NDIS Practice Standards · Core Module 1

NDIS Incident Management Policy and Procedure Template

NDIS-aligned incident management policy covering reportable incidents, NDIS Commission notification requirements, investigation procedures, corrective actions, and integration with risk management. Mapped to Core Module 1 quality indicators.

NDIS Act 2013 · NDIS Practice Standards v4 · NDIS (Incident Management and Reportable Incidents) Rules 2018

What's in this template?

This free NDIS Incident Management Policy and Procedure template is aligned to Core Module 1 of the NDIS Practice Standards (Version 4, November 2021). It provides a systematic framework for identifying, reporting, investigating, and learning from incidents — including the five categories of reportable incidents that must be notified to the NDIS Quality and Safeguards Commission within 24 hours.

The template covers 17 sections:

  1. Purpose — commitment to participant safety and systematic incident management aligned to NDIS Practice Standards and the NDIS Act 2013
  2. Scope — all incidents connected to NDIS-funded supports, across all settings (premises, homes, community, transport)
  3. Definitions — incident, reportable incident (s73Z NDIS Act), near miss, serious injury — with clear statutory definitions
  4. Legislative and Regulatory Framework — NDIS Act 2013, Incident Management Rules, Practice Standards, Code of Conduct, WHS Act, Privacy Act
  5. Guiding Principles — participant safety first, all incidents reported, proportional investigation, no disadvantage for reporters
  6. Incident Categories and Severity — three-tier system (Critical/Reportable, Significant, Minor) with specific examples
  7. Immediate Response — first aid, emergency services, hazard removal, supervisor notification, evidence preservation
  8. Incident Reporting — internal 24-hour reporting, NDIS Commission reporting (24 hours initial, 60 business days final), other mandatory reporting (police, WorkSafe, child protection)
  9. Investigation — independent investigator, evidence gathering, root cause analysis, 30-day target
  10. Participant and Family Involvement — notification, communication supports, involvement in review, right to complain to NDIS Commission
  11. Corrective and Preventive Actions — service delivery changes, training, disciplinary action, policy updates, referrals
  12. Incident Register — what to record, NDIS Commission report status, 7-year retention
  13. Reporting, Analysis, and Continuous Improvement — quarterly review, trend analysis, governing body reporting, risk management integration
  14. Support for Participants and Workers — counselling, advocacy referrals, EAP, debriefing, no penalty for good-faith reporting
  15. Training — induction, annual refresher, recognising abuse/neglect/exploitation
  16. Related Policies — cross-references to Complaints, Risk Management, Privacy, Participant Rights, Continuity of Supports
  17. Review History — version control and approval

Editable placeholder fields

  • {{practice_name}}, {{abn}}, {{ndis_registration_number}}, {{practice_address}}, {{phone}}, {{email}}
  • {{responsible_person}} — key personnel / responsible person
  • {{incident_manager_name}} and {{incident_manager_email}}
  • {{review_date}}, {{next_review_date}}

NDIS Practice Standards requirement

Core Module 1 — Incident Management requires that incidents, including allegations of abuse and neglect, are effectively managed and reviewed. The NDIS Quality and Safeguards Commission's quality indicators specify that providers must demonstrate:

  • A documented incident management system that covers identification, reporting, investigation, and resolution
  • Reportable incidents are notified to the NDIS Commission within the required timeframes (24 hours for initial notification, 60 business days for final report, 5 business days for unauthorised restrictive practices)
  • Participants and their families are involved in incident review
  • Incident data is analysed and used to identify trends and drive improvements
  • Workers are trained to recognise and respond to incidents, including abuse, neglect, and exploitation
  • The governing body receives reports on incidents and systemic issues

The five categories of reportable incidents under s73Z of the NDIS Act 2013 are: death of a participant, serious injury, abuse or neglect, unlawful sexual or physical contact or assault, and unauthorised use of a restrictive practice.

During a verification or certification audit, auditors will review the incident management policy, check the incident register, verify NDIS Commission reporting compliance, ask workers about their obligations, and assess whether incident data informs continuous improvement.

How to customise this template

  1. Download the Word document and fill in all {{placeholder}} fields with your organisation's details
  2. Add your NDIS registration number — confirms your registration and reporting obligations
  3. Appoint an Incident Manager — nominate the person responsible for coordinating incident management and add their contact details
  4. Add state/territory legislation — Sections 4 and 8 have prompts for state-specific mandatory reporting requirements
  5. Customise incident categories — adjust the Category 2 and 3 examples to reflect your specific services and risk profile
  6. Set up your incident register — spreadsheet, database, or incident management software with the fields listed in Section 12
  7. Establish NDIS Commission reporting access — ensure the Responsible Person has access to the NDIS Commission's online portal for submitting reportable incident notifications
  8. Cross-reference your other policies — update Section 16 with the specific titles of your related policies
  9. Train all workers on the policy before it takes effect, with particular focus on recognising reportable incidents and immediate response procedures

Frequently asked questions

What incidents must be reported to the NDIS Commission?

The five categories of reportable incidents under s73Z of the NDIS Act 2013 are: (1) the death of a participant, (2) serious injury of a participant, (3) abuse or neglect of a participant, (4) unlawful sexual or physical contact with, or assault of, a participant, and (5) the unauthorised use of a restrictive practice. The initial notification must be made within 24 hours of becoming aware of the incident.

What is the difference between a reportable incident and a general incident?

A general incident is any event that has caused or could have caused harm to a participant, including near misses. A reportable incident is one of the five specific categories defined in the NDIS Act that must be notified to the NDIS Commission. All incidents should be recorded and managed through your incident management system, but only reportable incidents trigger mandatory notification obligations.

What happens if we don't report a reportable incident on time?

Failure to report a reportable incident to the NDIS Commission within the required timeframes is a breach of the NDIS Act 2013 and the NDIS (Incident Management and Reportable Incidents) Rules 2018. The Commission may take compliance action, including issuing a compliance notice, imposing conditions on your registration, or in serious cases, revoking your registration.

How long do we need to keep incident records?

ClinicComply recommends retaining incident records for at least 7 years, or longer for incidents involving minors (until the person turns 25, or 7 years from the incident, whichever is later). This aligns with general record-keeping obligations and allows for potential future inquiries or legal proceedings.

Do near misses need to be reported to the NDIS Commission?

Near misses do not need to be reported to the NDIS Commission unless they meet the definition of a reportable incident. However, near misses should be recorded in your incident register and analysed as part of your continuous improvement process. Near miss data is valuable for identifying systemic risks before harm occurs.

Is an incident management policy required for both verification and certification audits?

Yes. Incident management is part of Core Module 1, which applies to all registered NDIS providers regardless of their audit pathway. Both verification and certification auditors will assess your incident management system, including the policy, the incident register, NDIS Commission reporting compliance, and evidence that incident data informs improvement.
