Does every participant subject to a restrictive practice need a behaviour support plan?

Yes. Where a regulated restrictive practice is used, a behaviour support plan developed by a registered NDIS behaviour support practitioner is mandatory. The plan must be current, accurately reflect the participant's needs, and be reviewed regularly. Using a restrictive practice without a current plan in place is a major non-conformity.

How quickly must providers report unauthorised restrictive practice use to the NDIS Commission?

Unauthorised use of a regulated restrictive practice is a reportable incident under the NDIS (Incident Management and Reportable Incidents) Rules 2018. Providers must notify the NDIS Commission within the timeframe specified in those Rules. Providers should check the Commission's current operational guidance for the applicable notification period, as requirements can be updated.

Can a provider use a restrictive practice while waiting for state or territory authorisation?

Generally no. Authorisation must be in place before or at the point of implementation. In urgent situations, some jurisdictions have transitional or emergency provisions, but these are narrow and time-limited. Providers should consult their relevant state or territory authorisation body and the NDIS Commission's guidance before acting.

What happens if an auditor finds a major non-conformity in restrictive practices?

A major non-conformity can result in the auditor recommending non-certification or conditions on registration. In cases involving ongoing unauthorised restrictive practices, the NDIS Commission may also commence its own compliance or regulatory action. Providers are given the opportunity to provide corrective action evidence, but the Commission treats participant safety breaches very seriously.

How often should behaviour support plans be reviewed?

Plans must be reviewed at least annually and also when there is a significant change in the participant's circumstances, when a new restrictive practice is introduced, or when an incident suggests the plan is not working as intended. The registered behaviour support practitioner is responsible for conducting reviews, and providers must initiate the process in a timely way.

Restrictive Practices: Common Audit Non-Conformities

Q: What are the five categories of regulated restrictive practices under the NDIS?

The NDIS Commission recognises chemical restraint, mechanical restraint, physical restraint, seclusion, and environmental restraint. Each category has a specific definition under the NDIS (Restrictive Practices and Behaviour Support) Rules 2018, and all require authorisation under the relevant state or territory process before they can be lawfully implemented.

Why Restrictive Practices Attract the Most Audit Scrutiny

Restrictive practices sit at the intersection of participant rights, provider duty of care, and legislative compliance. For SIL and disability support providers, they represent the single area most likely to generate a major non-conformity finding during an NDIS Commission audit. The NDIS Practice Standards and the National Disability Insurance Scheme (Restrictive Practices and Behaviour Support) Rules 2018 impose precise obligations — and approved quality auditors are trained to look for exactly the gaps that providers most commonly overlook.

The 2026 strengthened registration framework has raised the bar further. Providers seeking registration or re-registration under the updated Quality and Safeguards Framework must demonstrate not just that they have policies on paper, but that those policies are implemented, monitored, and continuously improved.

Below are the seven most common non-conformities auditors find, along with practical fixes for each.

The 7 Most Common Non-Conformities

1. Using Regulated Restrictive Practices Without Authorisation

This is the single most serious finding an auditor can make. The NDIS Commission defines five categories of regulated restrictive practices: chemical restraint, mechanical restraint, physical restraint, seclusion, and environmental restraint. Each requires prior authorisation under the relevant state or territory process before it can be lawfully used.

Providers are frequently found to be implementing what amount to environmental or physical restraints — locked doors, restricted access to areas, physical guiding — without having obtained the necessary authorisation or without even recognising the practice as a regulated restrictive practice. Documentation reviewed by auditors often shows the practice occurring before authorisation was granted, or continuing beyond the authorisation period.

The fix: Conduct a full audit of all current practices against the NDIS Commission's published definition of each category. Any practice that meets a definition must be authorised before or immediately upon implementation. Build authorisation expiry dates into your compliance calendar.

2. Absent or Expired Behaviour Support Plans

Where a regulated restrictive practice is used, a behaviour support plan developed by a registered NDIS behaviour support practitioner is mandatory. Auditors routinely find one of three failures: no plan exists at all; a plan exists but was not developed by a registered practitioner; or the plan has not been reviewed within the required timeframe.

Plans must be kept current and must accurately reflect the participant's current needs, circumstances, and any changes to the restrictive practices in use. An outdated plan is treated as a non-conformity even if the practices themselves are otherwise authorised.

The fix: Maintain a register of all participants subject to regulated restrictive practices, linked to their behaviour support plan review dates. Assign a staff member accountable for triggering reviews before expiry. Confirm that your practitioners hold current registration with the NDIS Commission.

3. Incomplete or Delayed Incident Reporting

The National Disability Insurance Scheme (Incident Management and Reportable Incidents) Rules 2018 require providers to report certain incidents to the NDIS Commission within defined timeframes. Use of an unauthorised restrictive practice is a reportable incident. Providers frequently fail on two counts: not classifying the incident correctly, and not meeting the reporting timeframe.

