NDIS Code of Conduct for Providers: Complete Guide 2026

April 5, 2026
Andrea

NDIS Code of Conduct: Provider Obligations Guide 2026

The NDIS Code of Conduct is not optional reading. It is the legal and ethical framework that governs how every registered NDIS provider operates, and non-compliance carries serious consequences, including enforceable undertakings and outright deregistration. At HCPA, we have supported 10,500+ NDIS providers through registration, compliance, and audit preparation. We know exactly where providers get this wrong – and how to get it right.

This guide breaks down all 7 Code of Conduct obligations, explains what enforcement looks like in practice, and gives you a proven system for embedding compliance into your daily operations. Whether you are a new provider preparing for your first audit or an established organisation refining your governance framework, this is the reference you need.

What Is the NDIS Code of Conduct?

The NDIS Code of Conduct is a set of 7 legally binding obligations that apply to all NDIS registered providers and their workers. It was established under the National Disability Insurance Scheme Act 2013 and is enforced by the NDIS Quality and Safeguards Commission. The Code sets the minimum standard of conduct expected from anyone delivering NDIS supports – regardless of their role, employment type, or location.

The Code is intentionally broad. It covers not just what you do, but how you do it. Providers who treat it as a box-ticking exercise almost always struggle at audit time. Those who build it into their culture – through staff training, documented processes, and accountability systems – consistently pass with confidence.

The 7 NDIS Code of Conduct Obligations

Every NDIS provider and worker must comply with all 7 obligations. Here is what each requires in practice:

  • Act with respect for individual rights to freedom of expression, self-determination and decision-making – Support participants to make their own choices, even when those choices carry risk. Document how you balance autonomy with duty of care.
  • Respect the privacy of people with disability – Handle participant information according to the Australian Privacy Act and NDIS-specific requirements. Have a documented privacy policy that workers understand and follow.
  • Provide supports and services in a safe and competent manner with care and skill – Workers must have the qualifications, training, and supervision required for the supports they deliver. Competency frameworks must be documented.
  • Act with integrity, honesty and transparency – Do not mislead participants, the NDIS Commission, or any other party. This includes accurate record-keeping, honest billing, and transparent communication about service limitations.
  • Promptly take steps to raise and act on concerns about matters that might have an impact on the quality and safety of supports – This is your incident management obligation. Reportable incidents must be reported within required timeframes.
  • Take all reasonable steps to prevent and respond to all forms of violence against, and exploitation, neglect and abuse of, people with disability – Your safeguarding framework must be documented and workers trained on recognition and response.
  • Take all reasonable steps to prevent and respond to sexual misconduct – Specific policies, reporting pathways, and staff training on sexual misconduct must be in place.

Enforcement: What Happens When Providers Fall Short

The NDIS Commission has significant enforcement powers, and it uses them. Understanding the enforcement spectrum helps providers appreciate what is genuinely at stake – and why investment in compliance is always cheaper than the alternative.

Compliance Notices

A compliance notice is the Commission’s first formal response to identified non-compliance. It specifies the breach, the required corrective action, and the timeframe. Providers who receive a notice and fail to act promptly escalate their risk significantly. Most compliance notices are issued following a complaint, incident report, or audit finding.

Enforceable Undertakings

An enforceable undertaking is a formal agreement between the provider and the Commission. The provider commits to specific corrective actions over a defined period. Breach of an enforceable undertaking is treated as a serious compliance failure and can trigger further sanctions. These undertakings are publicly available – reputational damage is real and lasting.

Registration Conditions, Suspension, and Cancellation

For serious or repeated breaches, the Commission can impose conditions on a provider’s registration, suspend registration entirely, or cancel it. Registration cancellation means the provider can no longer deliver NDIS-funded supports – a business-ending outcome. The Commission has cancelled registrations for Code of Conduct breaches including abuse, fraud, and systematic safeguarding failures.

Banning Orders

Individual workers – not just organisations – can be banned from working in the NDIS sector. Banning orders are issued where a worker has engaged in conduct that poses a risk to participants. They apply regardless of whether the worker changes employer or moves to a new provider.

Building a Code of Conduct Compliance System

Compliance with the NDIS Code of Conduct is not achieved through good intentions. It requires a documented, auditable system that covers policies, training, supervision, and accountability. Providers who pass audits consistently share a common characteristic: their compliance system is built into daily operations, not bolted on at audit time.

Step 1: Document Your Policies

Each of the 7 Code obligations requires a corresponding policy. These policies must be current (reviewed at least annually), accessible to all workers, and written in plain language. Version control matters – auditors check whether workers are using the current version of each policy.

Step 2: Train All Workers – Including Contractors

The Code applies to workers, not just employees. Contractors, agency staff, and volunteers must receive Code of Conduct training. Training must be documented – name, date, content covered, and attestation. Many providers use a worker induction module that covers the Code alongside mandatory NDIS Worker Orientation Module completion.

