NDIS Consent to Share Information: Privacy Compliance Guide

April 1, 2026
Andrea

Information sharing is central to NDIS service delivery – but it comes with strict legal obligations that many providers mismanage. Getting consent wrong does not just risk a privacy complaint. It can trigger a Commission investigation, result in an audit finding, and – most importantly – harm the participants you are there to support. HCPA has guided 10,500+ NDIS providers through consent management frameworks that are both compliant and practical to operate.

This guide covers what the NDIS consent-to-share-information requirements actually demand of providers, the 5 elements of valid consent, when consent is needed, when exceptions apply, and how to build a consent management system that your whole team can follow consistently.

Why NDIS Consent to Share Information Matters

NDIS participants have the right to control their own information. This right is protected by the Privacy Act 1988, the NDIS Act 2013, and the NDIS Practice Standards. It is not a bureaucratic formality. It is a core expression of participant autonomy, which is one of the fundamental principles the entire scheme is built around.

For providers, consent management is a compliance obligation assessed at audit. Auditors look for documented evidence that participants gave informed consent before their information was shared, that consent was obtained properly, and that consent was recorded and is retrievable. Verbal assurances are not sufficient evidence.

Beyond compliance, strong consent practices build participant trust. Participants who feel their privacy is genuinely respected are more likely to share the information providers need to deliver effective, tailored supports. Weak consent practices, including rushed sign-offs, blanket consents, and outdated forms, undermine the therapeutic relationship and create regulatory exposure simultaneously.

The 5 Elements of Valid Consent

For consent to share NDIS participant information to be legally valid, it must meet all 5 elements. Missing any single element means the consent is not valid – and sharing information based on invalid consent is a privacy breach.

1. Voluntary

Consent must be given freely, without coercion, pressure, or the implication that services will be withheld if consent is refused. Participants must understand that declining to consent to information sharing does not jeopardise their access to supports. Any consent obtained through pressure – even unintentional pressure created by the power dynamic between provider and participant – is not valid consent.

2. Current

Consent must apply to the current proposed information sharing, not to sharing in general or to sharing that occurred years ago. A consent form signed at intake in 2022 does not automatically cover information sharing in 2026. Providers must obtain fresh consent when the purpose, recipient, or nature of information being shared changes materially from what was originally consented to.

3. Informed

Participants must understand what information will be shared, who it will be shared with, why it is being shared, and what the consequences of sharing – and not sharing – might be. Informed consent requires plain language communication. Legal jargon, dense policy documents, and complex consent forms do not constitute informed consent for participants who have cognitive, communication, or literacy challenges.

4. Specific

Consent must relate to a specific piece of information or a specific category of information, shared with a specific recipient for a specific purpose. Blanket consents – “I consent to my information being shared with anyone involved in my care” – are generally not specific enough to be valid for sensitive health and disability information. Providers should design consent forms that capture specificity without creating unnecessary administrative burden.

5. Capacity-Based

The participant must have the decision-making capacity to consent. Where a participant lacks capacity, consent must be obtained from their authorised representative: a guardian, administrator, or person responsible under the relevant state or territory legislation. Providers must not assume capacity or assume a family member has authority to consent without verifying that authority. Documenting how capacity was assessed – and by whom – is part of a defensible consent record.

When Is Consent to Share Information Required?

Consent is required whenever you share personal information about a participant with a third party. In the NDIS context, common scenarios where consent is required include:

  • Sharing support plans or progress notes with other service providers involved in the participant’s care
  • Providing information to family members or carers who are not the participant’s authorised representative
  • Sharing health or medical information with allied health practitioners, GPs, or specialists
  • Reporting incident details that identify a participant to the NDIS Commission (note: mandatory reporting has its own framework)
  • Providing information to support coordinators or plan managers not directly employed by your organisation
  • Sharing information for research, training, or quality improvement purposes

Each of these scenarios requires consent that meets all 5 elements. Providers who use a single intake consent form to cover all future sharing scenarios are taking on significant compliance risk.

Exceptions to Consent Requirements

There are circumstances where information can be shared without participant consent. These exceptions exist to protect participants and the community – they are not a mechanism for avoiding consent processes where consent should be obtained.

Mandatory Reporting Obligations

Where a provider has a legal obligation to report – for example, mandatory reporting of child abuse, mandatory reporting of reportable incidents to the NDIS Commission, or reporting to police following unlawful conduct – consent is not required. However, participants should generally be informed that a report is being made, unless doing so would create risk.

Serious Risk to Health or Safety

Information may be shared without consent where there is a serious and imminent threat to the health or safety of the participant or another person, and obtaining consent is not reasonably practicable. This exception is applied narrowly – providers must document the specific threat, the assessment of imminence, and why consent could not be obtained before sharing.

