What Happens When You Breach the NDIS Code of Conduct?










Key takeaway: An NDIS code of conduct breach can result in investigations, compliance notices, banning orders, or civil penalties up to $262,500 for corporations. Understanding the process helps providers and workers avoid serious consequences.

The NDIS Code of Conduct sets clear behavioural obligations for every provider and worker in the scheme. When those obligations are not met, the consequences can be swift and severe. An NDIS code of conduct breach can end careers, cost organisations hundreds of thousands of dollars, and most importantly, cause real harm to participants.

This guide explains exactly what counts as a breach, how the NDIS Commission investigates complaints, what enforcement actions are available, and how providers can prevent problems before they arise.

What Is the NDIS Code of Conduct?

The NDIS Code of Conduct is a legally binding framework that governs how providers and workers must behave when delivering supports and services. It applies to all registered and unregistered providers, all workers, and any person involved in delivering NDIS supports.

The Code outlines seven core obligations. Every person working in the NDIS must:

  • Act with respect for individual rights to freedom of expression, self-determination, and decision-making
  • Respect the privacy of people with disability
  • Provide supports and services in a safe and competent manner
  • Act with integrity, honesty, and transparency
  • Promptly take steps to raise and act on concerns about safety and quality
  • Take all reasonable steps to prevent and respond to violence, exploitation, neglect, and abuse
  • Take all reasonable steps to prevent and respond to sexual misconduct

For a full breakdown of each obligation and what it means in practice, refer to the Inficurex NDIS Code of Conduct complete guide for providers.

The Code works alongside the NDIS Practice Standards, which set quality benchmarks for registered providers. A breach of the Code is distinct from failing Practice Standards, but both can trigger NDIS Commission enforcement action.

Types of NDIS Code of Conduct Breaches

Not all breaches carry the same weight. The NDIS Commission classifies breaches across a spectrum of seriousness. Understanding where particular conduct falls on that spectrum helps predict the likely enforcement response.

Minor Breaches

Minor breaches typically involve procedural failures or isolated lapses in conduct. Examples include failing to document a complaint properly, a single instance of poor communication with a participant, or a minor privacy oversight. These breaches may not result in direct harm but still require attention.

The Commission may handle minor breaches through education, guidance, or a compliance notice. They rarely result in banning orders or significant financial penalties on their own.

Serious Breaches

Serious consequences for a code of conduct breach arise when conduct causes or risks significant harm to participants. This category includes sustained neglect, financial exploitation, emotional abuse, repeated privacy violations, or systemic failures to report incidents. Serious breaches are more likely to trigger formal investigations and strong enforcement actions.

The Commission considers several factors when assessing seriousness:

  • The actual or potential impact on the participant
  • The risk level posed to other participants
  • How far the conduct falls below the expected standard
  • Whether the provider has a history of non-compliance
  • The likelihood of future compliance

Criminal Conduct

Some breaches involve criminal behaviour, such as physical assault, sexual abuse, or financial fraud. In these cases, the Commission coordinates with police and other authorities. Criminal conduct almost always results in immediate banning orders and registration revocation, in addition to any criminal prosecution.

Providers must report criminal conduct involving workers or participants as a reportable incident immediately. Failure to report is itself a serious breach.

The NDIS Commission Investigation Process

When the Commission becomes aware of a potential NDIS code of conduct breach, it follows a structured investigation process. This process is designed to be fair, thorough, and proportionate.

  1. Complaint or notification received: The process begins when the Commission receives a complaint from a participant, family member, or advocate, or when a provider submits a reportable incident notification.
  2. Initial assessment: The Commission evaluates the complaint to determine if it falls within jurisdiction and assesses the immediate risk to participants. High-risk situations may trigger urgent action before the full investigation is complete.
  3. Information gathering: Investigators request records, documents, and written submissions from the provider or worker. They may interview relevant staff, participants, and witnesses.
  4. Site visits and audits: For more complex matters, the Commission may conduct unannounced visits. These visits allow investigators to observe practices firsthand and review records on-site.
  5. Show cause process: Before taking enforcement action, the Commission typically gives the provider or worker an opportunity to respond to findings. This is a fundamental aspect of procedural fairness.
  6. Decision and enforcement action: The Commission decides on the appropriate response, taking into account all evidence and any mitigating factors submitted by the respondent.
  7. Review rights: Parties can seek internal review of most Commission decisions. External review through the Administrative Review Tribunal is also available.

