Privacy Collection Statement

Privacy Collection Statement

The NDIS Quality and Safeguards Commission (NDIS Commission) is bound by the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act) which regulate how certain types of organisations and agencies may collect, use, disclose and store personal information. The NDIS Commission is also bound by the provisions of the National Disability Insurance Scheme Act 2013 (Cth) (the NDIS Act) concerning management of information that the NDIS Commission holds about a person. This is “protected Commission information” under the NDIS Act. An example of protected Commission information is information about a worker on the NDIS Worker Screening Database. Unauthorised use and disclosure of protected Commission information by any person is a criminal offence under the NDIS Act.

Collection of personal information

The NDIS Commission may collect your personal information (including sensitive information) directly from you, your representative or a third party, or from publicly available sources to facilitate and support the exercise of the NDIS Commissioner’s functions under the NDIS Act and Rules. This includes collecting personal information when we are:

  • Considering and determining an application to be a registered NDIS provider
  • Handling a complaint related to the provision of supports and services under the NDIS
  • Managing the response to a reportable incident notified to the Commission
  • Monitoring or investigating an NDIS provider’s or worker’s compliance with the NDIS Act and Rules
  • Reviewing the use of restrictive practices and the provision of behaviour support services
  • Taking compliance and enforcement action
  • Assessing applications for employment with the NDIS Commission and associated employment matters (including security and pre-employment integrity checks)
  • Assessing applications to participate in any NDIS Commission funded programs and initiatives
  • Managing of contracts and funding agreements, or
  • Undertaking other regulatory action under the NDIS Act and the NDIS Rules.

We may also obtain your personal information collected by other Commonwealth agencies, State or Territory government bodies, or other organisations for the purposes of fulfilling our regulatory functions. Examples include the NDIA, State or Territory disability related regulators, non-disability related regulators (such as work health and safety regulators), law enforcement agencies, courts and tribunals, and workers screening units. From time to time, we may also receive personal information from members of the public without it being requested.

We generally use forms, online portals and other electronic or paper correspondence to collect this information. We may also collect information through our website and social media services such as Facebook (Meta), Twitter, MailChimp, SurveyMonkey, Google and YouTube to improve our website and receive feedback from the community.

We will not ask for information that is not reasonably necessary for, or directly related to, a function or activity of the NDIS Commission. We include a privacy notification on our paper based forms and online portals that describes the reason why the information is being collected and to whom the information may be disclosed to.

Kinds of personal and sensitive information collected and held

The kinds of personal information we may collect and hold is determined by the reason for collection. It may include:

  • name, address and contact details (e.g. phone, email and fax)
  • photographs, video recordings and audio recordings of you
  • information about the supports and services you have provided to NDIS participants and how you provided those supports and services
  • information about your personal circumstances (e.g. marital status, age, gender, occupation, accommodation and relevant information about your partner or children)
  • information about your financial affairs (e.g. payment details, bank account details and information about business and financial interests)
  • information about your employment (e.g. work history, referee comments, remuneration)
  • government identifiers (e.g. Centrelink Reference Number or Tax File Number) and/or
  • information about assistance provided to you under the NDIS.

Sensitive information may include information about:

  • your health
  • your identity (e.g. date of birth, country of birth, passport details, visa details, drivers licence, birth certificates, ATM cards)
  • your background (e.g. educational qualifications, the languages you speak and your English proficiency), and/or
  • your criminal history.


The NDIS Act authorises the collection, use and disclosure of protected Commission information in certain circumstances, including where this is for the purposes of the NDIS Act. Where the collection of personal information is authorised or required under the NDIS Act and Rules, not providing the information may constitute a contravention of the NDIS Act, which may lead to a criminal or civil penalty. Where the NDIS Commission asks you to provide personal information voluntarily, you should consider your own privacy obligations and seek advice if necessary.

Use and disclosure of personal and sensitive information

The NDIS Commission may use or disclose some or all of the personal information collected from you for the purpose of performing the functions of the NDIS Commissioner under the NDIS Act such as in relation to the NDIS Worker Screening Database. This may include sharing information with the Worker Screening Units in States and Territories. 

If authorised by the NDIS Act, the NDIS Commission may also disclose personal information to other relevant parties, including other Commonwealth, State or Territory agencies, regulatory bodies or professional associations. The NDIS Commission often makes disclosures of personal information to:

  • the NDIA, including the NDIS Fraud Taskforce
  • the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability
  • Coroners
  • State and Territory Worker Screening Units
  • Public Advocates
  • Other regulators with a role that has a connection with NDIS supports and services

The NDIS Commission is not likely to disclose personal information to overseas recipients.

Personal and sensitive information obtained by us will only be used and disclosed for the purposes, and in the circumstances, outlined above and will not be used or disclosed without your consent for any other purpose or in other circumstances, except as authorised under the Privacy Act or where authorised or required by law, including by the NDIS Act.

Accessing and correcting your personal and sensitive information

We store and hold your personal and sensitive information in accordance with the NDIS Commission’s obligations under the Privacy Act and the Archives Act 1983 (Cth). The NDIS Commission’s Privacy Policy contains more information about how you may access and seek correction of your personal information.

How to make an enquiry, request or complaint

Enquiries, requests and complaints relating to the Privacy Act and the collection of your personal information can be made by:

If you make a complaint regarding the collection, use or handling of your personal information we will deal with your complaint in accordance with the NDIS Commission’s Feedback and Complaints Policy

Related resources

EasyRead logo - version 2