Authorised by Law

Some information sharing is authorised or required by legislation – for example, sharing with law enforcement agencies under warrant, or with courts under subpoena. These situations should be handled in consultation with legal advice. Providers should have a documented process for responding to legal information requests.

Building a Consent Management System

A compliant consent management system does not need to be complex – but it does need to be consistent and auditable. Providers who implement the following framework typically complete the privacy and consent section of their audit without findings.

Start with a consent policy that defines what consent is required for, how it is obtained, how it is documented, and how it is reviewed or withdrawn. This policy should align with your privacy policy and be reviewed annually. Workers must understand the policy, not just sign off on having read it.

Use purpose-specific consent forms rather than a single blanket form. A form for sharing information with an allied health practitioner looks different from a form for sharing with a support coordinator. Building purpose-specific forms reduces the risk of using vague or overly broad consent language.

Maintain a consent register – a record of what was consented to, by whom (participant or authorised representative), when, and for what purpose. This register is your primary audit evidence. It should be searchable and updated whenever consent is obtained, amended, or withdrawn.

Train all workers on consent requirements as part of induction and annual refresher training. Workers who interact with participants must understand when consent is needed, how to obtain it properly, and what to do if a participant declines. Our NDIS compliance support includes staff training resources tailored to your service type.

Review consent records at regular intervals – at least annually or when a participant’s circumstances change significantly. Consent given 3 years ago for a support arrangement that has since changed substantially may no longer be valid for current sharing activities. A scheduled consent audit as part of your internal review calendar catches these gaps before an external auditor does.

Consent and the NDIS Practice Standards

Consent management sits within multiple NDIS Practice Standard requirements. The core module on support provision environment requires providers to demonstrate that participants’ rights to privacy and dignity are respected. The participant outcomes module requires evidence that participants are actively involved in decisions about their supports – including decisions about who receives information about them.

Providers who have strong consent systems typically also perform better across related compliance areas – participant rights, complaints management, and incident disclosure. These systems are interconnected. Strong consent practice reflects a broader organisational commitment to participant-centred service delivery, which auditors recognise and reward in their assessments.

Our team can review your current consent systems against the full NDIS Practice Standards and identify exactly where gaps exist. Most providers find 2-3 areas for improvement in their consent documentation even when they believe their systems are solid.

Frequently Asked Questions

Can a participant’s family member give consent on their behalf?

Only if that family member is the participant’s legally authorised representative – a guardian, administrator, or person responsible under relevant state or territory law. Being a family member, even a close one, does not automatically confer authority to consent on a participant’s behalf. Providers must verify and document the basis of authority before accepting third-party consent.

What does “withdrawing consent” mean, and how should providers respond?

Participants have the right to withdraw consent at any time. Withdrawal means stopping the sharing activity from that point forward – it does not require reversing information that has already been legitimately shared. When a participant withdraws consent, providers must update their consent register immediately, notify relevant parties where appropriate, and document what steps were taken in response. Withdrawal of consent must not result in any reduction in the quality of supports provided.

How long should consent records be retained?

NDIS providers should retain consent records for a minimum of 7 years from the date of the last service delivery, consistent with general record-keeping obligations under Australian law. For participants who were minors at the time of service, records should be retained until the participant turns 25 or for 7 years from last service – whichever is longer. Some states have different requirements – check local legislation for your jurisdiction.

What is the difference between NDIS consent and the Privacy Act consent requirements?

The Privacy Act 1988 provides the overarching legal framework for handling personal information in Australia. NDIS-specific consent requirements operate within that framework but add sector-specific obligations related to participant rights, safeguarding, and the nature of disability supports. NDIS providers must comply with both. In most cases, meeting NDIS consent requirements will satisfy Privacy Act obligations – but providers should have their privacy policy reviewed against both frameworks.

Do we need consent to share de-identified participant information?

Genuinely de-identified information – where there is no reasonable prospect of re-identification – is generally not covered by privacy consent requirements. However, “de-identification” is assessed against a high standard. Information that includes location, age, disability type, support type, and postcode in combination may be re-identifiable even without a name. Providers should seek advice before assuming information is de-identified for sharing purposes.


HCPA has supported 10,500+ NDIS providers to build privacy and consent systems that hold up under Commission scrutiny. As Australia’s Regulatory Growth Consultants, we turn consent compliance into participant trust advantage. Our client managers – who average 3 years with the same clients – understand the full context of your organisation, including your participant cohort, support types, and risk profile. We build consent frameworks that are compliant, practical, and understood by your entire team.

Book a privacy and consent review today – and know your information management systems are audit-ready.
