The IT Security Checklist Every NDIS Provider Needs


Plain-English. No jargon. Covers the Essential Eight, Privacy Act 2025, audit requirements, and exactly what to fix first — whether you run a Support Coordination firm, a SIL house, or a plan management company.

For: Support Coordination firms, SIL providers, Plan managers
Updated April 2026. 8 min read. Includes free security audit offer.

Here’s a number that should get your attention: in Australia, a cybercrime now occurs every six minutes. Health and community services — which includes NDIS providers — is consistently one of the top five most targeted sectors in the country.

And it’s not the big hospital networks getting hit most. It’s small-to-medium providers — support coordination firms, SIL operators, plan management companies — that are increasingly in the crosshairs. Why? Because they hold highly sensitive participant data but rarely have a dedicated IT person, a security plan, or even multi-factor authentication switched on.

This guide cuts through the technical noise and gives you a plain-English security checklist you can actually use. No IT degree required.

The numbers you need to know

Every 6 minutes: a cybercrime occurs in Australia (ACSC 2024)
$46,000: average cost of a cybercrime report for an Australian SMB
19%: share of all Australian data breaches that are in health and disability services

Why NDIS providers are prime targets

Cybercriminals aren’t random. They target organisations that hold valuable data but lack robust defences. NDIS providers tick both boxes.

Think about what you hold: participant health records, disability diagnoses, behavioural support plans, bank account details, NDIS plan funding amounts, home addresses, next of kin contacts. Under Australian Privacy Principle 12, this is classified as sensitive information — the highest protection category. A breach isn’t just an IT incident. It’s a direct risk to the safety and wellbeing of the people you support.

The four most common attacks on NDIS providers

📧 Phishing emails

Fake emails pretending to be from the NDIA, NDIS Commission, or your own management team — tricking staff into clicking links or revealing passwords.

🔒 Ransomware

Hackers lock your entire system and demand payment to restore access. In 2023, law firm HWL Ebsworth — which handled NDIS matters — was hit, putting participant data at risk.

🔑 Stolen passwords

Shared logins, weak passwords, and no multi-factor authentication allow attackers to walk straight into your case management software or email accounts.

🔗 Supply chain attacks

If one of your software vendors (rostering, billing, case management) is breached, your participant data can be exposed even if your own systems are perfectly secure.

What the law actually requires

This isn’t optional. Three separate pieces of legislation now directly apply to NDIS providers’ IT security — and the penalties have teeth.

Privacy Act 1988 (updated 2025; now applies to nearly all businesses)
  What it requires: Reasonable steps to protect personal information. Role-based access. Encrypted storage. Documented breach response process.
  Penalty for breach: Up to $50M or 30% of adjusted turnover

Cyber Security Act 2024 (passed November 2024)
  What it requires: Mandatory ransomware payment reporting. Cyber incident reporting. Minimum security standards for connected devices.
  Penalty for breach: Mandatory reporting; failure = civil penalties

Notifiable Data Breaches (NDB) scheme (under the Privacy Act)
  What it requires: Report any breach likely to cause serious harm to the OAIC and affected individuals within 30 days of becoming aware.
  Penalty for breach: Penalties plus reputational damage; failure to report = separate offence

NDIS Practice Standards (Information Management module)
  What it requires: Documented access controls, staff privacy training records, audit trails, data retention schedules, and incident logs for auditors.
  Penalty for breach: Audit failure; risk of deregistration

⚠️ 2025 Privacy Act change

The 2025 Privacy Act updates removed the small business exemption for organisations with turnover under $3 million. This means almost every NDIS provider — regardless of size — now has full Privacy Act obligations. If you previously assumed you were exempt, that protection is gone.


The IT security checklist — 8 areas every NDIS provider must address

This checklist is built around the Australian Government’s Essential Eight framework — the ACSC’s recommended baseline for cyber resilience — translated into plain English for NDIS organisations. Work through each section and note where you have gaps.


1. Passwords & Multi-Factor Authentication (MFA)

Essential Eight: Restrict admin privileges + MFA

HIGHEST PRIORITY

Most NDIS provider breaches start here. Shared passwords, weak passwords, and no MFA are the three most common entry points for attackers.

  • Multi-factor authentication (MFA) is enabled on email, case management software, PRODA/myID, and any system containing participant data
  • No shared login credentials — each staff member has their own unique username and password
  • Passwords are at least 14 characters — or your organisation uses a password manager (Bitwarden, 1Password)
  • Admin accounts are separate from day-to-day user accounts — admin rights restricted to those who genuinely need them
  • Departed staff accounts are disabled immediately — a documented offboarding process exists for IT access removal

Plain-English tip: MFA is the “two-step login” you use for your banking app. When you log in, you enter your password AND a code sent to your phone. Even if someone steals your password, they still can’t get in without your phone. Enable this on everything — it stops the vast majority of breaches.


2. Software Updates & Patching

Essential Eight: Patch applications + patch operating systems

Outdated software is the #1 source of data breaches. The “Remind me later” button is the most dangerous button in your office. Critical vulnerabilities must be patched within 48 hours under the Essential Eight framework.

  • Windows/macOS is fully up to date on all staff devices — auto-updates are enabled
  • Microsoft Office / Google Workspace is current — no staff using Office 2013 or older versions
  • Web browsers are current (Chrome, Edge, Firefox) — browser extensions reviewed and unnecessary ones removed
  • No unsupported operating systems in use — Windows 10 reached end of life in October 2025; devices must be upgraded to Windows 11

3. Data Encryption & Storage

Privacy Act APP 11 — reasonable steps to protect personal information

Participant data must be stored in encrypted, Australian-hosted systems. The NDIA explicitly requires that identifiable participant data cannot be stored or accessed offshore.

  • Participant records are stored in an encrypted, cloud-based system — not on local hard drives, USBs, or personal Google Drive accounts
  • Data is stored in Australian data centres — check your software provider’s data residency. Microsoft 365 and major Australian systems typically qualify.
  • Laptop hard drives are encrypted — BitLocker (Windows) or FileVault (Mac) is enabled on all devices that leave the office
  • No sensitive data is shared via personal email or SMS — a documented policy exists for how participant information is shared between staff

4. Backups — Your Last Line of Defence

Essential Eight: Regular backups

When ransomware hits — and for many providers, it’s a matter of when, not if — your backup is what determines whether you’re back online in hours or weeks. Most small providers discover they have no working backup only when it’s too late.

  • Backups run automatically at least daily — not manually, not weekly, not “when I remember”
  • Backups are stored separately from your main system — ideally offline or in a separate cloud account that can’t be encrypted by ransomware
  • You have actually tested restoring from backup — in the last 6 months, someone verified the backup works by restoring a test file
  • Backup retention covers at least 90 days — some ransomware lies dormant; you need older restore points in case the corruption goes back weeks

Plain-English tip: Think of your backup like a spare key. Having one copy of your house key and keeping it in the same drawer as your main key defeats the purpose. Your backup needs to be in a completely separate location — ideally a different system entirely.
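To turn the four backup items above into something you can check rather than assume, here is an added example (not from this guide or from Fixable): a Python audit of a backup catalogue that reports gaps in the nightly schedule, copies that all sit on the primary system, a stale restore test and short retention. The catalogue, its field names and the "onsite_nas" location label are constructed assumptions; a real catalogue would come from your backup tool's export.

```python
from datetime import date, timedelta

# Constructed catalogue: 100 nights of snapshots with a three-night outage,
# every copy on the same on-site NAS. Field names are an assumption.
AS_OF = date(2026, 4, 10)
SNAPSHOTS = [
    {"taken": date(2026, 1, 1) + timedelta(days=i), "location": "onsite_nas"}
    for i in range(100) if i not in (40, 41, 42)
]
LAST_RESTORE_TEST = date(2025, 9, 15)   # when someone last restored a test file

def audit_backups(snapshots, last_restore_test, as_of, max_gap_days=1,
                  min_retention_days=90, max_test_age_days=180, primary="onsite_nas"):
    """Check a backup catalogue against the four checklist items and return
    plain-English findings (an empty list means all four are satisfied)."""
    findings = []
    if not snapshots:
        return ["No backups found at all"]
    taken = sorted(s["taken"] for s in snapshots)
    # 1. Runs at least daily: no gap wider than max_gap_days, and the newest is recent.
    for earlier, later in zip(taken, taken[1:]):
        gap = (later - earlier).days
        if gap > max_gap_days:
            findings.append(f"{gap}-day gap in backups between {earlier} and {later}")
    newest_age = (as_of - taken[-1]).days
    if newest_age > max_gap_days:
        findings.append(f"Newest backup is {newest_age} days old")
    # 2. Stored separately: at least one copy somewhere other than the primary system.
    if {s["location"] for s in snapshots} <= {primary}:
        findings.append("All copies live on the primary system; ransomware could encrypt them too")
    # 3. Restore actually tested recently.
    test_age = (as_of - last_restore_test).days
    if test_age > max_test_age_days:
        findings.append(f"Last restore test was {test_age} days ago")
    # 4. Retention covers enough older restore points.
    span = (taken[-1] - taken[0]).days
    if span < min_retention_days:
        findings.append(f"Only {span} days of restore points kept")
    return findings
```

Run it against the constructed catalogue and it reports the three problems; point it at a real export and an empty result is the evidence an auditor can file.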


5. Email Security & Staff Awareness

The #1 attack vector — phishing causes 91% of all data breaches

  • Staff have received training on phishing emails — they know what a suspicious email looks like and who to report it to
  • Business email uses a custom domain (e.g. @yourorg.com.au) — not a free Gmail or Hotmail account for official communications
  • Spam filtering and email scanning are active — Microsoft 365 Defender or Google Workspace’s built-in protection is enabled
  • There is a process for staff to report suspicious emails — someone knows what to do when a staff member receives a suspicious email

6. Role-Based Access Control

NDIS Practice Standards — only authorised staff see participant data

Not every staff member needs access to every participant’s records. Role-based access is a fundamental NDIS Practice Standard requirement and is specifically checked during NDIS audits.

  • Staff can only access records they need for their role — a support worker doesn’t have access to financial records; an admin doesn’t see clinical notes
  • Access is reviewed when roles change — when someone is promoted, moved, or leaves, their access level is updated immediately
  • An audit trail exists — your case management software logs who accessed which records and when (required by NDIS auditors)
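An added example, not from this guide or from Fixable, of the review the audit trail in this section (and the departed-staff item in section 1) is meant to support: a Python script that reads case-management access log lines, checks each access against a role permission table, flags after-hours access for a second look, and flags activity from accounts on an offboarding register. The log lines, their format, the role names, the permission table and the offboarding register are all constructed assumptions.

```python
from datetime import datetime
# Constructed sample export from a case management system. The format
# (timestamp | user | role | record_type | participant_id | action) is assumed.
SAMPLE_LOG = """\
2026-03-02T09:14:05 | j.nguyen | support_worker | shift_notes | P1042 | view
2026-03-02T09:20:41 | j.nguyen | support_worker | bank_details | P1042 | view
2026-03-02T10:02:13 | a.patel | plan_manager | bank_details | P1042 | edit
2026-03-02T10:05:00 | a.patel | plan_manager | clinical_notes | P2210 | view
2026-03-03T22:47:19 | m.lee | support_coordinator | support_plan | P2210 | view
2026-03-04T08:00:00 | t.okafor | support_worker | shift_notes | P1042 | view
"""

# Assumed role permission table: which record types each role may open.
ROLE_PERMISSIONS = {
    "support_worker": {"shift_notes", "support_plan"},
    "support_coordinator": {"support_plan", "clinical_notes", "shift_notes"},
    "plan_manager": {"bank_details", "funding", "invoices"},
}
# Assumed offboarding register: user -> date their access should have ended.
DEPARTED = {"t.okafor": datetime(2026, 3, 1)}
def parse_line(line):
    """Split one log line into a dict; return None for a malformed or blank line."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        return None
    ts, user, role, record_type, participant, action = parts
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "record_type": record_type, "participant": participant, "action": action}

def review_access_log(log_text, permissions=ROLE_PERMISSIONS, departed=DEPARTED,
                      business_hours=range(7, 19)):
    """Return (user, reason) findings for a human access reviewer to follow up."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        user, ts = entry["user"], entry["ts"]
        # Role-based access: the record type must be on the role's allow list.
        if entry["record_type"] not in permissions.get(entry["role"], set()):
            findings.append((user, f"{entry['role']} opened {entry['record_type']} "
                                   f"for {entry['participant']} on {ts.date()}"))
        # After-hours access deserves a second look, especially from home devices.
        if ts.hour not in business_hours:
            findings.append((user, f"access at {ts.time()} outside business hours"))
        # Offboarding: a departed account that still shows activity was never disabled.
        left = departed.get(user)
        if left and ts >= left:
            findings.append((user, f"account still active after offboarding on {left.date()}"))
    return findings
```

On the constructed log this flags a support worker opening bank details, a plan manager opening clinical notes, one late-night access and one account that should have been disabled; each finding is a question for a person, not an automatic verdict.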

7. Device Security & Mobile Workers

Especially important for SIL providers and field-based support coordinators

NDIS organisations have decentralised workforces — support coordinators work from home, SIL staff use tablets in the field. Every device that touches participant data is a potential entry point.

  • All work devices have antivirus/endpoint protection — Microsoft Defender (built into Windows 11) is a good free starting point
  • Devices auto-lock after inactivity — screen locks after 5–10 minutes of no use (critical for SIL house tablets left unattended)
  • Staff personal devices are not used for participant records — or if they are, a clear BYOD (Bring Your Own Device) policy is in place
  • Lost/stolen devices can be remotely wiped — especially important for field staff tablets containing participant information

8. Incident Response & Breach Reporting

Notifiable Data Breaches — you have 30 days to report from awareness

When (not if) an incident occurs, your response in the first 24 hours determines how much damage is done. Most NDIS providers have no plan. The law requires one.

  • A written incident response plan exists — staff know who to call, what to shut down, and who is responsible in an emergency
  • Staff know what counts as a notifiable breach — any unauthorised access to participant data that could cause serious harm must be reported to the OAIC within 30 days
  • An incident log is maintained — security incidents are recorded and reviewed, as required by NDIS Practice Standards during audits
  • Ransomware payment reporting is understood — under the new Cyber Security Act 2024, ransomware payments must be reported to the government within 72 hours

How to score your organisation

0–10 ticks
  What it means: High risk. A breach is not a matter of if, but when. Your organisation would likely fail an NDIS audit on data governance.
  Action required: Act immediately. Call Fixable for a free IT security assessment.

11–20 ticks
  What it means: Moderate risk. Some protections in place but significant gaps. You are meeting some compliance requirements but not all.
  Action required: Prioritise gaps. Focus on MFA, backups, and access control first.

21–28 ticks
  What it means: Good foundation. You’re meeting most baseline requirements. Focus on documentation, staff training, and keeping systems updated.
  Action required: Maintain and document. Annual review recommended.

Frequently asked questions

Do I need to be NDIS-registered to need IT security?

No. The Privacy Act 1988 applies to all organisations handling personal information, regardless of NDIS registration status. Since the 2025 updates removed the small business exemption, virtually all NDIS providers — registered or unregistered, large or small — now have full Privacy Act obligations.

Does an NDIS auditor actually check our IT systems?

Yes. NDIS audits under the Practice Standards Information Management module specifically look for: documented access control policies, evidence of staff privacy training, incident logs, data retention schedules, and evidence that only authorised staff can access participant records. An auditor may ask to see your login procedures or how you handle a data breach.

We’re a small team of 3–4 people. Is this really relevant for us?

More so than for large organisations. Small teams are disproportionately targeted because attackers know they lack dedicated IT support. A 3-person support coordination firm holds just as much sensitive participant data as a 50-person company — but typically has a fraction of the protection. The good news is the basics (MFA, strong passwords, encrypted storage, regular backups) cost almost nothing to implement.

What does a data breach actually cost an NDIS provider?

The direct costs include: legal fees, IT forensics, notifying affected participants, regulatory investigation, potential fines (up to $50M under the Privacy Act), and staff time spent on remediation. The indirect costs — participant trust, referral relationships, and reputation — can be even more damaging. The ACSC reports the average cybercrime cost for an Australian SMB is $46,000. For a small NDIS provider, that can be existential.

Can Fixable help us get audit-ready on IT security?

Yes. Fixable offers a free on-site IT security assessment for NDIS providers in Melbourne’s eastern and south-eastern suburbs. We go through your systems, identify gaps against the Essential Eight and NDIS Practice Standards, and give you a plain-English action plan. No jargon, no upselling — just an honest assessment of where you stand and what to fix first. Call 0435 955 429 to book.

Free IT security assessment for NDIS providers

We come to your office or SIL house, review your IT setup against this checklist, and give you a plain-English written report. No sales pitch. NDIS Worker Screening cleared. Melbourne-wide.


Free NDIS IT Security Checklist PDF

A printable one-page version of this checklist — ready for your next staff meeting or to keep on file for your NDIS audit. Download free →

About Fixable: Friendly, patient on-site IT support across all Melbourne suburbs. We specialise in helping NDIS organisations, SIL providers, support coordination firms, and plan management companies with technology — always in plain English. NDIS Worker Screening cleared. Call 0435 955 429 or visit fixable.au

Need Tech Help Today?

Call now or request a free callback — we service all Melbourne suburbs.
