What does the NDIS Quality and Safeguards Commission do?

The NDIS Commission is the independent national regulator of NDIS providers. It registers providers, monitors compliance with the NDIS Practice Standards and Code of Conduct, handles complaints from participants and others, oversees reportable incident notifications, manages the NDIS Worker Screening Database, authorises the use of restrictive practices, and takes enforcement action against providers and workers who breach their obligations. It was established to ensure NDIS participants receive safe, quality supports.

Can the NDIS Commission take action against unregistered providers?

Yes. The NDIS Commission's jurisdiction covers both registered and unregistered providers. While unregistered providers are not audited against the Practice Standards, they are subject to the NDIS Code of Conduct and the Commission's complaints and enforcement powers. The Commission can investigate complaints about unregistered providers, issue compliance notices, and issue banning orders against individual workers of unregistered providers.

What is a banning order and when does the NDIS Commission issue one?

A banning order prohibits a person from providing any NDIS supports or services, either for a specified period or permanently. The Commission issues banning orders when a person has breached the NDIS Code of Conduct and poses an ongoing risk to NDIS participants. Banning orders are published on the NDIS Commission's public register, which means the person's name and the details of the ban are publicly available. Banning orders effectively end a person's career in disability services.

How do I report an incident to the NDIS Commission?

Reportable incidents must be notified to the NDIS Commission through the NDIS Commission Portal (the provider portal) within 24 hours of the provider becoming aware of the incident. A brief initial notification is submitted first, followed by a detailed 5-day report within 5 business days, and a final report within 60 business days. The types of reportable incidents include death, serious injury, abuse, neglect, sexual misconduct, unlawful physical contact, and unauthorised use of restrictive practices.

What happens if a participant makes a complaint to the NDIS Commission about my organisation?

The Commission will assess the complaint and determine the appropriate response. This may include contacting your organisation for a response, facilitating resolution between you and the complainant, conducting a compliance investigation, or in serious cases, taking immediate enforcement action. The Commission encourages resolution at the lowest appropriate level and will generally give your organisation an opportunity to respond before taking formal action. However, if there is an immediate risk to participant safety, the Commission can take urgent action without prior notice.

NDIS Quality and Safeguards Commission Explained: What They Do and How They Affect Providers

The Commission's Role and Establishment

The NDIS Quality and Safeguards Commission (commonly called the NDIS Commission) is an independent Commonwealth body established under the NDIS Act 2013. It is Australia's national regulator for NDIS providers and workers.

The Commission was established to address a fundamental gap in the original NDIS design: while the NDIA (National Disability Insurance Agency) manages participant plans and funding, it was never designed to be a regulator. Before the Commission existed, quality and safeguarding of NDIS supports fell to a patchwork of state-based systems that were inconsistent and often inadequate.

The Commission commenced operations on 1 July 2018 in NSW and South Australia, and progressively expanded to cover all states and territories. It achieved full national coverage on 1 July 2020.

Who leads the Commission

The Commission is led by the NDIS Quality and Safeguards Commissioner, an independent statutory officer appointed by the Governor-General. The Commissioner is supported by Registrars, who manage provider registration and compliance operations, and a national team across multiple offices.

Core Functions

The Commission has eight core functions defined in the NDIS Act 2013:

Provider registration — registering NDIS providers and managing the registration process, including audits and renewals
Complaints handling — receiving and resolving complaints about NDIS supports and services from participants, families, workers, and others
Reportable incidents — receiving, monitoring, and overseeing responses to reportable incidents involving NDIS participants
Behaviour support — overseeing the use of restrictive practices and promoting positive behaviour support approaches
Worker screening — managing the NDIS Worker Screening Database and overseeing worker screening processes
Code of Conduct — administering the NDIS Code of Conduct and taking enforcement action for breaches
Compliance monitoring — proactively monitoring provider compliance with the NDIS Practice Standards, Code of Conduct, and other obligations
Education and guidance — providing resources, guidance, and education to providers and workers about their obligations

Provider Registration

The Commission manages the provider registration process from application to renewal. Key aspects:

Application and audit

Providers apply through the NDIS Commission's online portal
The Commission assigns the provider to engage an Approved Quality Auditor (AQA)
The AQA conducts either a verification audit (desk-based) or certification audit (comprehensive, including on-site) depending on the registration groups
The AQA submits the audit report to the Commission, which makes the final registration decision

Registration period and renewal

Certification-level registration is granted for up to 3 years
Verification-level registration is granted for up to 5 years
Certification providers must undergo a mid-term audit at approximately the halfway point of their registration period
All providers must undergo a renewal audit before their registration expires

Conditions on registration

The Commission can impose conditions on a provider's registration at any time — at initial registration, during the registration period (in response to compliance concerns), or at renewal. Conditions might include additional reporting requirements, mandatory training, restrictions on the types of participants served, or independent compliance monitoring at the provider's expense.