Step 3: Establish Incident Management and Reporting

Your incident management system must capture, investigate, and resolve incidents – and report to the Commission where required. Reportable incidents have strict timeframes: 24 hours for priority incidents, 5 days for others. Missing these timeframes is itself a compliance breach.

Step 4: Implement Supervision and Performance Management

Regular supervision ensures workers deliver supports in line with Code obligations. Supervision records must show frequency, content, and any concerns raised. Performance management processes must address Code breaches promptly – documented evidence of action taken is essential at audit.

Step 5: Conduct Internal Audits

Do not wait for the Commission to find gaps. Internal audits against the Code of Conduct – conducted at least annually – allow providers to identify and remediate issues before they become audit findings. Our team includes experienced internal auditors who can run these reviews on your behalf.

Step 6: Review and Improve Continuously

Compliance systems decay without active maintenance. Policy reviews, incident trend analysis, worker feedback, and post-audit reviews all feed into continuous improvement. Document your improvement actions – this evidence is valuable at your next audit.

Worker Screening and the Code of Conduct

NDIS Worker Screening is a separate but complementary requirement to Code compliance. Every worker in risk-assessed roles must hold a current NDIS Worker Screening clearance. Providers who deploy workers without clearances are in breach – and this breach is almost always identified at audit.

Worker screening does not replace Code of Conduct training. A worker can hold a valid screening clearance and still breach the Code through dishonest, disrespectful, or unsafe conduct. Both requirements must be managed in parallel. Your NDIS registration obligations include documenting compliance with both.

Many providers find it helpful to use a worker compliance register – a single document that tracks each worker’s screening clearance expiry, Code training completion, mandatory module status, and supervision history. This single source of truth dramatically reduces audit preparation time.

Common Code of Conduct Failures – and How to Avoid Them

After working with thousands of NDIS providers across Australia, our team has identified the most common Code of Conduct compliance gaps. These are the issues that generate complaints, trigger investigations, and produce adverse audit findings.

  • Incomplete worker training records – Providers often have training programs but cannot produce evidence of completion for all workers, particularly contractors and casuals.
  • Outdated policies – Policies last reviewed in 2022 or 2023 are a red flag to auditors. Annual reviews with documented sign-off are required.
  • Delayed incident reporting – Missing the 24-hour window for priority reportable incidents is one of the most common compliance breaches we see.
  • Insufficient supervision records – From an audit perspective, supervision that happens but is not documented is the same as supervision that never happened.
  • No complaints management system – Every provider must have a functioning complaints process. Participants and their families must know how to make a complaint and what will happen when they do.

Our NDIS compliance support services include a comprehensive gap analysis that maps your current systems against all 7 Code obligations. We identify what is missing, what needs updating, and what you can do immediately to reduce your risk.

Frequently Asked Questions

Does the NDIS Code of Conduct apply to unregistered providers?

Yes. The Code applies to all NDIS providers – registered and unregistered – and their workers. Unregistered providers delivering supports to self-managed or plan-managed participants are still bound by the Code. The NDIS Commission can take action against unregistered providers for Code breaches.

What training do workers need to meet Code of Conduct requirements?

As a minimum, workers must complete the NDIS Worker Orientation Module (available through the NDIS Commission) and receive provider-specific Code of Conduct training. The orientation module alone is not sufficient. Providers must supplement it with training on their own policies, incident reporting procedures, and safeguarding frameworks.

How often should policies be reviewed?

Policies should be reviewed at least annually, and immediately following any significant incident, regulatory change, or audit finding. Reviews must be documented – including who conducted the review, what changes were made, and when the updated policy was communicated to workers.

Can a worker be held personally liable for Code breaches?

Yes. The Code applies to individual workers, not just to organisations. The NDIS Commission can take action against workers directly, including issuing banning orders. This applies to employees, contractors, and volunteers. Providers are responsible for ensuring their workers understand and comply with the Code.

What happens during an NDIS audit related to the Code of Conduct?

Auditors assess compliance with the Code by reviewing your policies, training records, incident management logs, supervision records, and complaints register. They may also conduct worker interviews to assess understanding of Code obligations. The audit is evidence-based – good systems without documentation are treated the same as no systems.


HCPA has supported 10,500+ NDIS providers to build compliant, audit-ready systems. Our client managers average 3 years with the same clients – we know your business, not just your paperwork. Whether you need a full compliance review, policy development, or audit preparation support, we are ready to help. Code of Conduct mastery is not just about avoiding sanctions. It is the foundation of Regulatory Growth: providers with robust compliance systems build reputations that attract referrals, win tenders, and scale confidently within the NDIS sector.

Talk to a compliance expert today – and find out exactly where your Code of Conduct systems stand.
