Cyber Security for NDIS Providers: Participant Data Protection and What Your Compliance Obligations Require
NDIS providers hold some of the most sensitive personal data in Australia — disability diagnoses, health histories, care plans, financial details, and the daily routines of people who depend on you. Protecting that data is not just a legal obligation. It is a fundamental expression of the duty of care you owe to every participant you support.
The NDIS sector has grown into one of the largest social support programs in Australian history, with over half a million active participants and a registered provider network spanning sole traders to large organisations. That scale, combined with the deeply sensitive nature of participant information, makes the sector an increasingly prominent target for cyber attack.
Health service providers — a category that includes disability support providers — consistently report the highest number of data breaches of any industry in Australia. The OAIC's Notifiable Data Breaches Report for July to December 2024 confirmed this pattern: health and disability services accounted for the highest proportion of reported breaches across all sectors. The data held by NDIS providers explains why: it is comprehensive, sensitive, and — for participants who may have limited capacity to manage the consequences of identity theft or financial fraud — the impact of a breach can be severe in ways that go beyond what statistics capture.
Providers who are also registered health practitioners — physiotherapists, occupational therapists, psychologists, and similar — face AHPRA's Code of Conduct obligations on top of NDIS Commission requirements. Both sets of obligations apply simultaneously, and a single incident can trigger consequences under both frameworks.
What Data NDIS Providers Actually Hold
The starting point for any security analysis is understanding the data you collect and retain. For NDIS providers, this goes well beyond what most small businesses would consider. Across participant records, staff records, and operational systems, a typical provider holds:
- Participant assessment and care plans — functional assessments, support needs, goals, and behaviour support plans; these documents describe a person's disability in clinical and personal detail
- Health and medical information — diagnoses, medications, medical history relevant to supports, allied health reports, and specialist assessments
- Financial information — NDIS plan budgets and funding categories, banking details for plan-managed participants, Centrelink interactions, and invoicing records
- Identity documents — copies of birth certificates, Medicare cards, and government-issued photo ID collected at registration
- Daily care records and progress notes — shift-by-shift records of supports delivered, incidents observed, and participant wellbeing; these create a granular record of a participant's daily life
- Incident and complaint records — reports of restrictive practices, serious incidents, and complaints; these are among the most sensitive records in any organisation
- Home and routine information — for in-home support providers, records may include property access arrangements, daily schedules, and household security details
- Guardian and nominee information — contact details and decision-making authority for participants' families and representatives
The combination of health information, financial data, identity documents, and detailed personal routines in a single record set makes a participant file extraordinarily comprehensive. A breach of this data is not just a privacy incident — it creates the conditions for identity fraud, financial exploitation, and for participants in supported living arrangements, potential physical safety risks.
Your Regulatory Obligations
NDIS Code of Conduct — Principle 2
Respect the Privacy of People with Disability
Every registered NDIS provider and support worker must comply with the NDIS Code of Conduct. Principle 2 explicitly requires respecting participant privacy — including through secure data handling practices. Failure to maintain adequate information security can constitute a breach of the Code, with consequences ranging from conditions on registration to deregistration.
NDIS Practice Standards — Core Module 1
Rights and Responsibilities — Participant Privacy and Dignity
The NDIS Practice Standards require approved providers to implement consistent policies and procedures that protect participant privacy — including through secure digital systems. Annual privacy and information security assessments are expected as part of audit readiness.
Privacy Act 1988 (Cth)
APP 11 — Data Security and Australian Privacy Principles
Health and disability information is sensitive information under the Privacy Act, attracting its strongest protections. Providers with annual turnover above $3M — or those handling health information regardless of turnover — are covered by the APPs and must take reasonable technical and organisational steps to protect personal information.
Privacy Act — NDB Scheme
Notifiable Data Breaches
A breach involving participant health or disability information almost certainly meets the serious harm threshold that triggers mandatory notification to the OAIC and affected participants. Given the vulnerability of many NDIS participants, the threshold for serious harm is lower than for other populations.
Cyber Security Act 2024 (Cth)
Ransomware Payment Reporting
Providers with annual turnover above $3M must report ransomware or extortion payments to the Australian Signals Directorate within 72 hours. Ransomware targeting NDIS providers disrupts critical care delivery as well as compromising data — the operational stakes are higher than in most other small business contexts.
NDIS Act 2013 — NDIS Commission
Commission Investigation and Registration Consequences
The NDIS Quality and Safeguards Commission has broad powers to investigate, impose conditions, suspend, or cancel provider registrations where there are serious failures in participant safety or data protection. A cyber incident leading to participant harm could trigger a Commission investigation independent of Privacy Act obligations.
The Specific Threats Facing NDIS Providers
The threat landscape for NDIS providers has characteristics that differ from other small business sectors. Three threats deserve particular attention:
Ransomware Targeting Care Delivery Systems
NDIS providers are attractive ransomware targets for two reasons: the sensitivity of the data they hold creates leverage for extortion demands, and the disruption of care delivery systems creates operational pressure to pay quickly. A provider that cannot access care plans, shift records, or medication information faces not just data risk but real participant safety consequences. The 2022 CTARS breach — in which the cloud-based case management platform used by multiple NDIS providers was compromised, exposing sensitive participant data — illustrated exactly this dynamic.
Phishing and Account Compromise
Many NDIS providers use cloud-based rostering, billing, and case management platforms, and communicate extensively by email. Support workers often use personal devices and personal email accounts for work-related communication. This creates a diffuse and difficult-to-control attack surface. A phishing email that captures a support coordinator's login credentials can expose every participant file they have access to.
Supply Chain and Third-Party Platform Risk
The 2023–24 ASD Annual Cyber Threat Report documented 107 supply chain incidents — approximately 9% of all recorded incidents. NDIS providers who rely on third-party platforms for rostering, invoicing, or participant management share in the risk profile of those platforms. If a vendor's platform is compromised, participant data held on that platform may be exposed regardless of the provider's own security posture.
Staff with direct participant access represent a significant insider threat vector. Support workers frequently access participant information on personal mobile devices. Casual and part-time staff may not receive adequate cyber security training. And the distributed, community-based nature of much NDIS work means that security controls applied at the head office do not automatically extend to every access point. Policies without training and enforcement are not controls — they are documentation.
Baseline Controls for NDIS Providers
For most NDIS providers, a practical and proportionate security baseline centres on the following controls:
- MFA on all staff accounts — rostering systems, billing platforms, case management software, and email; MFA blocks the majority of account compromise attempts; it is the single most impactful control available
- Role-based access controls — support workers should access only the participant files relevant to the clients they directly support; administrators should not have the same access as senior coordinators; a breach involving one account should not expose every participant record
- Device management policies — if staff use personal devices for work purposes, minimum security requirements (screen lock, device encryption, no jailbreaking) should be documented and enforced as a condition of access
- Encrypted storage of participant records — care plans, assessment reports, and health information should be stored in encrypted systems, not in shared drives, USB sticks, or personal email attachments
- Regular software patching — all software, including rostering apps, case management platforms, and mobile applications, should be kept up to date; unpatched software is the most common technical attack vector
- Offline backup of critical records — in the event of a ransomware attack, an offline backup of participant care plans and critical information allows care continuity without paying a ransom
- Annual cyber security training for all staff — including support workers; training should cover phishing recognition, password management, device security, and what to do if they suspect a breach
- Third-party vendor assessment — before adopting any cloud platform that will hold participant data, assess the vendor's security practices; at minimum, confirm they have MFA, encryption at rest, and a breach notification process
- Documented incident response plan — a clear process for what happens when a suspected breach is detected; who is notified internally, what systems are isolated, and when the OAIC and NDIS Commission are contacted
- Annual privacy and information security assessment — the NDIS Practice Standards expect this as part of audit readiness; it should be documented and retained
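To make the role-based access and audit points in the list above concrete, here is an added example (it is not code from the article, and it does not model any particular NDIS platform). It enforces two conditions on every read of a participant record: the user's role must permit the record section, and the user must actually be assigned to that participant. Every decision is logged, a simple detector flags accounts accumulating denials, and a "blast radius" count shows how many record sections one compromised account could expose under scoped access versus a flat "everyone sees everything" model. Role names, section labels, usernames and participant IDs are all constructed sample data.

```python
"""Added example: assignment-scoped, role-based access to participant records,
with an audit trail and a blast-radius measure. All names, roles, section
labels and participant IDs are constructed sample data, not from any real system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Sections a participant file is split into (assumed labels for this example).
SECTIONS = ("care_plan", "health", "financial", "identity", "progress_notes", "incidents")

# Least privilege: which sections each role may read. A support worker needs the
# care plan and progress notes for a shift, not banking details or ID documents.
ROLE_PERMISSIONS = {
    "support_worker": {"care_plan", "progress_notes"},
    "support_coordinator": {"care_plan", "health", "progress_notes", "incidents"},
    "plan_manager": {"financial"},
    "admin": {"identity", "financial"},  # registration/invoicing, not clinical data
}

PARTICIPANTS = [f"P{n:03d}" for n in range(1, 51)]  # 50 constructed participant IDs


@dataclass
class User:
    username: str
    role: str
    assigned_participants: frozenset  # participants this person directly supports


@dataclass
class AccessLog:
    """Append-only record of every access decision, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, user, participant_id, section, allowed, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.username, "participant": participant_id,
            "section": section, "allowed": allowed, "reason": reason,
        })


def check_access(user, participant_id, section, log):
    """Allow a read only if the role permits the section AND the user is assigned
    to that participant. Both checks are required; both outcomes are logged."""
    if section not in SECTIONS:
        log.record(user, participant_id, section, False, "unknown section")
        return False
    if section not in ROLE_PERMISSIONS.get(user.role, set()):
        log.record(user, participant_id, section, False, "role lacks permission")
        return False
    if participant_id not in user.assigned_participants:
        log.record(user, participant_id, section, False, "not assigned to participant")
        return False
    log.record(user, participant_id, section, True, "ok")
    return True


def exposure_if_compromised(user, all_participants):
    """(participant, section) pairs readable from one compromised account under scoped access."""
    readable = ROLE_PERMISSIONS.get(user.role, set())
    in_scope = [p for p in all_participants if p in user.assigned_participants]
    return len(in_scope) * len(readable)


def exposure_flat_model(all_participants):
    """Same measure when every account can read every section of every file."""
    return len(all_participants) * len(SECTIONS)


def denied_by_user(log, threshold=3):
    """Detection helper: accounts with `threshold` or more denied reads, which may
    indicate a compromised credential probing for records outside its assignments."""
    counts = {}
    for e in log.entries:
        if not e["allowed"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


def demo():
    """Run the checks against constructed data and return the outcomes."""
    log = AccessLog()
    ana = User("ana", "support_worker", frozenset({"P001", "P002"}))
    return {
        "own_care_plan": check_access(ana, "P001", "care_plan", log),      # True
        "own_financial": check_access(ana, "P001", "financial", log),      # False: role
        "other_participant": check_access(ana, "P003", "care_plan", log),  # False: not assigned
        "unknown_section": check_access(ana, "P001", "bank_pin", log),     # False: no such section
        "exposure_scoped": exposure_if_compromised(ana, PARTICIPANTS),     # 2 participants x 2 sections
        "exposure_flat": exposure_flat_model(PARTICIPANTS),                # 50 participants x 6 sections
        "flagged": denied_by_user(log, threshold=3),                       # ana reached 3 denials
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the assignment check is what limits the blast radius of a phished account: with the same role but no participant scoping, one support worker's credentials would read the care plans and notes of all 50 participants rather than two. The denial counter is deliberately simple; in a real rostering or case management platform the equivalent signal would come from the vendor's audit export, which is one of the things worth confirming during a third-party vendor assessment.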
Cyber security is participant safety. When a breach occurs in an NDIS provider, the NDIS Commission does not treat it solely as an IT failure. It is assessed against your obligations under the Code of Conduct and Practice Standards — as a failure to protect participant rights and wellbeing. Framing your cyber security investment as participant safety expenditure, rather than IT overhead, is the right lens — and it is the lens your auditors will use.
Responding to an Incident
If you experience a cyber incident — a ransomware infection, a phishing compromise, an unauthorised access event, or a vendor breach — the response obligations for NDIS providers are layered. Understanding what happens when a breach occurs — the sequence of events, costs, and notification obligations — is essential planning before an incident, not after.
- Contain and assess — isolate affected systems, reset compromised credentials, and determine what data may have been accessed or exfiltrated
- Notify the NDIS Commission — the Commission's incident reporting portal should be notified of significant incidents affecting participant safety or data; this includes data breaches involving participant health or personal information
- Assess NDB obligations — determine whether the breach constitutes an eligible data breach under the Privacy Act; participant health information almost certainly meets the serious harm threshold
- Notify the OAIC and affected participants — for eligible data breaches, notification must occur as soon as practicable; for participants with limited capacity, notification to nominees or representatives may also be required
- Notify the ASD — if a ransomware payment has been made and your turnover is above $3M, report within 72 hours
- Review care continuity — if care delivery systems have been disrupted, the immediate priority is ensuring participant safety; incident response planning should address care continuity alongside data breach response
Assess Your NDIS Organisation's Cyber Security
Our NDIS Provider Health Check covers the controls most relevant to your organisation — participant data protection, staff access management, device security, vendor risk, and NDIS Commission compliance. Scored results, prioritised recommendations, and a written report you can use as evidence of your annual information security assessment.