Complaints Handling

The Commission operates a national complaints system for NDIS supports and services. Anyone can make a complaint — participants, families, workers, advocates, or members of the public.

What can be complained about

Quality of NDIS supports or services
Safety of NDIS supports or services
Conduct of an NDIS provider or worker
Failure to provide agreed supports
Breach of the NDIS Code of Conduct
Any other concern about NDIS supports

The complaints process

Complaint received — the Commission assesses the complaint to determine its nature and urgency
Initial assessment — the Commission determines whether the complaint falls within its jurisdiction and what response is appropriate
Resolution — the Commission may facilitate resolution between the complainant and the provider, conduct a compliance investigation, or take immediate action if there is a safety risk
Outcome — outcomes range from informal resolution to formal enforcement action, depending on the severity and nature of the complaint

The Commission aims to resolve complaints at the lowest appropriate level. Most complaints are resolved through facilitated discussion between the provider and complainant. However, serious complaints — particularly those involving safety risks — can trigger immediate compliance investigation or enforcement action.

Provider Tip

Having a robust internal complaints system is your first line of defence. If participants can raise and resolve concerns with you directly, many issues will never reach the NDIS Commission. Auditors check for an active complaints and feedback system — not just a policy document, but evidence that complaints are received, responded to, and used for improvement.

Reportable Incidents

Registered NDIS providers must report certain incidents to the Commission. The reportable incident framework is governed by the NDIS (Incident Management and Reportable Incidents) Rules 2018.

Categories of reportable incidents

Death of a participant — including deaths that occur during or as a result of NDIS supports
Serious injury of a participant — injury requiring medical treatment beyond first aid
Abuse or neglect of a participant — physical, psychological, emotional, or financial abuse, or neglect
Sexual misconduct — any sexual act, behaviour, or communication directed at a participant
Unlawful physical contact or assault — any physical contact with a participant that is unlawful
Unauthorised use of a restrictive practice — use of a restrictive practice that has not been authorised under the relevant state/territory legislation

Reporting timeline

Report	Deadline	Content
Initial notification	Within 24 hours	Brief notification identifying the type of incident, the participant involved, and the immediate actions taken
5-day report	Within 5 business days	Detailed report including a description of the incident, the response, interim actions, and impact on the participant
Final report	Within 60 business days	Complete report including the investigation outcome, root cause analysis, corrective actions, and systemic improvements

Failure to report a reportable incident within the required timeframe is itself a compliance breach and can result in enforcement action.

Compliance Monitoring

The Commission does not wait for complaints or incidents to monitor providers. It has a proactive compliance monitoring program that includes:

Risk-based monitoring — the Commission identifies higher-risk providers (based on factors like the type of supports, the participant cohort, complaint history, and incident reports) and targets compliance activities accordingly
Desktop reviews — the Commission may request documentation from providers (policies, incident reports, complaints records, staff files) for review without conducting an on-site visit
Own-initiative investigations — the Commission can initiate investigations based on intelligence, media reports, or patterns identified across multiple providers
Data analysis — the Commission analyses data from complaints, incidents, and other sources to identify trends and systemic issues across the sector
Unannounced visits — the Commission has the power to conduct unannounced visits to provider premises, particularly SIL houses and other residential settings

Unannounced Visits

The Commission can visit your premises without prior notice, particularly for SIL and other residential settings. During an unannounced visit, Commission officers may inspect the premises, observe service delivery, speak with participants and workers, and request access to records. Ensure your documentation is up to date at all times — not just before scheduled audits.

What triggers compliance monitoring

While the Commission uses risk-based targeting, certain factors increase the likelihood of your organisation being selected for compliance monitoring activities:

Complaint patterns — multiple complaints about the same provider, or complaints about serious issues (safety, abuse, neglect), will trigger heightened scrutiny
Reportable incident history — a high volume of reportable incidents, or a pattern of similar incidents, signals potential systemic issues that warrant investigation
Support type — providers delivering high-risk supports (SIL, SDA, behaviour support, restrictive practices) are monitored more closely than those delivering lower-risk supports
Audit findings — if your most recent audit identified non-conformities, the Commission may follow up to verify that corrective actions have been implemented
Media and intelligence — if your organisation appears in media reports or is flagged through intelligence from other agencies, the Commission may initiate an investigation
Whistleblower reports — reports from current or former workers about non-compliance or unsafe practices

How to prepare for compliance monitoring

The best preparation is to maintain genuine, ongoing compliance — not just audit-time compliance. This means:

Keeping all documentation current and accessible (not locked in a filing cabinet that nobody opens between audits)
Ensuring your incident register, complaints register, and training register are up to date
Conducting regular internal reviews of your compliance against the Practice Standards
Having a named person responsible for compliance management in your organisation
Training all staff on what to do during an unannounced visit — be cooperative, provide access to records, and direct Commission officers to the appropriate person

Enforcement Actions

When the Commission identifies non-compliance, it has a graduated enforcement framework. The response is proportionate to the severity and nature of the breach.