Auditors examine incident logs, staff records, and Commission portal submissions side by side. Gaps between when an incident occurred and when it was reported — or incidents never reported at all — constitute clear non-conformities.

The fix: Ensure your incident management policy explicitly lists regulated restrictive practice use (including unauthorised use) as a category requiring Commission notification. Train all staff on the trigger, the timeframe, and who is responsible for lodging the report.

4. Staff Training Records Are Incomplete or Cannot Be Produced

NDIS Practice Standards require that staff who implement restrictive practices are appropriately trained. During audits, providers are asked to produce training records for each staff member involved in implementing or overseeing a regulated restrictive practice. Common failures include: training completed verbally with no record; records stored inconsistently across sites; or training that does not address the specific type of restrictive practice being used.

The fix: Implement a centralised training matrix that maps each staff member to the restrictive practices relevant to their role, the training completed, and the date of next renewal. Ensure records are retrievable within minutes during an audit — auditors will ask for them on the spot.

5. Behaviour Support Plans Not Implemented as Written

A well-drafted plan provides no protection if staff are not following it. Auditors interview staff and compare their accounts of practice with what the plan prescribes. Common discrepancies include staff using physical guidance in situations not covered by the plan, or applying environmental restrictions inconsistently across shifts.

The fix: Build plan fidelity checks into your quality monitoring cycle. Conduct periodic observations and debrief staff. Where deviations are identified, treat them as incidents and update the plan through the behaviour support practitioner if the participant's needs have changed.

6. Participant and Guardian Consent Is Not Documented or Is Outdated

The NDIS Practice Standards place participant rights at the centre of behaviour support. Auditors look for evidence that participants and, where relevant, their nominees or guardians have been genuinely informed about any restrictive practices, have had the opportunity to raise concerns, and have provided documented consent or acknowledgement in accordance with state and territory authorisation requirements.

Providers often have a single consent form signed at the time of entry into the service, with no subsequent review even as practices change. This is insufficient.

The fix: Treat consent as an ongoing conversation, not a one-time sign-off. Document each discussion, link it to the behaviour support plan review cycle, and retain records in the participant's file.

7. Policies Do Not Reflect Current Commission Requirements

Many providers operate on policies written several years ago, before subsequent amendments to the Behaviour Support Rules or the introduction of the strengthened Practice Standards under the 2026 framework. Auditors compare the provider's policy wording against current regulatory requirements. Where policies omit required elements — for example, failing to distinguish between the five categories of regulated restrictive practices, or not addressing the provider's obligations regarding unauthorised use — this constitutes a documentary non-conformity independent of what actually happens on the floor.

The fix: Schedule an annual policy review against the NDIS Commission's current operational guidelines and the Practice Standards. Assign a designated compliance role to own this process and document the review.

What Approved Quality Auditors Actually Check

During a certification or verification audit against the NDIS Practice Standards (Core Module and the Behaviour Support module), auditors typically:

Review a sample of participant files, focusing on those with restrictive practices in use
Inspect behaviour support plans for currency, practitioner registration, and authorisation status
Cross-reference the incident register with Commission portal notifications
Interview a sample of direct support workers about their understanding of specific plans
Request training records for staff named in restrictive practice documentation
Review the provider's written policies and procedures for alignment with current rules
Examine governance records showing how leadership monitors compliance with behaviour support obligations

Non-conformities are rated as either minor or major. A major non-conformity in restrictive practices — particularly unauthorised use — can result in immediate referral to the NDIS Commission's compliance team and, in the most serious cases, suspension of registration.

A Practical Pre-Audit Checklist

List every participant currently subject to a regulated restrictive practice and confirm current authorisation for each.
Confirm each participant has an in-date behaviour support plan authored by a registered NDIS behaviour support practitioner.
Pull the incident register for the past twelve months and verify all restrictive practice incidents were reported to the Commission on time.
Cross-check staff training records against the list of staff who implement restrictive practices.
Review policy documents and update any section that references superseded rules or lacks the required elements under the 2026 strengthened framework.
Obtain and file current written consent or acknowledgement from each participant and their nominee regarding restrictive practices in use.
Schedule a plan fidelity check with a team leader across at least three active plans before the audit date.

Getting Audit-Ready

Providers who identify gaps early have time to remediate before an auditor arrives. The priority is always to stop any unauthorised practice immediately and obtain proper authorisation — the Commission takes a very dim view of providers who continue non-compliant practices after becoming aware of them.

For SIL providers building out their full compliance documentation suite, ndiscompliant.com.au offers a 74-document audit-ready SIL compliance kit that covers behaviour support policies, restrictive practice registers, staff training matrices, and incident management templates aligned with current Commission requirements — a practical starting point for providers who want to close multiple gaps at once.

Regardless of the tools used, the principle is the same: treat every non-conformity finding as a signal, not a surprise. Providers who maintain live, accurate records and embed compliance into daily operations consistently achieve better audit outcomes than those who prepare only in the weeks before an assessment.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.