacy Notice in plain English is provided to participants at intake
Data Breach Response Plan is documented and staff know where to find it
Record retention schedule is documented and followed
Staff training records show workers have been trained on privacy obligations

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.