Action	Description	Severity
Education and guidance	Advice, resources, and direction to help the provider understand and meet their obligations	Low
Compliance notice	Written direction to take specific actions within a set timeframe to address non-compliance	Moderate
Infringement notice	Financial penalty for specific breaches (civil penalty provisions)	Moderate-High
Enforceable undertaking	Binding agreement where the provider commits to specific corrective actions	Moderate-High
Conditions on registration	Additional requirements imposed on the provider's registration (e.g., mandatory training, enhanced reporting, independent monitor)	High
Suspension of registration	Temporary halt to the provider's ability to deliver NDIS supports	High
Revocation of registration	Permanent removal of the provider's NDIS registration	Severe
Banning order	Individual is banned from delivering any NDIS supports (registered or unregistered), published on the public register	Severe
Civil penalty proceedings	Court proceedings seeking financial penalties for serious or repeated breaches	Severe
Criminal referral	Referral to police or the Commonwealth Director of Public Prosecutions for criminal investigation	Critical

The Commission publishes enforcement actions on its website, including compliance notices, conditions on registration, suspensions, revocations, and banning orders. This transparency serves as both accountability and deterrent.

Worker Screening

The Commission manages the NDIS Worker Screening Database and oversees the nationally consistent NDIS Worker Screening Check system. While the actual screening checks are administered by state and territory screening units, the Commission sets the national standards and maintains the database.

How NDIS Worker Screening works

Workers apply for an NDIS Worker Screening Check through their state or territory screening unit
The screening unit conducts a risk assessment based on criminal history, disciplinary proceedings, and other relevant information
Workers receive either a clearance (can work in risk-assessed roles) or an exclusion (cannot work in risk-assessed roles)
Clearances are valid for 5 years and are nationally portable
Providers must verify worker clearances through the NDIS Worker Screening Database before allowing workers to commence in risk-assessed roles

Restrictive Practices

The Commission has a specific role in overseeing restrictive practices — any practice that restricts the rights or freedom of movement of a participant. This includes:

Chemical restraint — use of medication to control behaviour (not for therapeutic purposes)
Physical restraint — use of physical force to restrict movement
Mechanical restraint — use of devices to restrict movement
Environmental restraint — restricting access to areas or objects
Seclusion — confining a participant to a room or area from which they cannot freely exit

Registered providers must report all use of restrictive practices to the Commission. The Commission's policy is to reduce and eliminate restrictive practices over time, and it requires providers to have behaviour support plans that include strategies for reducing restrictive practice use. Unauthorised use of restrictive practices is a reportable incident.

Your Obligations as a Provider

Every NDIS provider — registered or unregistered — has obligations to the Commission. Here is a summary of what the Commission expects:

All providers (registered and unregistered)

Comply with the NDIS Code of Conduct — all 8 requirements
Report reportable incidents within the required timeframes
Cooperate with the Commission's complaints investigations
Not deliver NDIS supports while subject to a banning order
Respond to compliance notices and other regulatory communications

Registered providers (additional obligations)

Meet the NDIS Practice Standards at all times (not just during audits)
Undergo quality audits (initial, mid-term, and renewal)
Ensure all workers in risk-assessed roles hold NDIS Worker Screening Check clearances
Report restrictive practices to the Commission
Comply with any conditions on registration
Notify the Commission of changes to key personnel, business structure, or contact details
Maintain comprehensive documentation (policies, procedures, registers, records) as evidence of compliance
Participate in the Commission's compliance monitoring activities

Good documentation is the foundation of compliance. Our free NDIS Notes Rewriter helps your workers write audit-ready progress notes every shift. For the complete compliance documentation set, the SIL Rescue Kit provides 65 audit-ready documents for $297.

Get Audit-Ready Documentation

The SIL Rescue Kit includes 25 policies, 25 forms, 10 registers, and 5 guides — all mapped to the NDIS Practice Standards and ready for your certification audit. $297 for the complete set.

Get the SIL Rescue Kit

Important: This article provides general guidance about the NDIS Quality and Safeguards Commission. It is not legal or professional advice. The Commission's powers, processes, and requirements may change as NDIS reforms are implemented. Always verify current requirements with the NDIS Quality and Safeguards Commission or seek legal advice if you are subject to enforcement action.