Sapna is a content writer at Sprintlaw. She has completed a Bachelor of Laws with a Bachelor of Arts. Since graduating, she has worked primarily in the field of legal research and writing, and now helps Sprintlaw assist small businesses.
If you deliver supports and services under the National Disability Insurance Scheme (NDIS), you’ll regularly handle highly sensitive personal and health information.
An NDIS Consent Form is a simple but critical tool that helps you collect, use and share that information lawfully and transparently.
In this guide, we’ll explain what an NDIS Consent Form is, when you should use one, what to include, and how to make sure your consent process complies with Australian privacy laws and the NDIS Practice Standards. We’ll also outline related documents and a step-by-step approach to rolling out a compliant consent framework in your organisation.
What Is An NDIS Consent Form (In Plain English)?
An NDIS Consent Form records a participant’s permission for your organisation to collect, use and disclose their personal information - including sensitive health information - for clearly stated purposes related to their supports.
In practice, it confirms that the participant (or their guardian/nominee) understands what information you’re collecting, why you need it, who you may share it with (for example, the NDIA, plan managers, support coordinators or allied health providers), and how they can change or withdraw consent.
For NDIS providers, consent isn’t a “nice to have”. It’s a key requirement under Australian privacy law and the NDIS Quality and Safeguards framework. A well-drafted, easy-to-understand form helps you meet those obligations and build trust with participants and their families.
Why Does Consent Matter For NDIS Providers?
Consent underpins participant choice and control. It also reduces legal risk for your organisation. Here’s why it matters:
- Legal compliance: The Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs) require consent (or another lawful basis) to collect and disclose sensitive information such as health data.
- NDIS Practice Standards: You’re expected to demonstrate transparent information handling, participant involvement in decision-making and robust record-keeping.
- Risk management: Clear consent reduces the likelihood of complaints, reportable incidents or privacy breaches.
- Trust and safety: Participants and families are more comfortable sharing information when the “who/what/why/how” is set out clearly.
Consent isn’t a one-off event. It’s an ongoing conversation that should be revisited if circumstances change (new services, new third-party providers, or a change in a participant’s preferences).
What Should An NDIS Consent Form Include?
Your form should be short, clear and written in plain English. It should also accommodate easy-read or translated versions if you support participants with different communication needs. At a minimum, cover:
1) What Information You Collect
List the types of information you collect (e.g. contact details, NDIS number, support plans, clinical notes, assessments, incident reports). Clarify that some of this is sensitive health information.
2) Why You Collect It (Purpose)
Explain how the information supports service delivery, safety, funding/claims, quality review, coordination with other providers, and legal obligations.
3) Who You Share It With
Name the typical third parties you may disclose to, such as the NDIA, plan managers, support coordinators, external clinicians, emergency services (if required), or legal advisors. Where possible, describe categories rather than an exhaustive list.
4) How You Store And Protect It
Describe your security approach in simple terms (e.g. secure electronic records, limited staff access, confidentiality obligations). Reference your Privacy Policy so participants know where to find the full details.
5) How Long You Keep It
Note your retention practices and that you’ll securely delete or de-identify information when it’s no longer required under law or for service purposes.
6) Rights To Access, Correct, Or Withdraw Consent
Explain how participants can request access to their information, correct it, or change/withdraw consent at any time (and what that means for service delivery).
7) Capacity, Guardians And Nominees
Include space to record whether the participant is providing consent themselves or via a legally authorised decision-maker (e.g. guardian, attorney, NDIS nominee). Capture the decision-maker’s details and supporting evidence if applicable.
8) How To Make A Complaint
Point to your internal complaints pathway and external options (e.g. the NDIS Quality and Safeguards Commission) in clear, neutral language. Internally, it’s a good idea to align this with a Privacy Complaint Handling Procedure.
9) Signature And Dates (Or Electronic Acknowledgement)
Offer options that suit your service model: physical signature, e-signature or recorded verbal consent (see more on formats below). Always include a date and version of the form.
When And How Should You Collect Consent?
Consent should be voluntary, informed, specific and current. It should also be given by someone with capacity, or by an authorised decision-maker. Here’s how to get it right.
Obtain Consent Early (But Don’t Rush)
Ideally, collect consent during onboarding, before starting supports. Allow time for questions and consider providing an easy-read summary. If the participant needs support to understand, arrange for a support person, interpreter or advocate.
Use Clear, Accessible Formats
You can use written, electronic or verbal consent so long as it’s documented. For many providers, an electronic form works well - especially if you operate remotely or at scale.
Where you need permission for a specific type of disclosure, use targeted forms like a Participant Consent Form or a Medical Release Consent Form so the participant can clearly see what they’re agreeing to.
Check Capacity And Authority
Always verify who is giving consent. If a guardian or nominee is signing, record their details and keep evidence of their authority. If capacity fluctuates, consider shorter review periods and regular check-ins.
Keep Consent Specific
Overly broad consent can cause confusion and complaints. Be precise about purposes and third parties, and use separate tick-boxes where appropriate (e.g. sharing with a specific therapist or for marketing updates).
Review And Renew When Things Change
Consent should be refreshed when you change your services, engage new third-party providers, roll out new systems, or when a participant’s goals and supports shift. Consider annual reviews as a baseline.
Document, Document, Document
Keep a clear record of how consent was obtained and what was explained. If consent is given verbally (e.g. over the phone), record the date, time, staff member and content of the conversation in your case notes.
