Running a registered NDIS provider comes with significant administrative responsibility. Beyond delivering quality supports, providers must maintain a suite of compliant NDIS policies and procedures that reflect current legislative requirements, align with the NDIS Practice Standards, and hold up under audit scrutiny. Yet across the sector, the same gaps appear again and again — not because organisations lack care, but because NDIS policy and procedures requirements are detailed, frequently updated, and easy to underestimate.
This post outlines the most common NDIS policy gaps identified in registered provider organisations, and what each gap means for compliance risk.
Outdated or Incomplete Worker Screening and Onboarding Policies
Worker screening is one of the most straightforward NDIS requirements, yet it remains a persistent gap. The NDIS (Worker Screening) Act 2020 requires that registered providers ensure workers in risk-assessed roles hold a valid NDIS Worker Screening Check. Whether a worker can begin in a risk-assessed role while awaiting a clearance determination varies by state and territory — some jurisdictions permit supervised work during the assessment period, while others operate on a no-clearance, no-start basis. Providers must confirm the arrangements that apply in their state or territory under the NDIS (Practice Standards — Worker Screening) Rules 2018, and reflect these accurately in their onboarding policies.
Where providers often fall short is not always in the check itself, but in the surrounding policy framework. NDIS requirements for support workers must be documented in formal onboarding policies that specify: who requires a check, what constitutes a clearance, how the organisation monitors ongoing validity, and what action is taken if a clearance is suspended or revoked. Policies that simply reference the obligation without operational detail will not demonstrate compliance during a Commission audit.
The same applies to evidence of qualifications, induction completion, and mandatory training. If your onboarding policy does not clearly capture what must be verified before a worker begins delivering supports, you have a gap.
Missing or Generic Privacy Policies
An NDIS privacy policy is not optional, and a copied template from a non-NDIS context will rarely be sufficient. Registered providers handle sensitive personal information about participants — including health information, disability-related details, and financial data — and are required under the NDIS (Provider Registration and Practice Standards) Rules 2018 to manage this in accordance with the Australian Privacy Principles.
A compliant NDIS privacy policy must address how participant information is collected, stored, used, shared, and disposed of. It should reference the Privacy Act 1988, explain participant rights to access their own information, and include a process for privacy complaints. Many organisations maintain generic privacy statements that do not address the specific information flows in disability service delivery — particularly third-party sharing with allied health providers, plan managers, or family members. This is a common and easily overlooked gap.
No Formal Cancellation Policy or Misaligned Policy Language
The NDIS cancellation policy requirements apply to both providers and participants, and the rules around short notice cancellations are specific — and since July 2024, more complex. Under the current NDIS Pricing Arrangements and Price Limits, the applicable notice period depends on the type of support being delivered. For disability support worker related supports, a cancellation is considered short notice if the participant provides less than seven clear days’ notice. For most other supports — such as allied health and therapy services — the short notice period is two clear business days. In both cases, providers may claim up to 100% of the agreed support price when a short notice cancellation occurs and the relevant conditions are met, including that the terms were specified in a signed service agreement and the provider was unable to find alternative billable work for the relevant worker.
A gap here usually takes one of two forms. Either the organisation has no formal cancellation policy in place — leaving workers and coordinators to handle cancellations inconsistently — or the policy exists but does not align with current pricing guidance. Given that the NDIS Annual Pricing Review updates the Pricing Arrangements and Price Limits annually, policies that were accurate twelve months ago may no longer reflect the correct timeframes, rates, or conditions. Providers must review and update cancellation policies each time pricing guidance changes.
Gaps in Behaviour Support and Restrictive Practices Policies
For providers delivering supports to participants with complex needs, behaviour support documentation requirements are among the most detailed under the NDIS framework. Providers must have policies that address their obligations relating to behaviour support plans, the use of regulated restrictive practices, and reportable incident obligations when restrictive practices are used.
Common gaps include: policies that reference Behaviour Support Practitioners without defining the referral process; incident reporting procedures that do not specify the correct timeframes under the NDIS (Incident Management and Reportable Incidents) Rules 2018; and restrictive practices authorisation records that are incomplete or stored inconsistently. For providers supporting participants who may be subject to NDIS SIL requirements — Supported Independent Living — these gaps carry additional risk because the practice environment is continuous and the documentation burden is higher.
Inadequate SIL-Specific Policies and Procedures
NDIS SIL requirements extend beyond funding eligibility. Providers delivering SIL supports must have operational policies that reflect the 24/7 or continuous nature of the service environment. This includes rostering policies that address continuity of support, incident management procedures adapted for residential settings, and documentation practices that capture support delivery against each participant’s SIL quote assumptions.
A policy framework built for community access or allied health cannot simply be adapted for SIL delivery without significant additions. Providers who expand into SIL without reviewing their full NDIS policies and procedures suite frequently find themselves with operational gaps that are only identified at audit — or following a critical incident.
Complaint and Feedback Policies That Don’t Meet Practice Standard Requirements
Every registered provider must have a complaints management system that meets the requirements of the NDIS Practice Standards. The gap here is rarely the absence of a complaints policy — most organisations have something in place — but rather that the policy does not meet all required elements.
A compliant complaints policy must: be accessible to participants and their supporters, include an internal resolution process, reference the participant’s right to escalate to the NDIS Commission, specify timeframes for acknowledging and resolving complaints, and integrate with the organisation’s incident management system where complaints involve reportable incidents.
Policies that treat complaints handling as purely an administrative process, without linking it to quality improvement or participant rights obligations, fall short of what the Practice Standards require.
Policies That Exist but Aren’t Embedded
One of the most significant and underrecognised gaps is the implementation gap: policies that exist on paper but have not been communicated to the workforce, integrated into day-to-day operations, or reviewed within required timeframes.
NDIS eligibility requirements for provider registration include an expectation that policies are not only documented but actively implemented. During certification and verification audits, auditors routinely ask frontline workers about their understanding of key policies. If staff cannot speak to the organisation’s incident reporting process, privacy obligations, or complaints procedure, the policy suite — no matter how comprehensive — will not demonstrate compliance.
This is why staff training against NDIS policies is not a one-time onboarding activity. It requires ongoing reinforcement, regular policy review cycles, and evidence that the workforce understands and applies the policies that govern their practice.
Closing the Gaps
Policy gaps in NDIS organisations are rarely the result of negligence. More often, they reflect the sheer volume of NDIS requirements across registration groups, the frequency of regulatory updates, and the difficulty of maintaining an aligned, current, and embedded policy framework without dedicated compliance infrastructure.
The starting point is an honest audit of your current NDIS policy and procedures suite — not just checking whether policies exist, but assessing whether they are current, complete, specific to your registration scope, and understood by your workforce. From there, a structured review and training cycle is the most effective way to close gaps before they become compliance findings.
Effective Policy works with NDIS registered providers to develop, review, and embed compliant policy frameworks. If you would like to understand where your current documentation sits against NDIS requirements, get in touch with our team.
