Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run an NDIS business, you’re trusted with some of the most personal information a person can share - details about health, disability supports, family circumstances, goals, and daily living. For many providers, privacy obligations can feel like just another document on the compliance checklist.
But in practice, a well-written NDIS privacy policy is one of the simplest ways to reduce legal risk, build participant trust, and set clear rules for your team (especially as you grow).
In this guide, we’ll break down what an NDIS privacy policy is, when you need one, what to include, and we’ll also give you a practical template example you can adapt to your business.
What Is An NDIS Privacy Policy (And Why Does It Matter)?
An NDIS privacy policy is a public-facing document that explains how your NDIS business handles personal information - including how you collect it, why you collect it, how you store it, who you share it with, and how people can access or correct it.
For most NDIS providers, the personal information you handle will often include sensitive information (for example, health information). That’s why privacy isn’t just a website issue - it affects your intake process, service delivery, staff training, record-keeping systems, and incident response.
From a small business perspective, a privacy policy matters because it helps you:
- Meet legal obligations under Australian privacy laws (where applicable)
- Set expectations with participants and their families
- Reduce disputes about what you can/can’t do with information
- Standardise staff behaviour so privacy isn’t handled ad hoc
- Respond faster if something goes wrong (like a suspected data breach)
It’s also worth remembering: privacy compliance isn’t only about avoiding penalties. In the NDIS sector, your reputation is a huge part of your growth. Clear, respectful information handling is a real point of difference.
Do NDIS Providers Need A Privacy Policy In Australia?
Many NDIS providers do need a privacy policy - but the exact legal “trigger” depends on your situation.
1) The Privacy Act And “APP Entities”
In Australia, privacy obligations are primarily governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).
Generally, the Privacy Act applies to:
- Most organisations with turnover of $3 million+, and
- Some small businesses under $3 million in specific circumstances (for example, where an exception to the small business exemption applies, or where the business opts in to be covered by the Privacy Act)
If your business is an APP entity, you are required to have a clearly expressed and up-to-date privacy policy.
2) Sensitive Information Is Common In NDIS Work
Even if you’re a smaller provider, NDIS work almost always involves personal information and often health-related information. That means you should treat privacy as a core compliance area from day one.
Practically, many NDIS providers choose to implement a privacy policy (and supporting procedures) even before they’re strictly required, because it’s how you run a safe, professional service.
3) Contract, Platform, And Funding Expectations
Separately from the Privacy Act, you may be asked for privacy documentation by:
- Plan managers or support coordinators referring participants
- Software providers you use to store notes or run rosters
- Funders, insurers, or professional bodies
- Your own partners and subcontractors
If you collect personal information online, you’ll also typically need a compliant Privacy Policy that matches what your website and forms actually do.
What Must An NDIS Privacy Policy Include?
A strong NDIS privacy policy should be written in plain English and reflect your real-world processes - not generic statements that don’t match your service model.
While the exact content depends on your business, these are the key inclusions most NDIS providers should cover.
1) What Personal Information You Collect
Be specific. For example, you may collect:
- Identity information (name, date of birth, address)
- Contact details (phone, email)
- NDIS-related details (NDIS number, plan dates, goals, supports)
- Health and disability information (diagnosis, assessments, medication notes)
- Information about representatives (nominees, guardians, family contacts)
- Service records (case notes, progress notes, incident reports)
- Financial information (invoices, payment details)
NDIS providers should assume they are dealing with sensitive information and address that directly.
2) How You Collect Information
Explain the sources, such as:
- Directly from the participant (in person, by phone, through forms)
- From representatives (family member, nominee, guardian)
- From referrers (support coordinators, plan managers)
- From other providers (with appropriate consent)
- From your website (enquiry forms)
If you use a specific intake process, you’ll often also benefit from a separate Privacy Collection Notice provided at the point you collect information.
