NDIS Practice Standards · Core Module 1

NDIS Information Management and Privacy Policy Template for Disability Service Providers

NDIS-aligned information management and privacy policy covering data collection, storage, security, access, disclosure, breach response, retention, and disposal. Mapped to Core Module 1 quality indicators and the Privacy Act 1988.

Tagged: NDIS Act 2013 · NDIS Practice Standards v4 · Privacy Act 1988 · Notifiable Data Breaches scheme

This template is available on a paid plan

Subscribe to ClinicComply to download the Information Management and Privacy Policy template and access all policy templates.


What's in this template?

This NDIS Information Management and Privacy Policy template is aligned to Core Module 1 of the NDIS Practice Standards (Version 4, November 2021) and the Privacy Act 1988 (Cth). It provides a comprehensive framework for managing participant and organisational information securely, covering the full information lifecycle from collection through to disposal — including electronic and paper records, data breach response, and worker responsibilities.

The template covers 13 sections:

  1. Purpose — commitment to secure, confidential information management aligned to NDIS Practice Standards, Privacy Act, Australian Privacy Principles, and Code of Conduct
  2. Scope — all personal and sensitive information: participant data, worker records, organisational data, across all formats (electronic, paper, verbal, visual)
  3. Legislative and Regulatory Framework — Privacy Act 1988, APPs, NDIS Act 2013, Practice Standards, Code of Conduct, Notifiable Data Breaches scheme, My Health Records Act
  4. Privacy Principles — lawful collection, informed consent, accuracy, secure storage, controlled disclosure, access rights, appropriate retention
  5. Information Collection — types of information collected, collection methods, direct collection priority, third-party collection notification
  6. Use and Disclosure — primary purpose use, directly related secondary use, mandatory disclosure exceptions (law, NDIS Commission, safety), routine disclosure notification
  7. Information Storage and Security — electronic records (access controls, encryption, backups, MFA), paper records (locked storage, restricted access), mobile devices and remote access
  8. Access and Correction — participant rights to access and correct information, 30-day response, refusal reasons and complaint avenues
  9. Data Breach Response — containment, risk assessment, OAIC notification, individual notification, breach register, security review
  10. Information Retention and Disposal — retention periods (7 years minimum), secure disposal methods, disposal register
  11. Worker Responsibilities — privacy training, information handling, breach reporting, role-based access, ongoing confidentiality
  12. Related Policies — cross-references to Complaints, Incidents, Risk, Governance, HR, Worker Orientation, Data Breach Response Plan
  13. Review History — version control and approval

Editable placeholder fields

  • {{practice_name}}, {{abn}}, {{ndis_registration_number}}, {{practice_address}}, {{phone}}, {{email}}
  • {{responsible_person}} — key personnel / responsible person
  • {{privacy_notice_timing}} — when the privacy notice is provided to participants
  • {{information_system}} — client management software or system used
  • {{privacy_officer}} — person responsible for privacy matters and data breach response
  • {{review_date}}, {{next_review_date}}

NDIS Practice Standards requirement

Core Module 1 — Information Management requires that participant information is managed securely, confidentially, and in accordance with privacy legislation. The NDIS Quality and Safeguards Commission's quality indicators specify that providers must demonstrate:

  • Information management systems that protect participant privacy and confidentiality
  • Participant information is collected only for lawful purposes related to support delivery
  • Participants are informed about how their information is collected, used, and disclosed
  • Information is stored securely with appropriate access controls
  • Workers understand and comply with information management and privacy obligations
  • Data breach response procedures are in place
  • Information is retained and disposed of in accordance with legislative requirements

The NDIS Verification Module Required Documentation Guide lists information management and privacy as a required policy area for all registered providers. During a verification audit, auditors will review the policy, check information security measures, examine consent processes, and ask workers about their privacy obligations.

For providers undergoing certification audit, the assessment includes evaluating the maturity of information management systems, the quality of data breach preparedness, and evidence that participant privacy is actively protected in day-to-day operations.

How to customise this template

  1. Download the Word document and fill in all {{placeholder}} fields with your organisation's details
  2. Appoint a privacy officer — designate a person responsible for privacy matters and data breach response
  3. Review your information systems — document the software, platforms, and physical storage systems you use for participant and worker information
  4. Audit your security controls — verify access controls, encryption, backup procedures, and physical security measures
  5. Create a privacy notice — develop a clear notice for participants explaining what information you collect and why
  6. Develop a data breach response plan — create a step-by-step plan for containing and responding to data breaches
  7. Set up a data breach register — create a register to record any breaches, including near misses
  8. Train your workers — ensure all workers complete privacy and information management training during induction

Frequently asked questions

Is an information management policy required for NDIS registration?

Yes. Information management is part of Core Module 1 of the NDIS Practice Standards, which applies to all registered NDIS providers. The Verification Module Required Documentation Guide requires evidence of information management and privacy systems. Without an information management policy, you cannot pass a verification or certification audit.

Does the Privacy Act 1988 apply to all NDIS providers?

The Privacy Act applies to organisations with an annual turnover of more than $3 million, all health service providers (regardless of turnover), and organisations that receive Commonwealth government funding. Most NDIS providers fall within at least one of these categories. Even if the Privacy Act does not technically apply to your organisation, the NDIS Practice Standards require equivalent privacy protections.

What is the Notifiable Data Breaches scheme?

The Notifiable Data Breaches (NDB) scheme requires organisations covered by the Privacy Act to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm. Notifications must be made as soon as practicable. Common examples include unauthorised access to participant files, lost or stolen devices containing participant information, and email sent to the wrong recipient containing sensitive data.

How long should participant records be retained?

ClinicComply recommends retaining participant records for at least 7 years after the last service, or until the participant turns 25, whichever is later. Some state and territory legislation requires longer retention periods for specific record types (e.g., health records). Check your applicable state/territory requirements. Records must be stored securely for the entire retention period and disposed of securely when no longer required.

What security measures are needed for electronic participant records?

At a minimum, electronic records should be stored in access-controlled systems with individual user accounts, strong passwords, and multi-factor authentication where available. Data should be encrypted in transit and at rest, regular backups should be maintained, and anti-virus and firewall protection should be current. The NDIS Practice Standards expect security measures to be proportionate to the sensitivity of the information and the risks involved.

Can we share participant information with other providers?

Participant information can be shared with other providers when the participant has given informed consent, when it is necessary for the delivery of supports the participant has requested, or when required or authorised by law. Best practice is to obtain written consent specifying what information can be shared, with whom, and for what purpose. Information shared without consent should be limited to what is strictly necessary and documented.