Important: Cooperating fully with the Commission during an investigation is always the right approach. Obstruction or failure to provide requested information is itself a breach and can worsen enforcement outcomes.

Providers should maintain meticulous records to support their response during any investigation. Strong incident management systems and up-to-date policies are critical during this stage.

NDIS Commission Enforcement Actions

The Commission takes a proportionate approach to enforcement: the severity of the enforcement action matches the severity of the breach. Here is a breakdown of the primary tools available.

Compliance Notices

A compliance notice is a formal written direction requiring the provider or worker to take specific steps within a set timeframe. The notice identifies the exact conduct that must change and what the provider must do to remedy it.

As of current records, 2 compliance notices have been issued. These notices are among the least severe formal enforcement actions. However, failing to comply with a notice escalates the matter significantly and may result in stronger action.

Banning Orders

A banning order prohibits a person from delivering NDIS supports, either for a specified period or indefinitely. The Commission has issued 18 banning orders to date. A person subject to a banning order cannot be engaged in any NDIS support delivery role, regardless of their registration status or employment arrangement.

Grounds for a banning order include:

  • Conduct that poses an unacceptable risk to participants
  • A pattern of serious non-compliance with the Code
  • Criminal convictions related to violence, abuse, or fraud
  • Failure to comply with a compliance notice

The consequences of a banning order are severe. Workers lose their livelihood in the sector. Providers found to have engaged a banned person face additional provider sanctions and potential criminal liability.

Registration Suspension and Revocation

The Commission can suspend a provider’s registration temporarily while an investigation is underway. Currently, 3 registration suspensions are on record. Suspension stops the provider from delivering registered supports during that period.

Revocation permanently removes a provider’s registration. One revocation is currently on record. Revoked providers cannot continue operating as registered providers and must transition participants to other services. The Commission can also refuse to grant re-registration — 3 re-registration refusals have been recorded.

For more detail on what registration requires and how to maintain it, see the NDIS provider registration checklist 2025.

Civil Penalties

Civil penalties represent significant financial consequences for providers and workers who breach the Code. The penalty amounts are substantial by design — they are meant to deter non-compliance.

Respondent Type | Maximum Civil Penalty (Per Contravention)
Individual (worker or sole trader) | $52,500
Corporation or organisation | $262,500

Penalties can stack across multiple contraventions arising from the same conduct. Organisations should treat these figures as a baseline risk cost when assessing the financial impact of poor compliance systems.

Real-World Case Studies

Oak Tasmania: $1.1 Million Penalty

One of the most significant enforcement actions in NDIS history involved Oak Tasmania, a registered provider found to have committed serious safety and reporting failures. The Federal Court imposed a civil penalty totalling $1.1 million. The case centred on systemic failures to report incidents, inadequate safeguards for participants, and a failure to act promptly on known safety concerns. This case demonstrated that the Commission will pursue substantial penalties where systemic failures put participants at risk over an extended period.

The Oak Tasmania decision sent a clear message to providers across Australia. NDIS Commission enforcement is not merely theoretical. Large, established organisations are just as exposed to significant penalties as smaller providers.

Smaller enforcement actions are far more common. In many cases, providers receive compliance notices or banning orders following complaints about individual workers. Even a single substantiated complaint can result in career-ending consequences for the worker involved.

Effective incident management and prompt reporting significantly reduce both the likelihood of formal enforcement and the severity of any penalties imposed.

How to Prevent NDIS Code of Conduct Breaches

Prevention is far less costly than responding to an investigation. Providers that build strong compliance cultures consistently demonstrate better outcomes for both participants and their own organisations.

Establish Clear Policies and Procedures

Every provider must have written policies that reflect the Code’s requirements. Policies should be accessible, written in plain language, and regularly reviewed. Workers must know where to find them and how to apply them in their day-to-day work.

The NDIS compliance checklist is an excellent starting point for auditing whether your current policies cover all required areas.