3) Why You Collect It (Your Purposes Of Use)
Your policy should explain why you collect and use personal information. Common purposes include:
- Assessing whether you can provide services safely and appropriately
- Delivering supports and coordinating services
- Managing bookings, rosters, and service delivery
- Maintaining participant records and compliance documentation
- Billing, payments, and NDIS-related administration
- Handling feedback and complaints
- Legal and regulatory compliance
4) When You Disclose Information (And To Whom)
This is one of the most important parts of an NDIS privacy policy. Participants want to know who may receive their information.
Common disclosures may include:
- Plan managers and support coordinators
- Other service providers involved in care (with consent or as authorised)
- Medical professionals (for safety and coordination, where appropriate)
- Your staff, contractors, and support workers (on a need-to-know basis)
- IT providers (practice management software, email hosting, cloud storage)
- Professional advisers (lawyers, accountants) where necessary
- Government bodies or regulators where required or authorised by law
If you engage external platforms or subcontractors, it’s often helpful to document data handling responsibilities contractually too (for example, through a Data Processing Agreement where appropriate).
5) Overseas Disclosures
If any of your systems store data overseas (common with cloud platforms), your policy should disclose that possibility. Even if you don’t know every server location, you should be transparent about whether overseas disclosures may occur through your suppliers.
6) How You Store And Protect Information
Your privacy policy doesn’t need to list every technical safeguard, but it should reassure people that you take reasonable steps to protect information.
You might refer to measures like:
- Access controls (user accounts, role-based permissions)
- Password and device security requirements
- Secure cloud storage and encryption (where used)
- Staff confidentiality obligations and training
- Secure disposal of physical documents
7) Access And Correction Rights
Your policy should explain how a person can:
- Request access to their personal information, and
- Request corrections if information is inaccurate, out of date, or incomplete
Include a clear contact method (email is usually best) and the steps you’ll take to verify identity.
8) Complaints Handling
Explain how people can complain if they believe you’ve mishandled their information, and how your business will respond.
This should include:
- Where to send the complaint
- Expected response timeframes (even if approximate)
- Escalation options if they aren’t satisfied, including the Office of the Australian Information Commissioner (OAIC) where applicable
9) Data Breaches (And What You’ll Do If Something Goes Wrong)
NDIS providers should plan for the possibility of a privacy incident - for example, an email sent to the wrong recipient, a lost device, or unauthorised access to a client management platform.
Your privacy policy can briefly explain how you handle suspected breaches, while your internal process should be set out in a document such as a Data Breach Response Plan.
Depending on the circumstances, you may also need to comply with notification requirements (including preparing a Data Breach Notification where required).
10) Updates To The Policy
NDIS businesses change quickly - new software, new support types, new staff, new subcontractors. Your policy should state that you may update it from time to time, and where the latest version will be published.
NDIS Privacy Policy Template Example (Practical Starting Point)
Below is a template example you can use as a starting structure. It’s intentionally written in plain English, because your participants and their families need to understand it.
Important: this is a general example only. Your final document should be tailored to your actual services, systems, and processes (especially how you collect information, where you store it, and who you disclose it to).
1) Privacy Policy Statement
Privacy Policy
At [Business Name], we respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, store and disclose personal information, and how you can access or correct your information.
2) What Personal Information We Collect
We may collect personal information about you, including:
- your name, date of birth, address, phone number and email address
- NDIS-related information (such as your NDIS number, plan dates, goals and supports)
- health and disability-related information where relevant to providing our services
- information about your representatives (such as nominees, guardians or family contacts)
- service delivery records, including notes and incident records
- billing and payment information
3) How We Collect Personal Information
We collect personal information in a range of ways, including:
- directly from you when you contact us, complete forms, or use our services
- from your representative (such as your nominee or guardian) where appropriate
- from referrers or other service providers where you have consented or where permitted by law
- through our website when you submit an enquiry
4) Why We Collect, Use And Disclose Personal Information
We collect, use and disclose personal information for purposes including:
- to assess whether we can provide supports safely and appropriately
- to provide services and supports and coordinate service delivery
- to manage bookings, schedules, and service administration
- to comply with our legal and regulatory obligations
- to manage billing, payments and record-keeping
- to respond to feedback, incidents and complaints
5) Who We May Disclose Personal Information To
We may disclose personal information to:
- your plan manager, support coordinator, or authorised representatives
- other service providers involved in your supports (where appropriate and authorised)
- our staff and contractors who need the information to provide services
- our professional advisers (such as accountants, legal advisers, or insurers) where necessary
- IT service providers who help us operate our systems
- government bodies, regulators, or law enforcement agencies where required or authorised by law
6) Overseas Disclosure
Some of our service providers (such as cloud-based software providers) may store information overseas. Where this occurs, we take reasonable steps to ensure appropriate privacy protections are in place.
