NDIS Provider Privacy and Security: Data, Compliance and Cyber Basics

NDIS provider privacy security explained: which laws apply, the data you must protect, breach-reporting duties and practical cyber steps to stay compliant.

What NDIS provider privacy and security actually covers

Which privacy laws apply to you

The data you hold — and why it is high-risk

Consent, collection notices and your service agreement

Cyber security controls that actually reduce risk

'Prove and pay' and the coming record-keeping shift

When something goes wrong: breaches and reportable incidents

Choosing secure systems and vendors

How this plays out: a worked example

Common mistakes providers make

Your next 90 days: a priority order

Frequently asked questions

Does the Privacy Act apply to small NDIS providers under $3 million turnover?

Usually yes. The small-business turnover exemption generally does not apply to organisations that provide a health service and hold health information, and disability supports typically fall inside that category. Assume the Australian Privacy Principles apply to you and confirm the current threshold and health-service scope at oaic.gov.au, or get written advice if you think you may be exempt.

What is the difference between a data breach and an NDIS reportable incident?

A data breach concerns information — unauthorised access, disclosure or loss of data you hold — and is notified to the OAIC and affected individuals under the Notifiable Data Breaches scheme when serious harm is likely. An NDIS reportable incident concerns harm to a participant, such as abuse, neglect or serious injury, and is reported to the NDIS Commission within set timeframes. One event can trigger both regimes, so route each type separately.

How long do NDIS providers have to keep records?

Registered providers already have retention obligations under the Practice Standards, and the 'Securing the NDIS for Future Generations' Bill 2026 proposes a seven-year record-retention duty. That seven-year duty is Bill-dependent and not yet settled law, so confirm it against health.gov.au/securingtheNDIS and the NDIA before relying on it. Either way, store records securely for their full retention period, not just while support is active.

What security controls does an NDIS provider actually need?

Start with multi-factor authentication on every system, unique logins with access limited to the participants each worker supports, tested backups, device encryption and screen locks, automatic software updates, and basic phishing awareness. These six prevent most small-provider breaches. Document who is responsible for each, because that documentation is what Practice Standards auditors and insurers ask for.

Do I need participant consent to share information with plan managers or the NDIA?

Yes. You need specific, current and freely given consent to disclose sensitive information to third parties such as plan managers, support coordinators, allied health professionals or the NDIA. Capture it in your service agreement and intake process, date it, keep it with the participant file, and refresh it when the participant's support team changes.

List your NDIS service on Novida