Invest in Worker Screening and Training

Robust worker screening processes ensure that high-risk individuals are identified before they are engaged. NDIS Worker Screening Checks are mandatory for risk-assessed roles and must be current before work begins.

Regular training on the Code of Conduct — at induction and throughout employment — is equally important. Workers who understand their obligations are far less likely to breach them. Refer to the complete Code of Conduct guide for detailed training content guidance.

Build a Speak-Up Culture

Many breaches go unreported internally because workers fear reprisal. Providers must actively foster environments where staff feel safe to raise concerns. Internal complaint and feedback mechanisms should be well-publicised, easy to use, and genuinely effective.

Monitor and Audit Compliance

Compliance is not a one-time exercise. Providers should conduct regular internal audits of their practices against the NDIS Practice Standards and the Code. Proactively identifying gaps and addressing them before an incident occurs is far more effective than reactive remediation.

Report Incidents Promptly

Timely reporting demonstrates good faith and reduces the risk of the Commission treating a failure to report as a separate, aggravating breach. All reportable incidents must be lodged within the required timeframes. See the NDIS reportable incidents guide for full detail on what must be reported and when.

Common Questions About NDIS Breaches

What happens immediately after a complaint is made about a breach?

The Commission assesses the complaint to determine the immediate risk level. If a participant is in immediate danger, the Commission can act urgently — including contacting police if necessary. For less urgent matters, the provider is typically notified and asked to provide information as part of the formal investigation process.

Can a provider continue operating during an investigation?

Yes, in most cases. The Commission does not automatically suspend operations when an investigation begins. However, if the risk to participants is assessed as high, the Commission may impose interim conditions on the provider’s registration while the investigation is underway.

Does a breach automatically lead to deregistration?

No. The Commission takes a proportionate approach. Most breaches result in compliance notices or banning orders rather than full deregistration. Revocation is reserved for the most serious cases involving systemic failures or deliberate misconduct.

What mitigating factors does the Commission consider?

The Commission considers whether the provider self-reported the issue, cooperated with the investigation, took immediate steps to protect participants, had effective systems in place, and has a strong compliance history. All of these factors can reduce the severity of the enforcement outcome.

Are banning orders publicly listed?

Yes. The NDIS Commission publishes a register of banning orders on its website. Employers can search this register to ensure they are not engaging a banned worker.

How Inficurex Helps Providers Stay Compliant

Managing NDIS compliance across policies, training, incident reporting, and audits is a significant operational burden. Inficurex provides purpose-built tools to help providers meet all their obligations under the Code of Conduct and Practice Standards.

With Inficurex, providers can:

  • Track worker training completion and screening check expiry dates
  • Manage incident reports and ensure they are lodged within required timeframes
  • Maintain audit-ready policy and procedure documentation
  • Monitor compliance against the NDIS Practice Standards
  • Receive alerts when key compliance tasks are due

For a complete overview of how NDIS-specific software supports compliance management, visit the Inficurex NDIS software for providers page.

Ready to strengthen your NDIS compliance?

Explore how Inficurex helps providers manage Code of Conduct obligations, incident management, and worker screening in one place.


Frequently Asked Questions

What is considered a breach of the NDIS Code of Conduct?

A breach occurs when a worker or provider fails to meet any of the seven obligations in the Code. This includes acting with neglect or dishonesty, failing to provide safe supports, not respecting participant rights, or engaging in sexual misconduct or illegal conduct.

What penalties apply to NDIS code of conduct breaches?

Civil penalties can reach $52,500 for individuals and $262,500 for corporations per contravention. More serious breaches can result in banning orders, registration suspension, or revocation.

Can a worker be banned permanently for an NDIS breach?

Yes. The NDIS Commission can issue indefinite banning orders for the most serious breaches. As of current records, 18 banning orders have been issued. Workers subject to a banning order cannot work in any NDIS role.

How does the NDIS Commission investigate a complaint?

The Commission first receives a complaint or notification, then assesses the risk level. It may request information, interview staff, conduct site visits, and review documentation. After investigation, it determines an appropriate enforcement action proportionate to the breach.

What is the difference between a compliance notice and a banning order?

A compliance notice requires the provider or worker to fix a specific issue within a set timeframe. A banning order prohibits a person from delivering NDIS supports entirely, either for a fixed period or permanently.