7) How We Store And Protect Personal Information
We take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. This may include access controls, secure storage systems, and staff confidentiality obligations.
8) Accessing And Correcting Personal Information
You may request access to, or correction of, personal information we hold about you by contacting us using the details below. We may need to verify your identity before we respond.
9) Privacy Complaints
If you have a concern or complaint about how we handle personal information, please contact us. We will review your complaint and respond within a reasonable timeframe.
If you are not satisfied with our response, you may be able to lodge a complaint with the Office of the Australian Information Commissioner (OAIC). More information is available at www.oaic.gov.au.
10) Contact Us
If you would like to contact us about privacy, please email: [privacy contact email] or call: [phone number].
11) Changes To This Policy
We may update this Privacy Policy from time to time. The most current version will be available at [website address].
If you’d prefer a document that’s purpose-built for the NDIS context (rather than adapting a generic privacy policy), you may want an NDIS Privacy Policy drafted to match your actual service delivery and compliance requirements.
How To Implement Your NDIS Privacy Policy (So It Actually Works)
A privacy policy is only useful if it matches your daily operations. If your policy says one thing but your team does another, that’s where risk increases.
Here are practical steps to make your privacy compliance real - without turning it into an administrative burden.
1) Map Your Information Flow
Start by documenting:
- What information you collect at intake
- Where it gets stored (software, email, paper files)
- Who has access (admin, support workers, management)
- When it gets shared (plan managers, coordinators, other providers)
This mapping exercise makes it much easier to write a privacy policy that’s accurate.
2) Align Your Forms, Scripts, And Website With The Policy
Common mismatch points include:
- Website enquiry forms collecting more data than your policy describes
- Intake forms not clearly explaining why you need sensitive information
- Staff verbally requesting information without explaining purpose or consent
In many cases, giving participants a short collection statement (separate from the full policy) is the cleanest way to keep things consistent - that’s where a Privacy Collection Notice can help.
3) Train Your Team (Especially Support Workers)
In an NDIS business, privacy issues often happen through everyday moments - not intentional misconduct. For example:
- Discussing a participant’s information in a public place
- Leaving case notes visible on a device
- Sharing screenshots in group chats
- Using personal email accounts or phones for participant communications
Practical training and a clear “do/don’t” standard can prevent most problems before they start.
4) Have A Breach Playbook Ready
NDIS providers should plan for:
- lost or stolen devices
- misdirected emails
- platform access issues
- unauthorised access by former staff or contractors
A Data Breach Response Plan helps you respond consistently and quickly, and may support your notification obligations if a breach is serious.
5) Review Your Policy When Your Business Changes
Update your privacy policy when you:
- introduce a new service type (for example, behaviour support, allied health, support coordination)
- start using new practice management software
- begin subcontracting supports
- expand into new states or regions
- change your complaints or incident management process
Key Takeaways
- An NDIS privacy policy helps you meet privacy obligations and build trust with participants, families, and referrers.
- Many NDIS providers handle sensitive information (like health information), so privacy compliance should be treated as a core operational requirement, not just a website document.
- A strong privacy policy should clearly explain what you collect, why you collect it, who you share it with, how you store it, and how people can access or correct their information.
- Your policy should match your real processes - especially your intake forms, software platforms, staff access controls, and data sharing practices.
- It’s worth having a documented plan for handling incidents, including a Data Breach Response Plan, so you can respond quickly and consistently.
If you’d like help drafting or reviewing your NDIS privacy policy (including tailoring it to your services, intake process, and software systems), you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligation chat.