NDIS Code of Conduct
The NDIS Code of Conduct is a legally enforceable set of seven obligations that applies to every worker and provider delivering NDIS-funded supports - registered or not.
In plain English
The NDIS Code of Conduct is the universal floor for behaviour across the NDIS. It applies to every worker and provider delivering NDIS-funded supports, regardless of whether the provider is registered with the Commission or not. Set out in the National Disability Insurance Scheme Act 2013 (Cth) and the NDIS (Code of Conduct) Rules 2018, it has the force of law and breaches carry civil penalties up to $1.6M per contravention.
The Code is short - seven clauses - but each one carries a significant compliance footprint behind it. Auditors test against it via the Practice Standards; the Commission investigates breaches directly through complaints and notifications.
The seven obligations
- Act with respect for individual rights.
Treat each participant as an individual with the right to freedom of expression, self-determination, and decision-making. This is the foundation on which every other clause sits.
- Respect privacy.
Handle personal information lawfully under the Privacy Act and the NDIS confidentiality rules. This includes how you collect, store, share, and dispose of participant records. The practical implication is that ad-hoc Google Drive folders and shared mailboxes are high-risk.
- Provide supports in a safe and competent manner with care and skill.
Workers must have the skills, knowledge, and qualifications for the supports they deliver. This is the clause behind worker screening, mandatory training, and competency verification.
- Act with integrity, honesty, and transparency.
Don't over-claim, don't bill for supports not delivered, don't mislead participants about cost or scope. The Commission has been increasingly active on fraud and over-servicing in 2025–2026.
- Promptly take steps to raise and act on concerns about matters that may impact the quality and safety of supports.
The whistleblower-and-incident-handling clause. Workers must raise concerns; providers must have systems that capture, escalate, and resolve them - including reportable incidents within 5 business days (or 24 hours for serious categories).
- Take all reasonable steps to prevent and respond to all forms of violence, exploitation, neglect, and abuse.
Includes financial abuse and discrimination. The Code links directly to the Commission's reportable incident scheme and the new Integrity and Safeguarding Bill 2025 criminal offences.
- Take all reasonable steps to prevent and respond to sexual misconduct.
Specific clause given the historical prevalence of sexual abuse of people with disability in institutional settings. Backed by specific reportable-incident categories and worker-screening exclusion grounds.
Who has to comply
The Code applies to:
- NDIS providers - registered and unregistered alike.
- Workers - every employee, contractor, sub-contractor, volunteer, and student delivering NDIS-funded supports.
- Key personnel - directors, executives, and people with operational control over the provider.
- Self-managed and plan-managed support contexts - even where the worker is engaged directly by the participant.
The only NDIS-funded supports the Code does not reach are those provided by family members under informal-care arrangements where no payment flows through the NDIS.
How auditors and the Commission test it
Auditors don't audit the Code directly - they audit against the Practice Standards, and the Standards bake the Code in. The Commission, however, investigates Code breaches independently via:
- Participant and family complaints.
- Reportable incidents.
- Notifications from other providers, workers, or government agencies.
- Their own market surveillance.
Investigations can lead to compliance notices, banning orders against individuals, civil penalty proceedings, or referral for criminal prosecution under the 2025 Bill once it's in force.
Penalties for breach
Civil penalties under the NDIS Act:
- Up to $1.65M per contravention for a body corporate.
- Up to $330,000 per contravention for an individual.
- Banning orders excluding individuals from working in the sector.
- Compliance notices requiring specific remedial actions.
- Criminal offences for the most serious conduct, expanded under the Integrity and Safeguarding Bill 2025.
Penalties for breach will be covered in detail in our upcoming NDIS penalties guide.
How Checkbase helps
Checkbase covers the operational hooks behind clauses 2, 3, and 5: encrypted document storage with role-based access (privacy), worker screening + mandatory training tracked with expiry alerts (care and skill), and an incident-reporting workflow that timestamps and escalates per the 5-business-day reportable-incident rule. Every provider - registered or not - needs these systems; we just make them less painful to keep current.
Frequently asked questions
Does the Code apply if I'm an unregistered provider?
Yes. The Code applies to every worker and provider delivering NDIS-funded supports - registration with the Commission is not the trigger. Penalties are also identical regardless of registration status.
What's the difference between the Code and the Practice Standards?
The Code applies to everyone; the Practice Standards apply only to registered providers and are tested in audits. The Code defines minimum behaviour; the Standards define the operational systems that should make those behaviours consistent.
Do my workers need to sign anything?
Best practice - and what auditors expect - is a Code of Conduct acknowledgment as part of every worker's onboarding, plus annual re-acknowledgment. Checkbase tracks the acknowledgments automatically.
What about volunteers and students?
The Code applies to them too. Volunteer- and student-specific onboarding should include the acknowledgment, worker screening where required, and induction on incident reporting.
Where's the official source?
The NDIS Commission publishes the Code on the NDIS Code of Conduct page. The legislative source is the NDIS (Code of Conduct) Rules 2018, made under the NDIS Act 2013.