Information Management: NDIS Provider Governance and Operational Management


Published: 23 August 2021

Providers of National Disability Insurance Scheme (NDIS) services must ensure that NDIS participants’ information is collected, stored and disclosed appropriately and in a way that respects their privacy and confidentiality.

What is Health Information?

The term health information refers to any information regarding a person’s health or disability, and any information that relates to a health service they have received or will receive (Better Health Channel 2015).

What is Information Management?

Information management involves obtaining, analysing and protecting health information in both digital and handwritten forms (AHIMA n.d.).

According to the International Organization for Standardization, the steps of effective information management are:

  1. Establishing an ‘Inventory of Information Assets’ that keeps track of:
    • Every location where information is stored, processed or accessible, such as:
      • IT hardware
      • Software
      • People
      • Physical files
    • The owners of this information.
  2. Collecting and classifying information in accordance with a classification system
  3. Labelling all information
  4. Handling information in a secure way depending on its classification type, according to the organisation’s policies and procedures.

(Sinor 2020)


Information Management Tips

The top 10 administrative record-keeping tips, as listed by the Australian Department of Health (2021), are:

  1. Planning what processes are needed for information to be effectively maintained, and determining how these processes can be achieved
  2. Collecting and storing information consistently and ensuring that all workers follow the same policies and procedures
  3. Clearly communicating expectations to workers and ensuring they understand the relevant policies and procedures
  4. Providing appropriate staff training
  5. Appropriately allocating the resources (e.g. workers and physical resources) needed in order to manage information
  6. Modifying the information management system if a more efficient method arises
  7. Embracing new technology that may improve efficiency
  8. Delegating information management responsibilities to appropriate workers
  9. Being aware of responsibilities and obligations, such as what to record, how to maintain records and how long records should be kept
  10. Reviewing the information management system and seeking feedback from workers in order to facilitate continuous improvement.

Information Management in the NDIS Practice Standards

Information management is a requirement of the NDIS Practice Standards under Core Module 2: Provider Governance and Operational Management.

This Practice Standard aims to ensure that providers manage health information so that it is identifiable, accurately recorded, up-to-date and confidential. Furthermore, this information should be easily accessed by participants and appropriately used in the delivery of supports (NDIS 2020).

NDIS providers must meet the following quality indicators:

  • Providers must obtain consent from participants before obtaining, using, retaining or disclosing their information. Participants should be informed about situations in which their information could be disclosed, including without consent if required by law
  • Participants should be informed about:
    • How their information is being stored and used
    • When and how they can access or change their information
    • When and how they can revoke or change their prior consent
  • Providers maintain an information management system that is relevant and proportionate to the size and scale of the organisation and records participant information accurately and in a timely manner
  • Providers store documents with appropriate use, access, transfer, storage, security, retrieval, retention, destruction and disposal processes. These processes must be relevant and proportionate to the scope and complexity of the supports being delivered.

(NDIS 2020)

Obtaining Consent

Read: Privacy and Dignity: NDIS Provider Rights and Responsibilities

NDIS participants, or a nominated individual, can make the decision to give the provider access to the participant’s health records or to withhold them.

While this is optional, giving workers access to this information will help them to provide the best care possible. However, workers are required to protect participants’ privacy and confidentiality (Better Health Channel 2015).

Note: a person always maintains a right to access their own medical records.

The NDIS and NDIS providers may collect and access participants’ health information, as well as other personal information if it is ‘reasonably necessary’ for them to do so in order to perform their role. This information might include:

  • Name, contact details, date of birth and age
  • Gender
  • Health details (e.g. physical health, mental health, any disabilities)
  • Support requirements
  • Names, contact details and addresses of guardians and nominees
  • Centrelink Customer Reference Number (CRN)
  • Feedback or complaints about services
  • Bank details
  • Employee records.

(NDIA 2021)

Recording Health Information


The recording of progress notes and other information is crucial to the delivery of high-quality supports (Sinor 2020).

Effectively documenting information helps to:

  • Improve the efficiency of operations
  • Ensure transparency
  • Maintain the security of confidential information
  • Support staff to work more effectively
  • Increase staff retention
  • Improve business continuity
  • Measure progress towards the participant’s goals
  • Provide a record of events that have occurred during an appointment or shift
  • Ensure members of the care team can identify, communicate and coordinate around the participant’s needs
  • Provide evidence that supports are being delivered properly and the participant is being appropriately cared for.

(DoH 2021; Sinor 2020)

Read: Record Keeping and Documentation

When recording progress notes, clinical records, reports or planning documents, workers should:

  • If writing by hand:
    • Ensure that writing is legible
    • Use a pen rather than a pencil
    • Correct errors by ruling a line through the mistake, writing the correction and initialling the change. The original entry should still be readable. Avoid erasing or using whiteout
  • Ensure that observations and actions are documented accurately and the facts of the situation are clearly stated
  • Use familiar and comfortable language and avoid technical jargon
  • Record information as completely and concisely as possible, ensuring that documentation is brief, simple and direct
  • Prioritise quality over quantity; avoid ‘padding’ and exaggerations
  • Ensure observations, events and conversations are recorded as soon as possible after they occur so that entries are as complete and accurate as possible
  • Ensure all entries are signed and labelled with the correct date and time
  • Follow their organisation’s policies and procedures on date and time format, use of initials, position designations and other identifiers
  • Ensure that participants’ records are easily distinguishable
  • Ensure they have the correct participant’s record before making an entry, especially when documenting healthcare or medicines
  • Check previous entries and progress notes to ensure continuity and coordination in supports
  • Only use abbreviations that are listed in organisational guidelines.

(Sinor 2020)

Disclosing Information

In some cases, the NDIS might need to disclose a participant’s personal information. Where possible, this information will be de-identified before disclosure. Examples of when disclosure may occur include:

  • The participant consenting to have their information disclosed
  • The NDIS referring a participant to an external provider
  • Disclosure being necessary in order to deliver the NDIS
  • Disclosure being required under law
  • Disclosure being necessary in order to prevent or reduce a serious and immediate threat to someone’s life
  • Disclosure being necessary in order to prevent or reduce a threat to public safety
  • Disclosure being required as part of an internal complaints investigation
  • The NDIS engaging a contractor that requires personal information in order to perform required services
  • Data sharing or data integration with Australian Government agencies.

(NDIA 2021)

Laws may differ by State, and certain exemptions may apply in law enforcement situations and in a court of law. Keep in mind that health information privacy laws only grant rights to people who are living (Better Health Channel 2015).

Ausmed