Privacy Law And NDIS Practice Standards: What Do You Need To Comply With?
Consent is one part of your broader privacy and data protection obligations. To stay compliant, make sure you have the following building blocks in place.
Privacy Policy And Collection Notices
Publish a current, accessible Privacy Policy and provide a Privacy Collection Notice at the point you collect information. These documents tell participants what you collect, why, and how they can exercise their rights.
Consent Workflow And Templates
Use a standardised NDIS Consent Form with clear guidance for staff. This ensures consistency and reduces the risk of omissions.
Third-Party Processors And Cloud Providers
If you use software platforms, case management tools or offshore service providers to store/handle participant information, you’ll usually need a Data Processing Agreement with each vendor to set security, confidentiality and breach obligations.
Data Security And Breach Response
Implement appropriate technical and organisational measures (access controls, encryption, secure disposal). Plan ahead with a tested Data Breach Response Plan so you can act quickly if something goes wrong.
Complaints, Requests And Corrections
Train staff to recognise and handle privacy requests (access, correction, withdrawal of consent) promptly. Maintain a simple pathway for privacy complaints, aligned with your complaint handling procedure and NDIS incident/complaints obligations.
How To Draft And Roll Out An NDIS Consent Form (Step-By-Step)
Putting a strong consent framework in place doesn’t need to be complicated. Here’s a practical roadmap you can follow.
Step 1: Map Your Information Flows
List what you collect, why, where it’s stored, and who you share it with. This helps you write precise consent wording and identify any risky disclosures that need tighter controls.
Step 2: Draft The Form In Plain English
Keep it short and modular. Use headings, checkboxes and examples. Make versions available in easy-read or translated formats to support accessibility.
Step 3: Align With Your Policies
Ensure your consent wording aligns with your Privacy Policy, collection notices and service agreements. If someone else is authorised to act for the participant, consider using or attaching an Authority To Act Form.
Step 4: Build An Onboarding Workflow
Embed the consent step into your intake process. Decide whether you’ll capture consent via paper, your client management system, or e-signature. Train staff on how to explain the form and answer common questions.
Step 5: Implement Record-Keeping Rules
Standardise where consent records live, who can access them, and how you record verbal consent. Set reminders for consent reviews and version control for forms.
Step 6: Prepare For Edge Cases
Document how you’ll handle urgent disclosures (e.g. safety concerns), withdrawal of consent, conflicts between family members, and capacity changes. Having a clear playbook makes hard moments easier.
Step 7: Review Regularly
Consent practices should evolve with your service. Schedule periodic reviews, audit a sample of files for consent quality, and update your form when services or systems change.
Common Questions About NDIS Consent
Can We Rely On Verbal Consent?
Yes, if it’s truly informed and voluntary - and you document it properly. For higher-risk disclosures, written or electronic consent is preferable.
Is Electronic Consent Valid?
Electronic consent is widely accepted in Australia provided the participant can view the information, indicate agreement, and you can keep a reliable record (audit trail, IP/time stamp, or signed PDF).
Who Can Consent If The Participant Lacks Capacity?
Where a participant can’t provide informed consent, you’ll generally seek consent from the legally authorised decision-maker (e.g. guardian, NDIS nominee, enduring attorney for health matters). Record their authority and contact details on the form.
Do We Need Separate Consent For Marketing?
Yes. Keep service-delivery consent separate from optional uses like newsletters or testimonials. Use clear opt-in boxes and allow participants to change their preferences at any time.
What If A Participant Withdraws Consent?
Respect their decision and stop the relevant collection/disclosure unless another lawful basis applies (e.g. serious threat to life or health). Explain any service impacts and update your records promptly.
Do We Need A New Form For Each Disclosure?
Not necessarily. A well-drafted form can cover typical, reasonably expected disclosures. If a new, unusual disclosure arises (e.g. to a new third-party system provider or for a new program), seek fresh, specific consent.
Related Documents You’ll Likely Need
An NDIS Consent Form works best as part of a consistent privacy toolkit. Depending on your model, consider:
- Privacy Policy: Sets out your information handling in full and must be easily accessible to participants.
- Privacy Collection Notice: A short notice you provide when collecting information that explains purposes and rights in plain terms.
- Participant Consent Form: Useful when you need a targeted permission for a specific disclosure or activity.
- Medical Release Consent Form: For sharing clinical records or requesting information from external health providers.
- Data Processing Agreement: Contracts with software or service vendors who process participant data on your behalf.
- Data Breach Response Plan: A practical plan for investigating, containing and notifying affected people if a breach occurs.
Not every provider will need all of these from day one, but most will need several. The key is to ensure they’re consistent and tailored to your actual services and systems.
Key Takeaways
- An NDIS Consent Form records a participant’s clear, informed permission for you to collect, use and disclose their information for defined purposes.
- Consent should be voluntary, specific, current and documented - and refreshed when services or third-party arrangements change.
- Make your form short and plain-English, covering what you collect, why, who you share it with, storage and security, rights and complaints.
- Embed consent into your onboarding workflow and keep robust records, whether consent is written, electronic or verbal.
- Back up your form with a current Privacy Policy, collection notices, processor agreements and a breach response plan to meet your wider obligations.
- When in doubt, get advice and keep the participant at the centre - clarity and transparency go a long way in building trust and staying compliant.


